Trusted by 10,000+ Learners
Certified Threat Modeling Professional (CTMP)™
Discover how threat modeling reduces security vulnerabilities by up to 65%. The curriculum covers the STRIDE and PASTA frameworks, data flow analysis, ASVS, and threat modeling as code techniques for modern DevOps environments that 83% of security professionals consider essential for modern app protection.
Trusted by top companies across industries, empowering thousands of professionals worldwide. Join the ranks of security leaders.
Course Chapters
“Here’s exactly what you’ll master in 5 hands-on chapters:”
CTMP Threat Modeling Training Course Prerequisites
- Course participants should have knowledge of basic security fundamentals like Confidentiality, Integrity, and Availability (CIA)
- Basic knowledge of application development is preferred but is not necessary
Chapter 1: Threat Modeling Overview
- What is Threat Modeling?
- The Threat Model Parlance
- Security is a Balancing Act
- Design Flaws and Risk Rating
- Why Threat Model?
- Threat Modeling vs. Other Security Practices
- Threat Modeling Frameworks and Methodologies
- List/Library Centric Threat Modeling
- Asset/Goal Centric Threat Modeling
- Threat Actor/Attacker Centric Threat Modeling
- Software Centric Threat Modeling
- Trust Boundaries vs. Attack Surfaces
- Modern Threat Modeling Approaches for Agile and DevOps
- Risk Management Strategies with Examples
- Avoiding Risks
- Accepting Risks
- Mitigating Risks
- Transferring Risks
- Hands-On Exercises:
- Breakout Sessions to Identify Threats for a Multi-Tiered Application
Chapter 2: Threat Modeling Basics
- Threat Modeling and Security Requirements
- Threat Modeling vs. Threat Rating
- Diagramming for Threat Modeling
- List Centric Threat Modeling
- Exploring the STRIDE Model
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Pros and Cons of STRIDE
- STRIDE Defenses
- Authentication
- Integrity
- Non-Repudiation
- Confidentiality
- Availability
- Authorization
- STRIDE Threat Examples
- Goal/Asset Based Modeling Approach
- Attack Trees
- Attack Tree Analysis
- Attacker/Threat Actor Centric Modeling Approach
- Using MITRE ATT&CK for Attacker Centric Threat Modeling
- Software Centric Threat Modeling
- Other Threat Modeling Methodologies
- PASTA
- VAST
- Hybrid Threat Modeling
- RTMP
- OCTAVE
- Gamified approaches for Threat Modeling
- Virtual Card Games
- Adversary Card Games
- Introduction to Threat Rating
- DREAD
- OWASP Risk Rating Methodology
- Bug Bar
- Rapid Risk Assessment
- Hands-On Exercises:
- Creating a Data Flow Diagram for Threat Modeling
- Using OWASP Cornucopia to Identify Web Related Threats
- Creating Threat Actor Personas
- Using Threat Actor Personas to Identify Threats
- Risk Rating with OWASP Risk Rating Methodology
Chapter 3: Agile Threat Modeling
- Agile Threat Modeling Approaches
- Threat Modeling Diagrams as Code
- Threat Modeling Inside The Code
- Threat Modeling as Code
- Compliance and Audit as Code
- Rapid Threat Model Prototyping
- Security Requirements as Code With BDD Security
- Events of Agile Software Development Through Scrum
- Writing Security Requirements for Agile Software Development
- Writing Use Cases and Abuse Cases
- Privacy Impact Assessments and Security Requirements
- Identifying Privacy Related Threats
- Hands-On Exercises:
- Writing Abuse Cases for Password Reset Workflow
- Threat Modeling Privacy for Your System
- Exploring UML as Code
- Creating Attack Trees Using Code
- Writing Threat Models Alongside Code
- Writing Threat Models With Code
- Writing Threat Models As Code
- Writing Compliance As Code for PCI-DSS
Chapter 4: Reporting and Deliverables
- How To Manage Threat Models
- Documentation
- Backlog
- Bugs and Tickets
- Code
- Automation
- Threat Modeling Tools and Templates
- Microsoft Threat Modeling Tool
- OWASP Threat Dragon
- CAIRIS Platform
- Threat Modeling As Code Tools
- Freemium Tools
- Threat Model Templates and Examples
- Validating Threat Models
- Threat Model Versus Reality
- All Threats Accounted For Risk
- Mitigations Are Tested
- Are We Done Threat Modeling?
- Hands-On Exercises:
- Threat Modeling with OWASP Threat Dragon
- Threat Modeling Multi-Tiered Application with IriusRisk
- Threat Modeling for Multi-Cloud with IriusRisk
- Validating Threats with Automated Tests
- Validating Mitigations with Automated Tests
Chapter 5: Secure Design Principles and Threat Modeling for Native and Cloud-Native Applications
- Exploring Principles of Secure Design with Examples
- Principle of Economy of Mechanism
- Principle of Fail Safe Defaults
- Principle of Complete Mediation
- Principle of Open Design
- Principle of Separation of Privilege
- Principle of Least Privilege
- Principle of Least Common Mechanism
- Principle of Psychological Acceptability
- Case Study of AWS S3 Threat Model
- Case Study of Kubernetes Threat Model
- Case Study of Very Secure FTP daemon
CTMP Course Certification Process
- After completing the course, you can schedule the CTMP exam on your preferred date.
- The process of achieving the Practical DevSecOps CTMP Certification can be found here.
Career Outlook
What can I do with the Certified Threat Modeling Professional?
The CTMP teaches you to find design-level security flaws before they reach production. You apply STRIDE, PASTA, LINDDUN, and attack trees across AI systems, cloud-native architectures, and monolithic applications in 40+ hands-on labs. You are certified to run threat modeling sessions, build threat catalogs, and integrate the work into CI/CD.
Built for Professionals Who Secure Systems by Design
The roles that can’t afford to leave security to chance:
Application Security (AppSec) Engineer
Govern the SDLC by integrating STRIDE and PASTA into developer workflows; automate threat discovery in CI/CD pipelines and eliminate high-risk architectural flaws before they reach the deployment stage.
Security Architect
Design resilient enterprise frameworks by establishing clear trust boundaries; validate complex cloud migrations and zero-trust environments through rigorous, intelligence-led threat simulations and data-flow analysis.
DevSecOps Engineer
Your scanners pass. The flaw ships anyway. The CTMP teaches you threat-modeling-as-code, automated reviews on infra PRs, and risk-scored findings that catch design-stage bugs before they reach production.
Product Security Engineer
You’re the security review nobody wants to wait for. The CTMP gives you sprint-ready threat models, per-feature abuse case libraries, and acceptance criteria PMs paste straight into the PRD.
Threat Modeler
You’re the person engineering calls before architecture decisions get committed. The CTMP gives you framework fluency across STRIDE, PASTA, LINDDUN, and attack trees, applied to AI/ML pipelines, cloud-native systems, and CI/CD supply chains.
94%
of organizations now require Security-by-Design practices in their SDLC. Most security teams have never been formally trained to do threat modeling. The CTMP fills that gap.
$158K+
$145K+ median compensation for professionals with documented threat modeling expertise. The premium exists because threat modelers reduce mean time to detect, lower cyber insurance premiums, and prevent the kind of design-stage breaches that average $4.88M in total cost (IBM Cost of a Data Breach Report 2024).
Understanding the numbers
These figures reflect industry-wide trends from ZipRecruiter, SalaryExpert and the Bureau of Labor Statistics and market research. Actual salaries depend on your experience, location, industry, and how effectively you apply your skills. We provide the training. The results are yours to build.
And you’ll learn it the right way, through hands-on experience.
What you’ll learn from the Certified Threat Modeling Professional
Threat Modeling Methodologies
- Apply STRIDE, PASTA, VAST, and RTMP frameworks
- Identify vulnerabilities before security incidents
- Protect your systems and applications using proven techniques
Agile Threat Modeling Security Integration
- Build threat models into DevOps pipelines
- Integrate security within CI/CD workflows
- Transform security from blocker to enabler
Industry-Standard Tools
- Perform threat modeling with IriusRisk and Threat Modeler
- Create models with OWASP Threat Dragon and CAIRIS
- Apply "Threat Modeling as Code" techniques
Risk Assessment Frameworks
- Prioritize risks using DREAD, OWASP Risk Rating Methodology, and Mozilla RRA
- Implement risk management techniques
- Communicate risks to stakeholders
Cloud-Native Security
- Design secure applications and Kubernetes workloads
- Analyze real-world enterprise case studies
- Validate cloud application security controls
Security Operations at Scale
- Build automation and reusable templates
- Coordinate security across multiple teams
- Meet PCI-DSS and compliance requirements
Interactive Threat Modeling Labs in Your Browser
No complex setups. No local environments. Just high-fidelity, hands-on labs where you map data flows, identify architectural flaws, and build mitigation strategies. Ready when you are.
We have provided training and presented at numerous industry events.
Hear from our learners
Explore the global impact of our Practical DevSecOps Certifications through our learners’ testimonials.
Frequently asked questions
What are the prerequisites required before enrolling in the Certified Threat Modeling Professional Course?
To enroll in the CTMP course, students should have a basic understanding of security fundamentals such as confidentiality, integrity, and availability. While application development knowledge is beneficial, it is not mandatory.
What's included in the Certified Threat Modeling Professional course package?
The course includes 3 years of video access, 60 days of browser-based labs, 30+ guided lab exercises, a PDF manual, 24/7 student support, and one exam attempt.
Do the labs for the Certified Threat Modeling Professional course start immediately after enrollment?
Does the course come with CPE points?
Yes, the course offers 24 CPE (Continuing Professional Education) points upon completion.
What is the exam format?
The exam consists of 5 challenges to be solved within 6 hours, followed by a 24-hour window to complete and submit the report for evaluation. For more information, visit this link.
Should I go to an exam center, or is the exam online?
How long is the Certified Threat Modeling Professional course valid?
Threat Modeling Certification is a lifetime credential. Once you’ve earned your certification, it will last throughout your career.
What's the Financial Return on completing the Certified Threat Modeling Professional course?
Here’s the reality: threat modeling is so specialized that even Fortune 500 companies have maybe a handful of experts who truly understand it. That scarcity is your opportunity.
While most security professionals earn $85,000–$95,000, CTMP-certified threat modelers command $140,000–$180,000. Why the massive difference? Because you’re one of the rare few who can actually do this work. The market is exploding from $1.06 billion today to a projected $58.13 billion by 2034, but there’s almost nobody qualified to fill these roles.
This isn’t just another security certification where you’re competing with thousands of others. Threat modeling is so niche that having CTMP certification basically makes you a unicorn. Security analysts, software architects, and senior developers are trying to break into this field, but very few actually master it.
Why Certified Threat Modeling Professional Course from Practical DevSecOps?
What you will learn:
- Implement four proven methodologies (STRIDE, PASTA, VAST, RTMP) to identify vulnerabilities before deployment.
- Create threat models using industry tools and “Threat Modeling as Code” techniques. Apply risk frameworks to prioritize issues and communicate effectively with stakeholders.
- Build scalable security processes that work across teams while meeting compliance standards.
Unmatched practical focus
70% hands-on labs for mastering real-world scenarios.
Expert-crafted curriculum
Get real-world insights from experienced security experts.
Practical exam
24/7 expert support
Future-Proof Your Career with Threat Modeling Training
Unlock your potential with Threat Modeling Training! Our Certified Threat Modeling Professional Course equips you with job-ready skills. Conquer the 6-hour exam with confidence and open doors to exciting opportunities and challenges.












