Training & Workshops

Secure Delivery advanced Badge

Secure by Design With Agile Threat Modelling

4 hours Non-assessed, attendance. Remote or on-site

Threat modelling is an essential part of building secure systems. The United States’ Executive Order 14028 to improve the nation’s cybersecurity mandates threat modeling as part of the minimum standard for verification. OWASP’s Top 10:2021 puts Insecure Design at number 4 of the top 10 risks to businesses.

To scale threat modelling to cover your whole organisation you must put the capability into the hands of of your product development teams. Agile threat modelling provides a focus for your teams to think critically about their system’s design and how it could be attacked. It’s performed as part of the usual cadence of agile delivery, and the output is actionable work on the team’s backlog.

Threat modelling essentially attempts to answer four, simple questions:

  1. What are we working on?
  2. What could go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

And in this session, one of our expert practitioners will guide your team through the process of answering them. We’ll utilise a gamified, structured framework for threat modelling, either OWASP Cornucopia or Elevation of Privilege to provide focus for the team and help you capture the security work arising as actionable backlog items.


Product development teams. The session focuses on a single product or service and requires people with hands-on, technical knowledge of its implementation. Non-technical team members and product decision makers are encouraged to participate to bring the full product view to the session.


Knowledge of the system being threat modelled and the technology ecosystem it is a part of.

  • Secure Product
  • Secure Engineering
  • 3-6 players
  • Up to 6 observers

It was an entertaining session that generated a lot of good discussions. The game is straightforward and it allowed for newcomers to participate as much as some of the team's veterans. Would definitely plan to do it again. The facilitator is very important as well, as he gives insights on what alternative solutions are out there.

I really want to play this game, but I also think the game master was imperative to the fun-factor, but also because he kept us progressing.

It was a really good and alternative way to talk about the security part of the product. It also helped that everyone got a chance to talk instead of the usual 3-4 people.

Fun - which surprised me because I thought security stuff was boring

Some feedback from our clients.

People are at the centre of product security. Our approach means we work directly with the people making decisions, building and infuencing product development.

We love to work with these teams and we love to hear from them as to how they've found working with us. Here are some examples of the feedback we get from teams across our clients' organisations.


I like how you tied back Security to the four metrics metrics in Accelerate as well as SRE principles, that was very clear. I was actually already planning to recommend you to some people in my network :)

SRE Energy Sector
Engineering Foundations Course

[Practioner] clearly has a wealth of expertise in application security, and uses this very effectively to provide a highly informative course that includes insights and recommendations specific to our business domain. I am confident that other business domains would be equally served due to [Practitioner]'s range of experience.

Engineering Medical Equipment & Devices Sector
Decision Makers Foundations Course

The hands on sessions of seeing an issue and then fixing it in the code really brought it to life. Letting us do the fixing rather than watching keeps you involved, I thought the site was excellent

Engineering Retail Sector
Secure Coding Workshop

[Practitioner]'s knowledge and experience is exceptional. I really liked the Case Studies. I could always use more.

IT Management Medical Equipment & Devices Sector
Decision-Makers Foundations Course

Good to refresh and increase knowledge, labs were enjoyable and illustrated the points well.

Engineering Energy Sector
Secure Coding Workshop

[Practioner] was engaging, knowledgable and great to listen to and work with

Engineering Retail Sector
Engineering Foundations Course

Great news, the amazing [Practitioner] from Secure Delivery has agreed to deliver security training again this year!

Tech Leadership Energy Sector
Engineering Foundations Course

Security is part of delivery

and we'll help make it happen

If you'd like to find out more about securing and raising the quality of your digital product delivery to stand out from the competition then get in touch with us. We'd love to have a chat about our proven approach and see how we can best help your organisation succeed.