
Gamified Threat Modeling

This gamified method of doing threat modeling might not be for everyone, but it has its pros and is worth testing out.

EOP Game-play

Here are the pros:

+ Depending on your level of geek: Fun!
+ Predefined cards with suggested threats - no need to rack your brain
+ Encourages collaboration
+ You end up with a JSON that can follow your code
+ Remote!

...and the cons:

- Leads to many false positives
- Time-consuming (~2+ h)
- Not everyone might find the game-aspect of it as intriguing
- Requires a lot more effort than, for example, Agile Threat Modeling
- Everyone needs a laptop
- Requires 3-6 players


  • It's good to familiarize yourselves with the physical EoP card game first
  • You need somewhere to host the EoP game. A tried method is a dedicated VM in Azure running a dockerized instance of the game.
  • Expect a few iterations before everyone is onboard with the game play
  • Have a prize for the winner


Regardless of how you deploy, be wary of what information you are exposing through the diagram (IP addresses, "Equinor", stuff like that).


  1. Spin up an instance of Elevation of Privilege, reachable by all participants
  2. Download (or deploy) an instance of OWASP Threat Dragon
  3. Using OWASP Threat Dragon, create a diagram of the system in scope
  4. Upload the diagram to your EoP instance, configure a session, and distribute the links to participants

Depending on the system in scope, you can choose a suitable card-deck (general vs. a web application)

Game rules are described here

Afterwards, you can download the model with the added threats and keep it in your code repository.
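Since the game tends to produce many false positives, it helps to triage the downloaded model before committing it. The script below is an added example (not part of the original page or of the EoP/Threat Dragon projects): it walks a Threat Dragon model, counts threats per STRIDE category, lists open threats that still lack a mitigation, and offers a simple CI gate. The sample model is constructed, and the field names (`detail.diagrams[].diagramJson.cells[].threats[]` with `title`, `type`, `status`, `severity`, `mitigation`) are an assumption about the Threat Dragon export format.

```python
import json
from collections import Counter

# Constructed sample (not a real Equinor model): a Threat Dragon v1-style model
# as exported after an EoP session. Field names assume the Threat Dragon format.
SAMPLE_MODEL = json.dumps({
    "summary": {"title": "Order service"},
    "detail": {"diagrams": [{"title": "Main", "diagramJson": {"cells": [
        {"type": "tm.Process", "attrs": {"text": {"text": "API"}}, "threats": [
            {"title": "Token replay", "type": "Spoofing", "status": "Open",
             "severity": "High", "mitigation": ""},
            {"title": "Log injection", "type": "Tampering", "status": "Mitigated",
             "severity": "Low", "mitigation": "Structured logging"}]},
        {"type": "tm.Store", "attrs": {"text": {"text": "Orders DB"}}, "threats": [
            {"title": "Unencrypted backups", "type": "Information disclosure",
             "status": "Open", "severity": "Medium", "mitigation": ""}]},
        {"type": "tm.Flow", "id": "flow-1"}]}}]}})

def iter_threats(model):
    """Yield (element name, threat dict) across all diagrams; handles the v1
    layout (diagramJson.cells[].threats) and the v2 layout (cells[].data.threats)."""
    for diagram in model.get("detail", {}).get("diagrams", []):
        cells = diagram.get("diagramJson", {}).get("cells") or diagram.get("cells", [])
        for cell in cells:
            data = cell.get("data", cell)  # v2 nests name/threats under "data"
            name = (data.get("name")
                    or cell.get("attrs", {}).get("text", {}).get("text")
                    or cell.get("id", "?"))
            for threat in data.get("threats", []):
                yield name, threat

def triage(model_text):
    """Summarise the game's output: STRIDE counts plus open threats with no mitigation."""
    model = json.loads(model_text)
    by_category, open_unmitigated, total = Counter(), [], 0
    for name, t in iter_threats(model):
        total += 1
        by_category[t.get("type", "Unknown")] += 1
        if t.get("status", "Open") == "Open" and not t.get("mitigation", "").strip():
            open_unmitigated.append((name, t["title"], t.get("severity", "?")))
    return {"total": total, "by_category": by_category, "open_unmitigated": open_unmitigated}

def gate_passes(model_text, blocking=("High", "Critical")):
    """CI gate: fail while any High/Critical threat is still open and unmitigated."""
    return not any(sev in blocking for _, _, sev in triage(model_text)["open_unmitigated"])

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MODEL), indent=2))
    print("gate:", "pass" if gate_passes(SAMPLE_MODEL) else "FAIL")
```

Run it against the model file you downloaded from the EoP instance instead of `SAMPLE_MODEL` to get the list of threats still to triage.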

Additional resources: