10,000+ Learners Certified
Certified Threat Modeling Professional (CTMP)™
Trusted by top companies across industries, empowering thousands of professionals worldwide. Join the ranks of security leaders
Course Chapters
“Here’s exactly what you’ll master in 6 hands-on chapters:”
CTMP Threat Modeling Training Course Prerequisites
- Course participants should have knowledge of basic security fundamentals like Confidentiality, Integrity, and Availability (CIA)
- Basic knowledge of application development is preferred but is not necessary
Chapter 1: Threat Modeling Overview
- What is Threat Modeling?
- The Threat Model Parlance
- Security is a Balancing Act
- Design Flaws and Risk Rating
- Why Threat Model?
- Threat Modeling vs. Other Security Practices
- Threat Modeling Frameworks and Methodologies
- List/Library Centric Threat Modeling
- Asset/Goal Centric Threat Modeling
- Threat Actor/Attacker Centric Threat Modeling
- Software Centric Threat Modeling
- Trust Boundaries vs. Attack Surfaces
- Modern Threat Modeling Approaches for Agile and DevOps
- Risk Management Strategies with Examples
- Avoiding Risks
- Accepting Risks
- Mitigating Risks
- Transferring Risks
- Hands-on Exercises:
- Breakout Sessions to Identify Threats for a Multi-Tiered Application
Chapter 2: Threat Modeling Basics
- Threat Modeling and Security Requirements
- Threat Modeling vs Threat Rating
- Diagramming for Threat Modeling
- List Centric Threat Modeling
- Exploring the STRIDE Model
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privileges
- Pros and Cons of STRIDE
- STRIDE defenses
- Authentication
- Integrity
- Non-Repudiation
- Confidentiality
- Availability
- Authorization
- STRIDE Threat examples
- Goal/Asset Based modeling Approach
- Attack Trees
- Attack Tree Analysis
- Attacker/Threat Actor Centric Modeling Approach
- Using MITRE ATT&CK for Attacker Centric Threat Modeling
- Software Centric Threat Modeling
- Other Threat modeling methodologies
- PASTA
- VAST
- Hybrid Threat modeling
- RTMP
- OCTAVE
- Gamified approaches for Threat Modeling
- Virtual Card Games
- Adversary Card Games
- Introduction to Threat Rating
- DREAD
- OWASP Risk Rating Methodology
- Bug Bar
- Rapid Risk Assessment
- Hands-on Exercises:
- Creating a Data Flow Diagram for Threat Modeling
- Using OWASP Cornucopia to Identify Web Related Threats
- Creating Threat Actor Personas
- Using Threat Actor Personas to Identify Threats
- Risk Rating with OWASP Risk Rating Methodology
Chapter 3: Agile Threat Modeling
- Agile Threat Modeling Approaches
- Threat Modeling Diagrams as Code
- Threat Modeling Inside The Code
- Threat Modeling as Code
- Compliance and Audit as Code
- Rapid Threat Model Prototyping
- Security Requirements as Code With BDD Security
- Events of Agile Software Development Through Scrum
- Writing Security Requirements for Agile Software Development
- Writing Use Cases and Abuse Cases
- Privacy Impact Assessments and Security Requirements
- Identifying Privacy Related Threats
- Hands-on Exercises:
- Writing Abuse Cases for Password Reset Workflow
- Threat Modeling Privacy for your system
- Exploring UML as Code
- Creating Attack Trees Using Code
- Writing Threat Models Alongside Code
- Writing Threat Models With Code
- Writing Threat Models As Code
- Writing Compliance As Code for PCI-DSS
Chapter 4: Reporting and Deliverables
- How To Manage Threat Models
- Documentation
- Backlog
- Bugs, and Tickets
- Code
- Automation
- Threat Modeling Tools and Templates
- Microsoft Threat Modeling Tool
- OWASP Threat Dragon
- CAIRIS Platform
- Threat Modeling As Code Tools
- Freemium Tools
- Threat Model Templates and Examples
- Validating Threat Models
- Threat Model Versus Reality
- All Threats Accounted For Risk
- Mitigations Are Tested
- Are We Done Threat Modeling?
- Hands-On Exercises:
- Threat Modeling with OWASP Threat Dragon
- Threat Modeling Multi-Tiered Application with IriusRisk
- Threat Modeling for Multi-Cloud with IriusRisk
- Validating Threats with Automated Tests
- Validating Mitigations with Automated Tests
Chapter 5: Secure Design Principles and Threat Modeling Native and Cloud Native Applications
- Exploring Principles of Secure Design with Examples
- Principle of Economy of Mechanism
- Principle of Fail Safe Defaults
- Principle of Complete Mediation
- Principle of Open Design
- Principle of Separation of Privilege
- Principle of Least Privilege
- Principle of Least Common Mechanism
- Principle of Psychological Acceptability
- Case Study of AWS S3 Threat model
- Case Study of Kubernetes Threat Model
- Case Study of Very Secure FTP daemon
CTMP Course Certification Process
- After completing the course, you can schedule the CTMP exam on your preferred date.
- Process of achieving Practical DevSecOps CTMP Certification can be found here.
Proof > Promises. Certifications Hiring Managers Trust
Career Outlook
What can I do with the MCP Security Certification?
AI-powered and agentic systems are now the default infrastructure for modern organizations. This certification gives you practical skills to secure MCP architectures, LLM pipelines, and agentic AI systems. It puts you in position for high-demand roles where traditional security knowledge alone won’t cut it.
Built for People Who Secure AI Systems for a Living
The roles that can’t afford to get this wrong
Senior Security Engineer (MCP Security)
Stop MCP server breaches by enforcing authentication and authorization controls, detecting tool poisoning and prompt injection at runtime, and hardening agentic pipelines before attackers exploit exposed tool interfaces.
AI Security Architect [MCP & Agentic AI]
Eliminate design-level risk in agentic systems by threat modeling MCP architectures with STRIDE and MITRE ATLAS, enforcing zero-trust principles across agent-to-tool communication, and building security into AI infrastructure from the ground up.
Principal Cybersecurity Engineer (MCP Integration)
Prevent supply chain compromise by generating SBOMs, enforcing code signing and provenance attestations, applying SLSA frameworks, and automating security gates across CI/CD pipelines before agentic workloads reach production.
Application Security Lead [Model Context Protocol]
Remove vulnerabilities before deployment by embedding SAST, SCA, and DAST in MCP development pipelines, blocking malicious tool registrations at intake, and securing API surfaces and dependencies across agentic application stacks.
85%
of enterprises are actively adopting AI, yet fewer than 1 in 4 have dedicated AI security controls in place. The skill shortage is real. The talent gap is your opportunity.
$165k+
Average salary for AI Security Engineers in the US. Professionals with hands-on AI and ML security expertise command premium compensation across industries deploying agentic systems.
Understanding the above numbers
These figures reflect industry-wide trends from Gartner, IBM Security, ZipRecruiter and the Bureau of Labor Statistics and market research. Actual salaries depend on your experience, location, industry, and how effectively you apply your skills. We provide the training. The results are yours to build.
What you’ll learn from the Certified Threat Modeling Professional Course?
Threat Modeling Methodologies
- Apply STRIDE, PASTA, VAST, and RTMP frameworks
- Identify vulnerabilities before security incidents.
- Protect your systems and applications using proven techniques
Agile Threat Modeling Security Integration
- Build threat models into DevOps pipelines
- Integrate security within CI/CD workflows
- Transform security from blocker to enabler
Industry-Standard Tools
- Perform threat modeling with IriusRisk and Threat Modeler
- Create models with OWASP Threat Dragon and CAIRIS.
- Apply "Threat Modeling as Code" techniques
Risk Assessment Frameworks
- Prioritize risks using DREAD, OWASP Risk Rating Methodology and Mozilla RRA.
- Implement risk management techniques
- Communicate risks to stakeholders
Cloud-Native Security
- Design secure applications and Kubernetes workloads
- Analyze real-world enterprise case studies
- Validate cloud application security controls
Security Operations at Scale
- Build automation and reusable templates
- Coordinate security across multiple teams
- Meet PCI-DSS and compliance requirements
Threat Modeling Training in Your Browser
No installs. No VMs. Just real hands-on labs where you secure clusters, scan containers, and apply runtime policies. Ready when you are.
We have provided training and presented at numerous industry events.
Hear from our learners
Explore the global impact of our Practical DevSecOps Certifications through our learners’ testimonials.
Frequently asked questions
What are the prerequisites required before enrolling in the Certified Threat Modeling Professional Course?
To enroll in the CTMP course, students should have a basic understanding of security fundamentals such as confidentiality, integrity, and availability. While application development knowledge is beneficial, it is not mandatory.
What's included in the Certified Threat Modeling Professional course package?
The course includes 3 years of video access, 60 days of browser-based labs, 30+ guided lab exercises, a PDF manual, 24/7 student support, and one exam attempt.
Do the labs for the Certified Threat Modeling Professional course start immediately after enrollment?
No, the Threat Modeling course does not begin automatically upon enrollment. After purchasing the course, students will have the opportunity to select their desired start date, which will mark the beginning of their course access period.
Does the course come with CPE points?
Yes, the course offers 24 CPE (Continuing Professional Education) points upon completion.
What is the exam format?
The exam consists of 5 challenges to be solved within 6 hours, followed by a 24-hour window to complete and submit the report for evaluation. For more information, visit this link.
Should I go to an exam center, or is the exam online?
Yes, it is an online exam. You can take the exam from the comfort of your home or office.
How long is the Certified Threat Modeling Professional course valid?
Threat Modeling Certification is a lifetime credential. Once you’ve earned your certification, it will last throughout your career.
Why Certified Threat Modeling Professional Course from Practical DevSecOps?
The first of its kind vendor-neutral Certified Threat Modeling Professional Certification delivers hands-on training through real-world exercises across all five chapters. Unlike theoretical courses, it focuses on practical implementation in DevSecOps environments with expert instructors who’ve successfully integrated threat modeling into Agile and CI/CD workflows.
What will you learn:
- Implement four proven methodologies (STRIDE, PASTA, VAST, RTMP) to identify vulnerabilities before deployment.
- Create threat models using industry tools and “Threat Modeling as Code” techniques. Apply risk frameworks to prioritize issues and communicate effectively with stakeholders.
- Build scalable security processes that work across teams while meeting compliance standards.
Unmatched practical focus
70% hands-on labs for mastering real-world scenarios.
Expert-crafted curriculum
Get real-world insights from experienced security experts.
Practical exam
Take a 6-hour examination to show what you have learned.
24/7 expert support
Future-Proof Your Career with Threat Modeling Training
Unlock your potential with Threat Modeling Training! Our Certified Threat Modeling Professional Course equips you with job-ready skills. Conquer the 6-hour exam with confidence and open doors to exciting opportunities and challenges.












