Whiteboard hacking – hands-on threat modeling

Learn Whiteboard Hacking With Toreon’s Finest

Toreon’s whiteboard hacking course teaches a practical methodology to perform threat modeling. The course combines pragmatic approach to threat model theory with techniques for each threat model step. This enables attendees to handle any threat model in real life. In this course we answer 4 questions:

  • What are we building?
  • What could possibly go wrong?
  • What are we going to do about it?
  • Did we do a good enough job?

Before attending this course, students should be familiar with basic knowledge of web and mobile Applications, databases & Single sign-on (SSO) principles. This 2 day course takes place at the Novotel London West, Hammersmith from the 2nd – 3rd of December, 2019.

Book Now

Steven Wierckx

Who Should Take This Course

  • Software developers
  • Security and system architects
  • System managers
  • Security professionals
  • Application security specialists

“Learn Whiteboard Hacking and Build Skills For Successful Threat Modeling”

Get More Out Of Your Models

As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands-on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.

Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:

  • B2B web and mobile applications, sharing the same REST backend
  • An Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service
  • OAuth scenarios for an HR application
  • Privacy of a new face recognition system in an airport
  • Get into the defenders head – modeling points of attack against a nuclear facility

After each hands-on workshop, the results are discussed, and students receive a documented solution.

We will show how this methodology can be integrated into your existing processes and where tools might be of assistance. We will provide a curated list of references and reading material to use after the course.

We will finish the course with an exam to provide you with a certificate to prove your knowledge.

What You’ll Learn

  • Cover the 4 main steps of creating and updating an effective threat model.
  • Use threat model as part of secure design of systems and to more efficiently scope penetration testing.
  • How to implement threat modeling both in agile and non agile organizations.
  • Use threat modeling as a way to learn, model and communicate with security and development teams and build bridges between them.
  • Which tools exist and where they can be of assistance.

Book Now

Course Outline

Day 1 – Introductory Threat Modeling

  • Threat modeling introduction
  • Diagrams – What are you building?
  • Hands-on: diagram B2B web and mobile applications sharing the same REST back-end
  • Lunch
  • Identifying threats – What could possibly go wrong?
  • Hands on: STRIDE analysis of an IoT solution
  • Hands on: Building an attack tree for a nuclear facility

Day 2 – Going Further

  • Addressing Each Threat
  • Hands-on: Threats & mitigations (OAuth) for web and mobile applications
  • Privacy Threat Modeling
  • Hands-on: DPIA threshold analysis: face recognition system airport
  • Lunch
  • Advanced Threat Modeling
  • Hands-on: “The nuts” poker tournament
  • Threat modeling tooling
  • Threat modeling resources
  • Exam

What To Bring

  • A Laptop or tablet to view course content and take the exam.

What Students Are Provided With

  • Presentation hand-outs
  • Use case Worksheets
  • Detailed use case solution descriptions
  • Threat model document template
  • Risk calculation template
  • Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course

2 Days of Training at a Premium London Venue.
Book Now at only £1300 Inc. VAT!

Book Now!

4 Reasons Why You’ll Want To Train With 44CON



Focus on learning with our spacious, air-conditioned rooms. The comfort doesn’t stop there, with incredible food at lunch and in breaks.

Serious Savings

Save over 50% with us compared to the same courses at other events in London. Get the Vegas experience without the cost.



Get exclusive invites to 44CONnect – our quarterly event with talks and more. Invites run for 12 months after your last course.


44CON Discounts

You’ll receive an exclusive £50 discount code for standard tickets to the next main 44CON event: the UK’s best security conference.

Meet The Trainer: Steven Wierckx

Steven Wierckx is a software and security tester with 20 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design, Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He is the project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. He spoke at Hack in the Box Amsterdam, hosted workshops at BruCON and DevSecCon (UK) and delivered threat modeling trainings at OWASP AppSec USA, OWASP AppSec Israel, BruCON and O’Reilly Security New York.

Book Now For December!

44CON December Bonus: Hootenanny Tickets Included!


The 44CONnect Hootenanny is an end-of-year one day event on the 6th of December.

The Hootenanny has a single talk track, a workshop track and an escape room track. We’ll have workshops from our trainers so you can get a taste of their courses, and a bunch of invited talks at the level of quality you’ve come to expect from a full 44CON. The event is fully catered, of course.

All December training attendees automatically receive a Hootenanny ticket as part of their booking. Those who’ve attended training at any time in 2019 can join our wait list. Tickets will be issued to the wait list two weeks before the Hootenanny event.

Book Now

Watch Steven Talk

Embedding GDPR into the SDLC

Watch Steven Wierckx map GDPR requirements across to typical software security activities as part of a Secure Development Lifecycle.


Stay In Touch

Like the NSA, our newsletter will be in your inbox every Tuesday. Unlike the NSA, you can unsubscribe at any time.