
Shostack's 4 Question Frame for Threat Modeling

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

These questions are designed to help people build better systems. They work less well for end-users of technology.

The authoritative reference is page 4 of Threat Modeling: Designing for Security. I've evolved the questions since then. The changes include:

  • "We" has replaced "you", to be inclusive and collaborative
  • "are" has replaced "should" in question 3, to be more focused on action
  • Simplified the wording.
  • I'll regularly ask "did we do a good enough job?" The goal is not to do a good job at threat modeling, but to drive improvement to a system.


People will sometimes phrase the first question as "what are we building?" rather than "what are we working on?" The "building" frame draws people towards a waterfall approach, with the attendant problems.

In the Threat Modeling Manifesto, the team had a preference for adding the word "enough" to the 4th question: "did we do a good enough job?" I appreciate the lessened pressure, but miss the aspiration, and so keep the terse form here.

There's a 60-second video that introduces the questions.

Legalese, citations.

I'm told some lawyers have been concerned about quoting a complete thing, and asserted that it pushes at the limits of fair use to use all 23 of these words as a unit. If you need a license, please treat it as CC-BY. Please call it "Shostack's Four Question Frame for Threat Modeling," or "Shostack's Four Question Framework."

MLA-formatted citation: Shostack, Adam. Threat Modeling: Designing for Security. John Wiley & Sons, 2014.
