AI Threat Modeling Next Generation: From Whiteboard Hacking to Hands-on Prompting

“After years of evaluating security trainings at Black Hat, including Toreon’s Whiteboard Hacking sessions, I can say this AI threat modeling course stands out. The hands-on approach and flow are exceptional - it’s a must-attend.” Daniel Cuthbert, Global Head of Cyber Security Research, Black Hat Review Board member https://www.linkedin.com/in/daniel-cuthbert0x/ This 2-day training is based on the 10th edition of our Black Hat training. We improved our threat modeling training with an exclusive threat modeling war game featuring red and blue threat modeling teams. All participants get our Threat Modeling Playbook plus a one-year subscription to our online threat modeling learning platform. As part of this training, you will be asked to create your own threat model, on which you will get individual feedback. One month after the training we organize an online review session with all the participants together. As highly skilled professionals with years of experience under our belts, we are intimately familiar with the gap between academic knowledge of threat modeling and real-world practice. To minimize that gap, we have developed practical use cases based on real-life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for hands-on exercises, we provide our students with challenging training experiences and the templates to incorporate threat modeling best practices into their daily work. Students will be encouraged, in groups of 3 to 4, to perform the different stages of threat modeling. Through hands-on application of the DICE methodology (Diagraming, Identification of threats, Countermeasures, and Evaluation), participants will learn to identify AI-specific attacks, develop effective countermeasures, and scale threat modeling with AI. The concluding wargame puts theory into practice, as red and blue teams perform threat modeling while attacking and defending a rogue AI research assistant. This training is designed for AI Engineers, Software Engineers, Solution Architects, Security Professionals, and Security Architects to master secure AI system design. Participants earn the Threat Modeling Practitioner Certificate upon:

Successful completion of hands-on exercises.
Creation and submission of an original threat model.
Passing grade on a final examination.

1.1 Course topics

Threat modeling introduction

Threat modeling in a secure development lifecycle
What is threat modeling?
Why perform threat modeling?
Threat modeling stages
Threat modeling augmented by AI

Diagrams – what are you building?

Understanding context
Doomsday scenarios
Data flow diagrams
Trust boundaries
Hands-on: Diagramming techniques applied on a travel booking service
Use AI to analyze design documents and source code
Crafting effective prompts to extract system components, data types, and trust boundaries from architecture descriptions
Hands-on: Generate DFD for a Digital Wallet / Payment App

Identifying threats – what can go wrong?

STRIDE / AI
STRIDE GPT tool demo
Hands-on: Identification threats cloud-based update service IoT kiosk
Attack libraries
Training AI models using threat libraries like MITRE ATT&CK to suggest relevant attack vectors
Hands-on: AI-Assisted STRIDE analysis for a Digital Wallet / Payment App

Countermeasures - addressing each threat

How to address threats
Mitigation patterns
Setting priorities through risk calculation
Risk management
Threat agents
Hands-on: Mitigate threats in a payment service
AI suggested security controls
AI summarizing threat modeling, key findings, and actions for stakeholders.
Hands-on: AI-Assisted mitigations for a Digital Wallet / Payment App
Hands-on: Prompting a Digital Wallet / Payment App report and outcomes

Threat modeling and compliance

GDPR
Privacy by Design (PbD)
GDPR risk patterns
FDA
NIST on threat modeling
Automotive & TARA
Hands-on: Apply GDPR Risk Patterns for Privacy by Design

Threat modeling practice

Soft skills for threat modelers
Threat modeling in sprints
OWASP Threat Modeling Playbook
Hands on: Apply Threat Modeling Playbook to agile development
Threat modeling at scale
SAMM and threat modeling
Lessons learned
Hands-on: Threat modeling the MLOps pipeline
Red Team / Blue Team: Project Prometheus - The Rogue AI Research Assistant

Threat modeling tooling and resources

Threat Modeling Tool Directory
OWASP resources
Threat Modeling Manifesto
Example threat models

Course Wrap-up (15 min)

Resources for continued learning
Next steps and certification path

Review session (online session after 4-6 weeks)

Hand-in of your own threat model
Individual feedback on your threat model
Review session

About the Speaker

Georges Bolssens

Georges Bolssens embarked on his coding journey in the early 1990s and delved into the realm of application security in 2017. With an inherent passion for teaching, Georges is not only a seasoned developer but also an adept communicator. His unique talent lies in simplifying intricate subjects through relatable analogies, making him an engaging and effective speaker. Having undertaken numerous consulting assignments, Georges has assumed the role of a cybersecurity educator for a diverse spectrum of professionals. His guidance has illuminated the path for individuals ranging from legal experts at renowned “Big 4” consulting firms to ethical hackers and all those in between. In his capacity as an Application Security Consultant at Toreon, Georges has been instrumental in assisting numerous clients in constructing comprehensive threat models for their digital assets.