Threat Modeling

The Elevation of Privilege card game

Transforming Threat Modeling into an Interactive Experience

What's the Elevation of Privilege game?

Threat modeling is the process of identifying the work needed to make a system more secure. Elevation of Privilege (EoP), created by Adam Shostack, makes the process more approachable and engaging—especially for developers who aren’t security experts. Instead of working through lengthy checklists, players use a card game format to uncover vulnerabilities in the design stage, making security discussions more interactive and collaborative.

What's in the deck?

There are 88 cards in the deck, with 78 covering common security pitfalls to help players identify real threats. The cards follow the STRIDE framework, breaking down threats into six key categories:

EoP's six threat categories - STRIDE

  • Spoofing – Pretending to be someone else
  • Tampering – Altering data or code
  • Repudiation – Denying an action
  • Information Disclosure – Exposing sensitive information
  • Denial of Service – Disrupting system functionality
  • Elevation of Privilege – Gaining unauthorized access

For teams focused on privacy, the Privacy Edition adds 13 extra cards addressing data protection and privacy risks.

How to play Elevation of Privilege?

Inspired by the game Spades, EoP is thoughtfully designed to make security reviews more engaging, accessible and fun!

1. Set the stage

Before dealing, sketch a simple diagram of the system on a whiteboard, paper, or digital tool—just enough to show key components and data flows.

2. Deal the cards

Shuffle the deck and deal all the cards to 3-6 players. Each player organizes their hand by suit (but no peeking at your neighbour’s cards!).

3. Let the game begin!

The player with the 2 of Tampering kicks things off. On your turn, read your card aloud and describe whether and how the threat could impact the system.

Players take turns identifying and recording security threats, which may lead to real fixes. Each round, they must follow the suit that was led, with the highest-value card winning—unless an Elevation of Privilege (EoP) card is played, in which case the highest EoP card wins. The round’s winner leads the next turn, and play continues until all cards are used.

After the game, the team reviews identified threats and discusses how to address them, turning gameplay insights into actionable security improvements.
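The dealing and trick-resolution rules above, modelled as an added example (not code from the page, from Adam Shostack, or from any official EoP tool). Assumed: 13 ranks per STRIDE suit (2 through Ace mapped to 2..14) make up the 78 threat cards, and the 10 remaining cards are not dealt.

```python
import random
from dataclasses import dataclass

# Six STRIDE suits named on the page; EoP is the trump suit per the rules.
SUITS = ["Spoofing", "Tampering", "Repudiation", "Information Disclosure",
         "Denial of Service", "Elevation of Privilege"]
TRUMP = "Elevation of Privilege"
# Assumed rank mapping: 2..10, then J=11, Q=12, K=13, A=14 (13 ranks per suit).
RANKS = list(range(2, 15))


@dataclass(frozen=True)
class Card:
    suit: str
    rank: int


def build_threat_deck():
    """The 78 threat cards: 13 ranks in each of the six suits (assumed split)."""
    return [Card(s, r) for s in SUITS for r in RANKS]


def deal(players, seed=None):
    """Shuffle and deal every threat card round-robin to 3-6 players."""
    if not 3 <= len(players) <= 6:
        raise ValueError("EoP is played by 3 to 6 players")
    deck = build_threat_deck()
    random.Random(seed).shuffle(deck)
    return {p: [c for i, c in enumerate(deck) if i % len(players) == n]
            for n, p in enumerate(players)}


def opening_player(hands):
    """The player holding the 2 of Tampering leads the first trick."""
    for player, hand in hands.items():
        if Card("Tampering", 2) in hand:
            return player
    raise ValueError("the 2 of Tampering was not dealt")


def resolve_trick(plays):
    """plays: list of (player, Card) in play order; the first play leads.
    Highest card of the led suit wins unless an EoP card was played, in which
    case the highest EoP card wins. Returns the winner, who leads next."""
    if not plays:
        raise ValueError("a trick needs at least one play")
    led_suit = plays[0][1].suit
    eop = [(p, c) for p, c in plays if c.suit == TRUMP]
    candidates = eop or [(p, c) for p, c in plays if c.suit == led_suit]
    return max(candidates, key=lambda pc: pc[1].rank)[0]
```

Off-suit cards that are not Elevation of Privilege can never take a trick, which is why the rules reward holding EoP cards for the threats you most want the table to discuss.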

For remote teams

  • Send out physical decks to every member of the team. We can help with bulk discounts and multi-address shipping.
  • One or more team mates collaborate to produce or update a suitable diagram of the system, such as a data flow diagram.
  • A Games Master randomly generates "hands" of cards for each player using Croupier, the online hand-dealing tool for EoP and Cornucopia.
  • The Games Master books the meeting and sets up the video call. The calendar invitation will contain every player's hands.
  • Share the system diagram on the video call.
  • Players work in rounds to beat each other at matching the most serious threat to the system diagram, using the normal game rules.
  • The Games Master records where the threats were found and uses your organisation's normal systems to manage the work of checking up on and mitigating the threat.
  • Scores are calculated and a winner is declared.

Play the Elevation of Privilege Card Game with its Inventor, Adam Shostack

This is an opportunity to experience, first-hand, a game of Elevation of Privilege supported by the game's inventor, threat modelling expert Adam Shostack. Working in a small group, you'll play the game online using physical cards and find threats in a sample system architecture.

Why play the game with physical cards?

A key reason Elevation of Privilege was designed as a box of cards was because "as a physical item it draws attention, and allows people to point at it in ways that are potentially awkward with a screen." (source: EoP Whitepaper by Adam Shostack). This remains important even as we work remotely. The deck serves as a constant reminder to threat model, and it acts as a compact reference that stays useful for years, like a well-thumbed thesaurus!

We also believe that physical decks extend player engagement with the material, compared to the short-term use of online tools (usually an hour or two). The player’s interaction with the deck occurs over multiple stages: receiving the deck, getting their hand, preparing for the game, and playing via a video call. This repeated engagement keeps the game in the player’s mind, even when they’re not actively playing.

There is also an optional rule that allows players to trade cards mid-game, which encourages collaboration and helps uncover threats that may have been missed. Encouraging players to familiarize themselves with the deck before playing helps facilitate trades, deeper gameplay, and offers a richer, longer-lasting interaction.

So don't battle to stop devs putting insecure systems into production. Draw them in, and have them find faults with their own designs before they leave the whiteboard. Try out the Elevation of Privilege game and deliver more secure systems earlier in the development phase.

Let's play!