What is DEF CON's Next Top Threat Model??

What is DCNTTM?

This is an official contest at DEF CON centered on Threat Modeling. The contest has been updated for DEF CON 30 and focuses specifically on the threat identification and threat documentation activities of Threat Modeling. The contest is open to both in-person and remote conference attendees.

What is Threat Modeling?

Threat Modeling, also called “Secure Architecture Review” or “Secure Design Assessment”, is arguably the single most important activity in an application security program. Threat modeling involves creating a model of the system and analyzing the model for security or other concerns. Threat modeling enables engineering team members - software engineers, quality assurance, managers, and customer support - to make informed decisions about their system. Threat Modeling can identify a wide range of potential flaws before even a single line of code is written.

How do I play?

This contest is for individuals to show off their threat modeling skills. You will act as a Security Practitioner, reviewing a development team’s product ecosystem. The development team has provided you with an offer description, some use cases, design documents and an annotated Data Flow Diagram (DFD). Your job is to review these materials and produce a list of threats against the system. The judges are looking for submissions with valid, complete and actionable findings, not low-hanging fruit! The contestant with the submission containing the most number and “best” quality findings will win.

Can I play with a team?

Contestants are allowed (and encouraged) to collaborate with others, but submissions will only be accepted from individuals.

Where can I chat with other contestants and staff members during the event?

If you are in-person at DEF CON stop by our tables on the Contest floor at Caesars Forum.

Our contest channel on the DEF CON discord server is another good place to get help or talk with other players. Join the DEF CON discord channel, once you’re in, join the #ce-next-top-threat-model channel. Click here for details about connecting to the DEF CON discord server

Remember this is a contest so we suggest only posting logistics questions/comments in public channels and keeping questions about the design or threats to yourself (or email ).

The goal of this event is for you to identify and document threats in the provided design. While tools exist to model applications and identify threats, using these is against the spirit of the event. Judges will decide on an individual basis whether or not to accept submissions with tool-generated findings.