How to build your threat model in 20 minutes.

A threat model is not a paranoia checklist. It’s a tool for making accurate decisions about what to protect, from whom, and at what cost.

Most people approach digital security by asking: ‘what should I do?’ The right question is: ‘what am I actually defending against?’ The answer determines everything else. Without it, you’re spending effort in the wrong places.

The five questions

Every functional threat model answers five questions. You don’t need a framework, software, or a consultant. You need honest answers to these.

1. What do I have that’s worth protecting?

Not ‘what do I want to keep private in general’ but specifically: what information, if accessed by the wrong person, would cause real harm? Source identities. Client files. Financial records. Location data during a specific period. The more specific you are, the more useful the model.

2. Who would want to access it?

Not a generic adversary. A specific one. A state actor with significant resources and legal authority is different from an ex-partner with technical skills and local knowledge. A corporate competitor is different from a criminal organisation. Each requires a different response.

3. How likely is it that they will try?

Probability matters. Protecting against a targeted nation-state attack when you are not a realistic target is a waste of effort. Protecting against opportunistic credential theft when you use the same password across 30 services is a straightforward fix that most people delay.

4. What are the consequences if they succeed?

For a journalist, a compromised source list is a career-ending and potentially life-threatening outcome. For a lawyer, disclosed client communications are a professional and legal crisis. For a family going through a custody dispute, location data accessed by the other party has immediate practical consequences. Scale your response to the consequence. (See: how to communicate with sources safely.)

5. How much friction am I willing to accept?

A threat model that requires practices nobody will sustain in real working conditions is useless. Maximum security with zero usability is not a solution. The goal is the highest level of protection that you will actually maintain.

Mapping your answers to decisions

Once you have honest answers to the five questions, the tool choices become straightforward.

If your adversary is opportunistic and your primary risk is credential theft: a good password manager and two-factor authentication on your critical accounts eliminates the majority of your exposure. That’s a half-hour project.

If your adversary has legal authority and your primary risk is compelled disclosure of communication records: end-to-end encrypted email and messaging, providers in appropriate jurisdictions, no cloud backups of sensitive content. Proton Mail and Signal. A week to implement properly.

If your adversary has physical access capability and your primary risk is device seizure: strong device encryption, USB Restricted Mode, travel devices for high-risk environments, no iCloud backup. An ongoing discipline, not a one-time setup. (See: what agents can extract in 6 hours.)

If your adversary has significant technical resources and your primary risk is surveillance of your network activity: VPN from an audited provider with no-logs infrastructure, compartmentalised devices for different activities, operational security discipline around metadata.

The most common mistake

People build threat models based on what they’ve heard about, not what they’re actually facing. They implement Tor because they read about it, when a VPN and strong passwords would address their actual risk profile. They ignore email security because encryption sounds complicated, when email is the most common vector for the attack they’re most likely to face.

The threat model is not about demonstrating seriousness. It’s about efficiency. Time and attention spent on the wrong protection is time and attention not spent on the real vulnerability.

When to update it

A threat model is not a document you write once. It changes when your circumstances change. Starting a new job in a sensitive sector. Beginning a relationship with a source in a high-risk environment. Going through a contentious legal process. Travelling to a country with a different risk profile.

The model doesn’t need to be written down. It needs to be thought through, honestly, at the moments that matter.

A threat model is accurate thinking about a specific problem. It’s the only thing that makes any security tool choice meaningful.

This article contains no affiliate links. Specific tool recommendations are on our Resources page.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.