A threat model is a structured analysis of who might want to harm you (or your work, your sources, your client, your family), what they might try to do, what assets they would target, and what countermeasures actually reduce the risk. The discipline started in software security in the 1990s (STRIDE, Microsoft) and has been adopted across security operations, intelligence work, journalism, legal practice, and personal privacy.
What it means in practice
The threat model is the prerequisite to every OPSEC decision. Without it, you spend money on the wrong tools, optimize for the wrong threats, and accumulate convenience cost without buying actual protection. The lightweight civilian version answers four questions: what are you protecting (the asset), from whom (the adversary), what can they do (the capability), and what cost are you willing to pay to defend it (the budget). The output is one page. The discipline is rebuilding it every six months because the asset shifts (you are working on a new story), the adversary changes (your story now annoys someone with money), the capability evolves (commercial spyware now reaches a tier you previously discounted), and the budget tightens or loosens with the operation.
Where it shows up
Every Predaxia category opens with a threat-model question, sometimes implicit. Journalists ask: am I dealing with a source whose adversary is local police, organized crime, or a nation-state? Lawyers ask: is the privilege threat opposing counsel, a court order, an insider leak, or a state actor? Military families ask: is the threat the recruiting database, the deployment intelligence, or the family-as-leverage scenario? Travelers ask: am I crossing a border that searches devices, that demands social media handles, that will detain me if my LinkedIn says “journalist”? Each of these is a different threat model and produces a different OPSEC stack.
What you can change today
Build your one-page threat model in 30 minutes. Sheet of paper, four columns: Asset (3 lines), Adversary (3 lines), Capability (4 lines per adversary), Countermeasure (1 line per capability). The discipline is to write down adversaries you find uncomfortable to name. The default failure is naming “hackers” as the adversary; that is a category, not a threat. Name the actual person, organization, or class (your former employer’s legal team, the family of your protest opponent, the state intelligence service of the country your source is in). Concrete adversaries produce concrete countermeasures. Abstract adversaries produce shopping lists.
