How to build your threat model in 20 minutes.
Short answer
A personal threat model answers five questions: What are you protecting? From whom? How likely are they to try? What are the consequences if they succeed? How much friction will you actually sustain? Answer these honestly and your tool choices become obvious. Skip them and you will spend effort in the wrong places.
If you want the answers without the writing exercise, the Threat Model Builder walks you through five questions in three minutes and outputs a personalized OPSEC score for your specific profile. This article is for those who want to understand the method before using the tool.
A threat model is not a paranoia checklist. It’s a tool for making accurate decisions about what to protect, from whom, and at what cost.
Most people approach digital security by asking: ‘what should I do?’ The right question is: ‘what am I actually defending against?’ The answer determines everything else. Without it, you’re spending effort in the wrong places.
The five questions
Every functional threat model answers five questions. You don’t need a framework, software, or a consultant. You need honest answers to these.
1. What do I have that’s worth protecting?
Not ‘what do I want to keep private in general’ but specifically: what information, if accessed by the wrong person, would cause real harm? Source identities. Client files. Financial records. Location data during a specific period. The more specific you are, the more useful the model.
2. Who would want to access it?
Not a generic adversary. A specific one. A state actor with significant resources and legal authority is different from an ex-partner with technical skills and local knowledge. A corporate competitor is different from a criminal organisation. Each requires a different response.
3. How likely is it that they will try?
Probability matters. Protecting against a targeted nation-state attack when you are not a realistic target is a waste of effort. Protecting against opportunistic credential theft when you use the same password across 30 services is a straightforward fix that most people delay.
4. What are the consequences if they succeed?
For a journalist, a compromised source list is a career-ending and potentially life-threatening outcome. For a lawyer, disclosed client communications are a professional and legal crisis. For a family going through a custody dispute, location data accessed by the other party has immediate practical consequences. Scale your response to the consequence.
5. How much friction am I willing to accept?
A threat model that requires practices nobody will sustain in real working conditions is useless. Maximum security with zero usability is not a solution. The goal is the highest level of protection that you will actually maintain.
Mapping your answers to decisions
Once you have honest answers to the five questions, the tool choices become straightforward.
If your adversary is opportunistic and your primary risk is credential theft: a good password manager and two-factor authentication on your critical accounts eliminates the majority of your exposure. That’s a half-hour project.
If your adversary has legal authority and your primary risk is compelled disclosure of communication records: end-to-end encrypted email and messaging, providers in appropriate jurisdictions, no cloud backups of sensitive content. Proton Mail and Signal. A week to implement properly. The choice between them is not arbitrary, and the trade-offs are documented in Signal versus ProtonMail versus Wire for source contact.
If your adversary has physical access capability and your primary risk is device seizure: strong device encryption, USB Restricted Mode, travel devices for high-risk environments, no iCloud backup. What forensic tools can extract from a seized device is the reference here. The capability gap between what users assume and what investigators recover is wide. An ongoing discipline, not a one-time setup.
If your adversary has significant technical resources and your primary risk is surveillance of your network activity: VPN from an audited provider with no-logs infrastructure, compartmentalised devices for different activities, operational security discipline around metadata.
The most common mistake
People build threat models based on what they’ve heard about, not what they’re actually facing. They implement Tor because they read about it, when a VPN and strong passwords would address their actual risk profile. They ignore email security because encryption sounds complicated, when email is the most common vector for the attack they’re most likely to face.
The threat model is not about demonstrating seriousness. It’s about efficiency. Time and attention spent on the wrong protection is time and attention not spent on the real vulnerability.
When to update it
A threat model is not a document you write once. It changes when your circumstances change. Starting a new job in a sensitive sector. Beginning a relationship with a source in a high-risk environment. Going through a contentious legal process. For that specific case, why you should assume your devices are already compromised before filing for divorce is the framing that should drive the first 48 hours. Travelling to a country with a different risk profile. The actionable version of that point is in the security checklist before traveling to a high-risk country. Built to be run weeks before the airport, not at the gate.
The model doesn’t need to be written down. It needs to be thought through, honestly, at the moments that matter.
Frequently asked questions
Is there a faster way to build a threat model?
Yes. The Predaxia Threat Model Builder walks you through five questions in three minutes and gives you a personalized OPSEC score, the vulnerabilities the score reveals, and the exact articles to close each one. The article you are reading explains the method that powers it. Use the tool if you want the answer fast. Read the article if you want to understand why the tool asks what it asks.
How long does building a threat model actually take?
Twenty minutes for a first pass. The five questions in this article can be worked through quickly. Revisiting and refining takes another session when your situation changes.
Does a threat model change over time?
Yes. A threat model built during a divorce proceeding is different from one built during a high-risk assignment abroad. Update it whenever your situation, assets, or adversaries change significantly.
Do I need technical knowledge to build a threat model?
No. A threat model is a thinking exercise, not a technical configuration. The five questions require honest self-assessment, not security expertise.
What’s the most common threat model mistake?
Building it around the most dramatic threat instead of the most likely one. People prepare for nation-state actors when their actual exposure is opportunistic credential theft. The result is hardened tools nobody uses against threats that never come, and basic gaps left open against the threats that arrive every week.
A threat model is accurate thinking about a specific problem. It’s the only thing that makes any security tool choice meaningful.
Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
