Hands on Threat Modeling Juice Shop (Attacking 1)

All day, we’ll have been working to create models (diagrams) of Juice Shop to help us find problems with it, learn threat modelling, and deliver examples. This is all about answering the question of what Juice Shop is and building models of it.


Dinis proposed a set of evening sessions to create threat model artefacts & examples for the Juice Shop vulnerable app.


  • Using the diagrams that show various aspects of Juice Shop (model 1: What’s the app? model 2: How does it get deployed? Model 3: How is it “developed and maintained”? etc.), apply various techniques to answer the question “what can go wrong?”
  • Techniques might include brainstorming, STRIDE, top-10, PASTA, CAPEC, attack trees, or your favourite.


  • Set of models checked in
  • Possibly also sets of requirements or assumptions


The target audience for this Working Session is:

  • Participants in the threat modeling track
  • Participants interested in Juice Shop
  • Those who want to learn to threat model

Working materials


…add content…

Related Working Session(s)

Back to list of all Working Sessions and Tracks

Edit this page here