CTMP Tools and Reporting Guidelines – What You Need to Know for the Certified Threat Modeling Professional Exam
Introduction
Preparing for the Certified Threat Modeling Professional (CTMP) exam involves more than mastering theory—you also need to know which tools are available in the course and how to assemble a clear, compliant exam report. This article walks you through the dashboard‑style tools you’ll encounter, outlines the exact components required in your exam submission, and offers practical tips to help you present your work professionally. Whether you’re a first‑time candidate or refreshing your knowledge, these guidelines will keep you on track and boost your confidence on exam day.
1. Dashboard‑Based Tools Included in the CTMP Course
The CTMP curriculum introduces several threat‑modeling utilities that you can use during labs and the exam. The most prominent ones are:
| Tool | Primary Use | Key Features |
|---|---|---|
| ThreatDragon | Open‑source threat‑modeling editor | Drag‑and‑drop data flow diagrams (DFDs), automatic STRIDE analysis, export to PDF/PNG, integration with GitHub |
| ThreatModelling (the course‑specific web app) | Guided threat‑model creation | Step‑by‑step wizard, built‑in reporting templates, collaborative workspace |
| Additional utilities (e.g., Microsoft Threat Modeling Tool, OWASP Threat Dragon, PlantUML) | Optional, for advanced diagramming or automation | Custom script support, API access, extensive library of symbols |
Tip: While ThreatDragon is the default recommendation, you are free to use any compatible tool that produces the required diagrams and documentation. The important factor is that the output is clear, accurate, and can be embedded in your final report.
2. What the CTMP Exam Report Must Contain
Your exam submission is evaluated on both content completeness and presentation quality. The following three sections are mandatory:
1. List of Exam Challenges
   - Enumerate each challenge exactly as it appears in the exam interface.
   - Use a numbered list (e.g., Challenge 1, Challenge 2, …) for easy reference.
2. Process Explanation
   - Describe, in your own words, how you approached each challenge.
   - Include the methodology, threat‑modeling technique (e.g., STRIDE, DREAD), and any decision‑making criteria.
   - Keep explanations concise (150‑250 words per challenge) but thorough enough to demonstrate your reasoning.
3. Evidence of Completion
   - Attach screenshots, log excerpts, or output files that prove you solved the challenge.
   - Highlight key steps (e.g., a highlighted portion of a DFD or a screenshot of a generated risk matrix).
   - Ensure all images are legible (minimum 300 dpi) and labeled with the corresponding challenge number.
3. Incorporating Diagrams, Tables, and Other Visuals
While the core report structure is fixed, you have flexibility in how you present supporting material:
3.1 Using Diagrams
- Create diagrams in ThreatDragon or your preferred tool and export them as PNG or PDF.
- Insert each diagram directly below the relevant challenge description.
- Add a caption that includes the challenge number and a brief title (e.g., “Figure 1 – DFD for Challenge 2: Online Payment Flow”).
3.2 Adding Tables
- Tables are ideal for summarizing risk scores, mitigation actions, or asset inventories.
- Use Markdown table syntax in the report or embed an Excel/CSV screenshot if the platform does not support native tables.
3.3 Other Artifacts
- Code snippets (e.g., a security‑control script) can be formatted using fenced code blocks.
- Video clips are not accepted, but you can provide a link to a private repository (e.g., a GitHub Gist) if the exam rules permit external references.
4. Practical Example: Formatting a Single Challenge
Below is a concise template you can copy for every challenge in your exam report:
### Challenge 1 – Identify Threats in the User Authentication Flow
**Process Overview**
1. Imported the system architecture into ThreatDragon.
2. Applied STRIDE analysis to each data flow.
3. Prioritized threats using the DREAD scoring model.
**Key Findings**
| Threat | STRIDE Category | DREAD Score | Recommended Mitigation |
|--------|----------------|------------|------------------------|
| Credential stuffing | Spoofing | 8 | Implement CAPTCHA and rate limiting |
| Session hijacking | Tampering | 7 | Enforce secure, HttpOnly cookies |
**Evidence**
- *Figure 1 – Data Flow Diagram highlighting the authentication endpoints.*
- Screenshot of the DREAD score matrix (see Appendix A).
Repeating this pattern for each challenge guarantees consistency and makes it easy for reviewers to locate information.
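As an added example (not part of the CTMP course material or the template above), the following Python script computes each threat's DREAD score from its five component ratings and renders the Key Findings table in the template's Markdown layout, highest priority first. It assumes the common convention that the DREAD score is the rounded mean of the five ratings (each 1–10); the component values are constructed so that they reproduce the scores shown in the template.

```python
# Added example: build the "Key Findings" Markdown table of the challenge
# template from DREAD component ratings. Assumption: DREAD score = mean of the
# five ratings (each an integer 1-10), rounded to the nearest integer.
from dataclasses import dataclass
from statistics import mean


@dataclass
class Finding:
    threat: str
    stride: str  # STRIDE category assigned during analysis
    # Damage, Reproducibility, Exploitability, Affected users, Discoverability
    dread: tuple[int, int, int, int, int]
    mitigation: str

    def dread_score(self) -> int:
        # Reject malformed ratings early so a typo cannot silently skew priority.
        if len(self.dread) != 5 or not all(
            isinstance(r, int) and 1 <= r <= 10 for r in self.dread
        ):
            raise ValueError(f"{self.threat}: each DREAD rating must be an integer 1-10")
        # A mean of five integers is never exactly .5, so round() is unambiguous.
        return round(mean(self.dread))


def key_findings_table(findings: list[Finding]) -> str:
    """Render findings as the Markdown table used in the challenge template,
    sorted by DREAD score (descending) so reviewers see the priority order."""
    rows = [
        "| Threat | STRIDE Category | DREAD Score | Recommended Mitigation |",
        "|--------|----------------|------------|------------------------|",
    ]
    for f in sorted(findings, key=lambda f: f.dread_score(), reverse=True):
        rows.append(f"| {f.threat} | {f.stride} | {f.dread_score()} | {f.mitigation} |")
    return "\n".join(rows)


# Constructed sample ratings, chosen to reproduce the scores in the template.
SAMPLE_FINDINGS = [
    Finding("Session hijacking", "Tampering", (7, 7, 8, 6, 7),
            "Enforce secure, HttpOnly cookies"),
    Finding("Credential stuffing", "Spoofing", (8, 9, 8, 8, 7),
            "Implement CAPTCHA and rate limiting"),
]

if __name__ == "__main__":
    print(key_findings_table(SAMPLE_FINDINGS))
```

Paste the printed table straight under the **Key Findings** heading of each challenge; regenerating it from the ratings keeps the scores and the priority order consistent across revisions.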
5. Tips for a Polished, Exam‑Ready Report
- Consistent Naming: Use the same challenge numbers throughout the document, diagrams, and file names.
- File Size Management: Compress images without losing readability; keep the total PDF under the platform’s size limit (usually 25 MB).
- Proofread: Spelling or grammatical errors can distract reviewers from the technical content.
- Version Control: Save a copy of your report before final submission; you may need to revert if a file becomes corrupted.
6. Common Questions
| Question | Answer |
|---|---|
| Do I have to use ThreatDragon for the exam? | No. Any tool that can produce clear DFDs, tables, or risk matrices is acceptable, as long as the output is included in the final report. |
| Can I submit a separate document for diagrams? | All supporting artifacts must be embedded in the single exam report file (PDF or DOCX) unless the exam instructions explicitly allow separate attachments. |
| What if a screenshot is blurry? | Re‑capture the screen at a higher resolution or annotate the critical area. Illegible evidence may be marked as insufficient. |
| Are third‑party libraries allowed in the diagrams? | Yes, you may import symbols from external libraries (e.g., Visio stencils) as long as they accurately represent the system components. |
Conclusion
Mastering the CTMP exam isn’t just about threat‑modeling knowledge—it also hinges on delivering a well‑structured, evidence‑rich report. By leveraging the built‑in tools like ThreatDragon, adhering to the three‑section report format, and polishing your visuals, you’ll present a professional submission that showcases both your analytical skills and attention to detail. Follow the guidelines above, double‑check every requirement, and you’ll be ready to earn your Certified Threat Modeling Professional credential with confidence.