
Certified Threat Modeling Professional (CTMP)

Last updated on Jan 28, 2026

In the Certified Threat Modeling Professional (CTMP) course, learn how to use threat modeling in modern DevOps organizations.

Common Questions:

Q1: Is threat modeling focused on every sort of system?

A: Threat modeling is a concept that is not limited to software. You can threat model your house, your car, an electronic voting system, election operations, and many other things. So is threat modeling focused only on software? No: threat modeling methodologies like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) are still applicable to non-web applications/software. You can adapt them to the specific context of your application/software.

Q2: What's good for PCI certification?

A: Tools find threats and categorize them into various standard mappings. Plenty of tools are discussed in the course through lectures and hands-on work. By the end of the course, you should have a better idea of the choices you want to make. If not, kindly post back here and we will assist you.

Q3: How can I integrate the process of threat modeling into our pipeline?

A: Here's a brief explanation:

  • CI/CD is about automating the building, testing, and deploying of your application.

  • Threat Modeling is a proactive security practice that identifies potential vulnerabilities in your application.

While CI/CD itself doesn't directly perform threat modeling, it can automate certain aspects and trigger security checks based on your threat model.

For example:

  • Integrate SAST (Static Application Security Testing) tools that can flag potential security issues in the code based on common coding vulnerabilities.
      • E.g., Nikto, SSLyze, Nmap.
  • Integrate DAST (Dynamic Application Security Testing) tools that can scan your application for vulnerabilities while it's running.
      • E.g., OWASP ZAP.

We cover more of these practices in our CDP course. In summary:

  • Identifying potential threats is the responsibility of the threat modeling team.

  • Implementing security practices and integrating scanning tools into the pipeline is the responsibility of the DevOps team.

  • Addressing and fixing vulnerabilities discovered during the scanning process is the responsibility of the development team.
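
One way a pipeline step can "trigger security checks based on your threat model", shown as an added example that is not part of the course material: the gate below fails the build when a modeled threat has no scan stage covering it, the stage did not run, or the stage reported open findings. The threat model layout, threat IDs, stage names and run summary are all hypothetical, constructed for illustration.

```python
"""Pipeline gate: each modeled threat must be covered by a scan stage that ran clean.
The JSON layout, threat IDs and stage names are hypothetical."""
import json
import sys

STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"}

# Constructed sample threat model, as the threat modeling team might commit it.
THREAT_MODEL = json.loads("""[
 {"id": "T1", "stride": "Tampering", "asset": "order API", "checks": ["sast"]},
 {"id": "T2", "stride": "Information Disclosure", "asset": "login page", "checks": ["dast"]},
 {"id": "T3", "stride": "Spoofing", "asset": "admin console", "checks": []},
 {"id": "T4", "stride": "Repudiation", "asset": "audit log", "checks": [], "manual_review": true}
]""")

# Constructed sample: stages the pipeline ran and the open findings each reported.
PIPELINE_RUN = {"sast": {"findings": 0}, "dast": {"findings": 2}}


def gate(threats, run):
    """Return (threat_id, reason) tuples; any entry should fail the build."""
    failures = []
    for t in threats:
        if t["stride"] not in STRIDE:
            failures.append((t["id"], "unknown STRIDE category"))
        elif not t["checks"]:
            # A threat with no automated check must be explicitly handed to manual review.
            if not t.get("manual_review"):
                failures.append((t["id"], "no automated check or manual review mapped"))
        else:
            for check in t["checks"]:
                if check not in run:
                    failures.append((t["id"], f"stage '{check}' did not run"))
                elif run[check]["findings"] > 0:
                    failures.append((t["id"], f"stage '{check}' has open findings"))
    return failures


if __name__ == "__main__":
    problems = gate(THREAT_MODEL, PIPELINE_RUN)
    for threat_id, reason in problems:
        print(f"{threat_id}: {reason}")
    sys.exit(1 if problems else 0)  # non-zero exit stops the pipeline
```

This matches the split of responsibilities above: the threat modeling team maintains the threat list, the DevOps team wires the gate and the scan stages into the pipeline, and the development team clears the findings that make it fail.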