Most people approach security backwards. They start with tools – VPNs, encrypted messengers, password managers – and stack them haphazardly, hoping that more tools equals more protection. This is security theater. A journalist using Signal to communicate with sources but posting geotagged photos on Instagram has not achieved security. They have achieved the appearance of it while leaving critical attack surfaces exposed.
Threat modeling is the discipline that replaces tool-stacking with structured analysis. It asks four questions, in order: What do I need to protect? Who am I protecting it from? How likely are specific attacks? What are the consequences of failure? The answers produce a prioritized map of risks and countermeasures – a threat model – that directs your security investments toward the threats that actually matter, rather than the threats that feel most dramatic.
This guide provides a framework for building a personal or small-team threat model. It is not a corporate risk assessment methodology. It does not require a CISO, a GRC platform, or a consulting engagement. It requires a clear head, honest self-assessment, and two hours of focused work.
Phase 1: Asset Inventory
A threat model begins with what you’re protecting. Assets are anything whose compromise, exposure, or destruction would cause you harm. Most people dramatically underestimate their asset inventory because they think only in terms of files and passwords.
Digital Asset Categories
Identity assets. Your real name linked to online accounts. Email addresses. Phone numbers. Home address. Date of birth. Government ID numbers. Biometric data (fingerprints, face scans). These are the assets that enable identity theft, doxxing, and targeted harassment.
Communication assets. The content of your messages, emails, and calls. But also the metadata – who you communicate with, when, how frequently, and from where. Metadata is often more revealing than content. Intelligence agencies have confirmed publicly that they build surveillance programs around metadata analysis because it is more reliable and scalable than content interception.
Financial assets. Bank accounts, credit card numbers, cryptocurrency wallet keys, investment account credentials, tax records. Also financial behavior patterns: where you shop, what you spend, and how your spending correlates with your stated identity.
Professional assets. Source code, trade secrets, client lists, strategic plans, unreleased products, internal communications. For individuals in sensitive roles (journalists, lawyers, healthcare providers, activists), professional assets may also include information about other people – sources, clients, patients – whose exposure would cause harm beyond your own.
Behavioral assets. Your browsing history, search queries, location history, app usage patterns, AI conversation logs. These behavioral traces compose a detailed psychological profile that can be used for manipulation, discrimination, or prediction. They are the assets most aggressively collected and least frequently protected.
Credential assets. Passwords, API keys, SSH keys, encryption keys, recovery codes, hardware token credentials. These are force multipliers: compromising a single credential can unlock access to entire categories of other assets.
The Asset Mapping Exercise
Create a table. List every asset you can identify across the categories above. For each asset, note:
| Asset | Location(s) | Current Protection | Sensitivity |
|---|---|---|---|
| Primary email | Gmail | Password + 2FA (TOTP) | Critical |
| AI chat history | ChatGPT account | Account password | High |
| Client contracts | Google Drive | Google’s server-side encryption | Critical |
| Location history | Google Maps, phone carrier | Account settings | Medium |
| Source code | GitHub private repo | SSH key + 2FA | High |
| Cryptocurrency | Hardware wallet + exchange | Hardware wallet PIN | Critical |
| Medical records | Patient portal | Portal password | High |
Be comprehensive. The assets you forget to list are the ones that get compromised. Spend at least 30 minutes on this exercise. Return to it after 24 hours and add what you missed.
Phase 2: Adversary Identification
The second question: who would want to compromise your assets, and what capabilities do they have?
Adversary identification is where most people either over-index or under-index. The over-indexers imagine nation-state actors targeting their personal laptop. The under-indexers imagine no one would bother targeting them at all. Both are usually wrong.
Adversary Tiers
Tier 1: Opportunistic attackers. Automated scanners, credential stuffers, phishing campaigns. These adversaries don’t target you specifically. They target everyone and succeed against anyone with weak hygiene. Their capabilities are limited (bought credential lists, commodity malware, mass phishing) but their scale is vast. Every internet user faces Tier 1 adversaries.
Tier 2: Motivated individuals. Stalkers, harassers, disgruntled employees, business competitors, jealous partners. These adversaries target you specifically but have limited technical capabilities. They use social engineering, public records, social media OSINT, and commercially available surveillance tools (stalkerware, people-search databases). They are more dangerous than most people expect because their motivation compensates for their technical limitations.
Tier 3: Organized groups. Cybercriminal organizations, corporate espionage teams, hacktivist collectives. These adversaries have significant technical capability – custom malware, zero-day exploits, infrastructure for long-term campaigns. They target you for financial gain, competitive advantage, or ideological reasons. If you handle high-value financial assets, proprietary technology, or politically sensitive information, you face Tier 3 adversaries.
Tier 4: State actors. Intelligence agencies and law enforcement with legal compulsion powers, signals intelligence infrastructure, and effectively unlimited technical resources. Most individuals do not face state-actor threats. Journalists covering national security, human rights activists in authoritarian regimes, whistleblowers, and high-value intelligence targets do. If you face Tier 4 adversaries, you need more than this guide – you need operational security training from organizations like the Electronic Frontier Foundation, Citizen Lab, or Committee to Protect Journalists.
Tier 5: Your service providers. This is the adversary most people overlook. Google, Apple, Microsoft, Meta, OpenAI, Anthropic, Amazon – the companies that host your data – have complete access to everything you store with them. They are not adversaries in the traditional sense: they don’t intend you harm. But they can be compelled by law enforcement, compromised by attackers, incentivized by business models, or negligent in their security practices. Your cloud provider is a Tier 3 adversary by capability, even if they are a Tier 0 adversary by intent.
Adversary Mapping Exercise
For each asset in your inventory, identify which adversary tiers represent realistic threats:
| Asset | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |
|---|---|---|---|---|---|
| Primary email | Yes | Maybe | Unlikely | No | Yes (Gmail) |
| AI chat history | Yes | No | Unlikely | No | Yes (OpenAI) |
| Client contracts | Yes | Maybe | Maybe | No | Yes (Google) |
| Source code | Yes | No | Maybe | No | Yes (GitHub) |
| Cryptocurrency | Yes | Maybe | Yes | No | Yes (exchange) |
This mapping reveals where your defenses need to be strongest. If your most critical assets are all hosted by Tier 5 adversaries (cloud providers) and your realistic threat tier is 1-2, your priority should be hardening against opportunistic attacks (strong passwords, 2FA, phishing resistance) and reducing your exposure to provider-side access (client-side encryption, zero-knowledge architectures).
Phase 3: Attack Surface Analysis
An attack surface is every point where an adversary can attempt to access your assets. Attack surfaces are not just technical – they include physical, social, and procedural vectors.
Digital Attack Surfaces
Authentication surfaces. Every account you hold is an authentication surface. Each one can be attacked via credential stuffing (reused passwords), phishing (tricking you into entering credentials on a fake site), SIM swapping (hijacking your phone number to bypass SMS 2FA), or session hijacking (stealing authentication cookies).
To audit: List every account you hold. Identify which use unique passwords, which have 2FA enabled, what type of 2FA (SMS, TOTP, hardware key), and which have recovery mechanisms that could be socially engineered (security questions, email-based reset).
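The audit above can be run over a simple inventory. This is an added example, not part of the original guide: the field names, the `audit` function, and the sample accounts are all assumptions made for illustration. Beyond the checks listed above, it follows each account's password-reset mailbox, since an account protected by a hardware key is only as strong as the email account that can reset it.

```python
from collections import Counter

# 2FA types ranked weakest to strongest (SMS is exposed to SIM swapping).
MFA_RANK = {"none": 0, "sms": 1, "totp": 2, "hardware": 3}
# Recovery mechanisms the guide names as socially engineerable.
WEAK_RECOVERY = {"security_questions", "email_reset"}

# Constructed sample inventory. "pw" is a label you assign to each distinct
# password (never the password itself); "reset_email" names the inventory
# account that receives this account's password-reset mail.
ACCOUNTS = [
    {"name": "email", "pw": "A", "mfa": "sms",
     "recovery": ["recovery_codes"], "reset_email": None},
    {"name": "github", "pw": "B", "mfa": "hardware",
     "recovery": ["email_reset", "recovery_codes"], "reset_email": "email"},
    {"name": "bank", "pw": "C", "mfa": "totp",
     "recovery": ["security_questions"], "reset_email": None},
    {"name": "forum", "pw": "A", "mfa": "none",
     "recovery": ["email_reset"], "reset_email": "email"},
    {"name": "password_manager", "pw": "D", "mfa": "hardware",
     "recovery": ["recovery_codes"], "reset_email": None},
]


def audit(accounts):
    """Return {account name: [findings]} for every account with a weakness."""
    by_name = {a["name"]: a for a in accounts}
    pw_uses = Counter(a["pw"] for a in accounts)

    def chain_rank(name, seen=()):
        # An account is only as strong as the weakest mailbox in its reset chain.
        acct = by_name[name]
        rank = MFA_RANK[acct["mfa"]]
        parent = acct["reset_email"]
        if parent in by_name and parent not in seen:  # guard against loops
            rank = min(rank, chain_rank(parent, seen + (name,)))
        return rank

    findings = {}
    for a in accounts:
        issues = []
        if pw_uses[a["pw"]] > 1:
            issues.append("reused password")
        if a["mfa"] == "none":
            issues.append("no 2FA")
        elif a["mfa"] == "sms":
            issues.append("SMS 2FA (SIM-swap exposure)")
        for r in sorted(WEAK_RECOVERY & set(a["recovery"])):
            issues.append(f"socially engineerable recovery: {r}")
        if chain_rank(a["name"]) < MFA_RANK[a["mfa"]]:
            issues.append(f"reset chain via '{a['reset_email']}' is weaker than own 2FA")
        if issues:
            findings[a["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS).items():
        print(f"{name}: " + "; ".join(issues))
```

In the sample data, the GitHub account has the strongest 2FA available yet is still flagged, because its reset mail lands in a mailbox protected only by SMS.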
Network surfaces. Your home network, the Wi-Fi networks you join, your DNS resolver, your ISP – each is a point where traffic can be intercepted or monitored.
To audit: Do you use a VPN? Is your DNS traffic encrypted (DoH/DoT)? Do you connect to untrusted Wi-Fi networks? Does your ISP sell browsing data?
Device surfaces. Every device you own is an attack surface. Laptops, phones, tablets, smart home devices, USB drives. Each can be compromised through malware, physical theft, or supply chain attacks.
To audit: Is full-disk encryption enabled on every device? Are your devices running current OS versions with security patches? Do you leave devices unattended and unlocked? Do you use USB devices from untrusted sources?
Application surfaces. Every piece of software you run is an attack surface. Browser extensions, mobile apps, desktop applications – each has access to some subset of your data and can be compromised or malicious.
To audit: List your browser extensions. Review app permissions on your phone. Identify applications with broad file system access, camera/microphone access, or network access. Remove anything you don’t actively use.
Cloud and SaaS surfaces. Every cloud service you use holds some portion of your data and presents an attack surface through its own security posture, its employees, and its compliance with legal requests.
To audit: List every cloud service that holds your data. For each, determine what data they hold, whether they have end-to-end encryption, and what their breach history looks like.
Social Attack Surfaces
Public information. Everything you’ve posted publicly – social media profiles, forum posts, blog articles, public code repositories, conference talks – forms an OSINT (Open Source Intelligence) surface that adversaries can mine to inform targeted attacks.
To audit: Search your own name, email addresses, and usernames. Determine what an adversary would learn. Consider what information enables social engineering against you or your contacts.
Relationship mapping. Your social connections are an attack surface. Adversaries can target people you trust to reach you (spear-phishing from a compromised colleague’s account), or target you to reach people you know (supply-chain social engineering).
To audit: Identify your most sensitive relationships (sources, clients, colleagues with access to critical systems). Consider how an adversary who compromised your accounts could leverage your position to attack others.
Physical Attack Surfaces
Device access. Can someone access your devices while you’re away? Do you leave laptops in hotel rooms, phones on restaurant tables, or USB drives in bags?
Physical mail. Do sensitive documents arrive by postal mail? Can someone intercept or photograph your mailbox contents?
Visual surveillance. Can someone observe your screen while you work? Shoulder surfing in cafes, co-working spaces, and airports is a low-tech but effective attack vector.
Phase 4: Risk Prioritization
You now have three lists: assets, adversaries, and attack surfaces. The next step is to combine them into a prioritized risk register.
For each combination of asset, adversary, and attack surface, estimate two values:
- Likelihood: How probable is this attack? (Low / Medium / High)
- Impact: How severe would successful compromise be? (Low / Medium / High / Critical)
The product of likelihood and impact determines priority:
| | Low Likelihood | Medium Likelihood | High Likelihood |
|---|---|---|---|
| Critical Impact | Priority 2 | Priority 1 | Priority 1 |
| High Impact | Priority 3 | Priority 2 | Priority 1 |
| Medium Impact | Priority 4 | Priority 3 | Priority 2 |
| Low Impact | Priority 5 | Priority 4 | Priority 3 |
Example Risk Register
| Risk | Likelihood | Impact | Priority | Countermeasure |
|---|---|---|---|---|
| Email account compromised via credential stuffing | High | Critical | 1 | Unique password + hardware 2FA |
| AI conversations exposed via provider breach | Medium | High | 2 | PII stripping + API tier |
| Laptop stolen from hotel | Medium | High | 2 | Full-disk encryption + remote wipe |
| Client contracts exposed via Google Drive compromise | Low | Critical | 2 | Client-side encryption |
| Phone number SIM-swapped | Medium | High | 2 | Port lock + hardware 2FA (not SMS) |
| Home network intercepted by ISP | High | Medium | 2 | VPN + DoH |
| Social media doxxing | Low | Medium | 4 | Audit public information |
Focus your security investments on Priority 1 and 2 risks first. Priority 4 and 5 risks are real but should not consume resources that could address higher-priority threats.
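The matrix and register above can be kept as data so that priorities are derived rather than typed by hand. This is an added example, not part of the original guide: the function names are assumptions, the matrix and register rows are copied from the tables above, and the tie-break within a priority level (higher impact first, then higher likelihood) is an assumption the guide does not specify.

```python
LIKELIHOOD = ("Low", "Medium", "High")
IMPACT = ("Low", "Medium", "High", "Critical")

# The guide's priority matrix: one row per impact level,
# columns in LIKELIHOOD order (Low, Medium, High).
MATRIX = {
    "Critical": (2, 1, 1),
    "High":     (3, 2, 1),
    "Medium":   (4, 3, 2),
    "Low":      (5, 4, 3),
}

# Rows from the guide's example risk register:
# (risk, likelihood, impact, stated priority, countermeasure)
REGISTER = [
    ("Email account compromised via credential stuffing", "High", "Critical", 1,
     "Unique password + hardware 2FA"),
    ("AI conversations exposed via provider breach", "Medium", "High", 2,
     "PII stripping + API tier"),
    ("Laptop stolen from hotel", "Medium", "High", 2,
     "Full-disk encryption + remote wipe"),
    ("Client contracts exposed via Google Drive compromise", "Low", "Critical", 2,
     "Client-side encryption"),
    ("Phone number SIM-swapped", "Medium", "High", 2,
     "Port lock + hardware 2FA (not SMS)"),
    ("Home network intercepted by ISP", "High", "Medium", 2, "VPN + DoH"),
    ("Social media doxxing", "Low", "Medium", 4, "Audit public information"),
]


def priority(likelihood, impact):
    """Look up the matrix cell, rejecting ratings the matrix does not define."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: {likelihood!r} / {impact!r}")
    return MATRIX[impact][LIKELIHOOD.index(likelihood)]


def mismatches(register):
    """Rows whose hand-entered priority disagrees with the matrix."""
    return [(risk, stated, priority(lik, imp))
            for risk, lik, imp, stated, _ in register
            if stated != priority(lik, imp)]


def work_plan(register):
    """Order risks by priority; ties go to higher impact, then higher likelihood."""
    def key(row):
        _, lik, imp, _, _ = row
        return (priority(lik, imp), -IMPACT.index(imp), -LIKELIHOOD.index(lik))
    return [(priority(lik, imp), risk, fix)
            for risk, lik, imp, _, fix in sorted(register, key=key)]


if __name__ == "__main__":
    print("mismatched rows:", mismatches(REGISTER))
    for prio, risk, fix in work_plan(REGISTER):
        print(f"P{prio}  {risk}  ->  {fix}")
```

Running `mismatches` after each quarterly review catches rows where a likelihood or impact rating was changed but the priority column was not.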
Phase 5: Countermeasure Implementation
With your prioritized risk register, you can now select and implement countermeasures in order of priority.
The Countermeasure Hierarchy
Not all countermeasures are equal. Prefer countermeasures that are:
Architectural over procedural. A system that cannot store your data is more reliable than a policy that says it won’t. Zero-knowledge architecture is more robust than a privacy policy.
Passive over active. Full-disk encryption protects you when your laptop is stolen whether or not you remember to enable it that day. It is passive. Remembering to lock your screen every time you leave your desk is active and failure-prone.
Default-on over opt-in. A browser that blocks trackers by default is more protective than one that requires you to install and configure an extension. Choose tools where privacy is the default state.
Verifiable over promissory. Open-source encryption you can inspect is more trustworthy than a proprietary system that promises security. End-to-end encryption you can verify is more reliable than server-side encryption you must trust.
High-Impact Countermeasures (Priority 1-2)
Password manager with hardware 2FA. This single change addresses the most common attack vector (credential stuffing and reuse) across all your accounts. Use Bitwarden or KeePassXC. Generate unique, random passwords for every account. Enable hardware key 2FA (YubiKey, SoloKey) on your password manager and all critical accounts.
Full-disk encryption on all devices. FileVault (macOS), BitLocker (Windows), LUKS (Linux). This makes stolen or seized devices useless without your password.
Client-side encryption for cloud storage. As detailed in our encryption guide, encrypt files before they reach any cloud provider. This neutralizes Tier 5 (provider) access entirely.
PII hygiene in AI interactions. Never input unredacted PII into commercial AI systems. Use API tiers with training opt-out. Implement client-side PII stripping for sensitive workflows.
Network-level protection. A no-log VPN for all internet traffic. DNS-over-HTTPS for all DNS queries. These prevent ISP surveillance and network-level metadata collection.
Medium-Impact Countermeasures (Priority 3)
OSINT reduction. Audit and reduce your public information footprint. Remove old social media posts, opt out of people-search databases, use pseudonyms where real names aren’t required.
Communication encryption. Signal for messaging. ProtonMail or Tuta for email. PGP for specific high-sensitivity communications. Ensure that your most sensitive conversations use end-to-end encrypted channels where the provider cannot access content.
Device hardening. Remove unnecessary apps. Audit browser extensions. Disable unused radios (Bluetooth, NFC) when not in use. Enable automatic OS and app updates.
The Threat Model Worksheet
Use this worksheet to build your own threat model. Copy it, fill it out, and review it quarterly.
Section 1: Asset Inventory
For each asset, note:
- What is it?
- Where is it stored/accessible?
- What is the impact of compromise? (Low/Medium/High/Critical)
- Who currently has access?
Section 2: Adversary Profile
For each relevant adversary tier:
- Do they have motive to target you?
- What capabilities do they have?
- What resources would they invest?
- Have they acted against people in your situation before?
Section 3: Attack Surface Audit
For each surface category:
- How many entry points exist?
- Which are most exposed?
- Which protect the most critical assets?
- What is the current protection level?
Section 4: Risk Register
For each identified risk:
- Asset at risk
- Adversary tier
- Attack vector
- Likelihood (Low/Medium/High)
- Impact (Low/Medium/High/Critical)
- Priority score
- Current countermeasure
- Required countermeasure
- Implementation deadline
Section 5: Review Schedule
- Monthly: Check for new assets, accounts, or exposure.
- Quarterly: Full worksheet review. Update adversary assessment.
- Annually: Complete rebuild. Reassess all assumptions.
- On incident: Immediate review if any compromise or near-miss occurs.
Common Mistakes in Personal Threat Modeling
Overweighting dramatic threats. Most people overestimate the probability of sophisticated attacks (state-sponsored hacking, zero-day exploits) and underestimate the probability of mundane ones (password reuse, phishing, stolen laptop). Your threat model should reflect the threats you actually face, not the ones that make the best stories.
Ignoring Tier 5 adversaries. Your service providers have more access to your data than almost any other adversary. A threat model that accounts for hackers but not for the companies that host your data is incomplete. Zero-knowledge architecture exists specifically to neutralize this threat tier.
Treating threat modeling as a one-time exercise. Your threat model decays. New accounts, new devices, new adversaries, new capabilities – the landscape shifts continuously. A threat model that isn’t reviewed quarterly is a historical document, not a security tool.
Neglecting the social layer. The most common breach vector is social engineering – phishing, pretexting, and manipulation. Technical countermeasures don’t protect against a convincing email from a compromised colleague’s account. Include social awareness and verification habits in your countermeasure plan.
Perfection paralysis. No threat model achieves complete protection. The goal is risk reduction, not risk elimination. Implement the highest-priority countermeasures first and iterate. A partially implemented threat model is infinitely better than a perfect one that only exists in theory.
The Architectural Response
Threat modeling reveals a consistent pattern: the more services that hold your data in plaintext, the larger your attack surface. Every cloud account, every AI conversation, every unencrypted file in transit – each is a node in a graph of exposure.
Stealth Cloud’s architectural philosophy is to collapse this graph. Wallet-based authentication eliminates identity assets from the threat model entirely. Client-side encryption removes the provider from the trust boundary. Zero-persistence infrastructure ensures that even a total server compromise yields nothing – because there is nothing to yield.
Your threat model may not require this level of architectural protection. But understanding the principle helps you evaluate every tool and service you use: does this reduce my attack surface, or does it add another node to the graph? The answer determines whether you’re building security or building the appearance of it.