
Slaying Cyber Dragons: How to Turn Threat Modeling Into a Fantasy-Inspired Team Adventure

  • Writer: Stanley Harris
  • Jun 4
  • 3 min read
“You enter the fog-laced forest. The ranger draws her bow. The mage studies the terrain. Ahead, a shadow stirs near the firewall... it’s a Bugbear of Tamper!”

If that sounds more like a campaign night than a security planning session, you’re exactly where you need to be!


At Katilyst, we’ve found that the biggest barrier to strong threat modeling isn’t technical knowledge—it’s engagement. Even with the best frameworks (STRIDE, PASTA, etc.), teams tune out if threat modeling becomes a rote checklist. That’s why we set out to transform it into an epic quest. Inspired by tabletop RPGs like Dungeons & Dragons, our approach gives security champions the tools to lead fun, collaborative, and genuinely productive threat modeling sessions.


Here’s how to design your own “Threat Modeling Party” experience: character classes, XP rewards, monster manuals, and maps. It’s not just about role-play. It’s about reframing threat modeling as an ongoing adventure worth taking.



🎲 Chapter One: Gather Your Party



Before you slay dragons, you need your adventuring party.


  • Warrior (Developer): Strong in system knowledge and attack surface.

  • Mage (Architect): Sees patterns and structure others miss.

  • Ranger (QA/Test): Sharp-eyed for edge cases and bugs.

  • Bard (Security Champion): Inspires, documents, and boosts morale.


Distribute character cards that define each role’s Primary Traits (e.g., “Code Analysis,” “Design Foresight”) and Bonus Skills (“Threat Evasion,” “Creative Mitigation”).


This turns participants into characters with purpose—and encourages everyone to contribute from their unique vantage point.



🗺️ Chapter Two: Map the World



Just like fantasy worlds have maps, your systems need clear boundaries. Bring architecture diagrams to life with storytelling:


  • Dark Forests: Unexplored subsystems or legacy zones

  • Dragon Lairs: High-value data stores or admin panels

  • Portals: 3rd-party dependencies or user entry points


Use a whiteboard or digital collaboration tool. Let the team sketch and annotate collaboratively. The goal? Build shared mental models. If your party doesn’t know the terrain, they’ll walk right into ambushes.



🔍 Chapter Three: Interactive Cartography


Turn system mapping into an XP-earning minigame. Ask participants to:


  • Draw new data flows (+2 XP)

  • Identify unclear entry points (+3 XP)

  • Spot unauthenticated areas (+5 XP)


Let your Bard (Security Champion) log discoveries. Award XP and badge names like “Seeker of Secrets” or “Cartographer General.” Encourage collaboration over perfection.



🐉 Chapter Four: Slay the Dragons (aka Identify Threats)



Now comes the real battle: threat discovery. Frame each threat as a fantasy monster:

  Threat                 Monster                STRIDE Type
  Privilege Escalation   Troll of Privilege     Elevation of Privilege
  Logging Exposure       Ghost in the Logs      Information Disclosure
  Parameter Tampering    Bugbear of Tamper      Tampering
  CSRF                   Wraith of Whispers     Spoofing
  Insecure Defaults      Gremlin of Oversight   Misconfiguration

Note that “Misconfiguration” is not one of the six STRIDE categories; when a Gremlin of Oversight turns up, classify it by what the insecure default actually exposes (an open admin panel is Elevation of Privilege, a verbose error page is Information Disclosure).

Each participant rolls (figuratively!) for perception. When they identify a threat, they earn XP based on severity.


🎯 Tip: Reference the OWASP Threat Modeling Cheat Sheet to structure your monster hunt.
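The monster hunt is easier to run systematically if the party applies STRIDE per element of the map drawn in Chapters Two and Three: each kind of element (external entity, process, data store, data flow) attracts a known subset of the six STRIDE categories, and any flow that crosses a trust boundary without authentication is exactly the “unauthenticated area” worth +5 XP. The script below is an added example, not part of the original post or of Katilyst’s Party Kit; the map (a Traveller, a Gate, a Vault, a Scribe and a third-party Oracle) is constructed for illustration, and the monster names for Repudiation and Denial of Service are assumed because the post’s table does not name them.

```python
"""Added example: STRIDE-per-element threat enumeration over a small,
fantasy-labelled data-flow diagram (DFD).  The DFD below is constructed
for illustration and is not from the original post."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# STRIDE-per-element: which categories apply to each DFD element type.
# (S)poofing, (T)ampering, (R)epudiation, (I)nformation disclosure,
# (D)enial of service, (E)levation of privilege.
STRIDE_BY_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Monster names per STRIDE letter.  S/T/I/E follow the post's table; the
# names for R and D are assumed here because the post gives none.
MONSTERS: Dict[str, str] = {
    "S": "Wraith of Whispers",
    "T": "Bugbear of Tamper",
    "R": "Shade of Lost Deeds",   # assumed name
    "I": "Ghost in the Logs",
    "D": "Hydra of the Flood",    # assumed name
    "E": "Troll of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # a key of STRIDE_BY_ELEMENT
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str
    authenticated: bool  # does the destination authenticate the source?


@dataclass(frozen=True)
class Threat:
    target: str
    stride: str
    monster: str
    note: str = ""


def unauthenticated_entry_points(elements: List[Element], flows: List[Flow]) -> List[Flow]:
    """Flows that cross a trust boundary without authentication: the post's
    +5 XP 'unauthenticated areas'."""
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f.src] != zone[f.dst] and not f.authenticated]


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the STRIDE-per-element matrix to every element and flow, then add
    a spoofing finding for each unauthenticated trust-boundary crossing."""
    zone = {e.name: e.zone for e in elements}
    threats: List[Threat] = []
    for e in elements:
        for letter in STRIDE_BY_ELEMENT[e.kind]:
            threats.append(Threat(e.name, letter, MONSTERS[letter]))
    for f in flows:
        target = f"{f.src} -> {f.dst} [{f.label}]"
        crosses = zone[f.src] != zone[f.dst]
        note = f"crosses trust boundary {zone[f.src]} -> {zone[f.dst]}" if crosses else ""
        for letter in STRIDE_BY_ELEMENT["data_flow"]:
            threats.append(Threat(target, letter, MONSTERS[letter], note))
    for f in unauthenticated_entry_points(elements, flows):
        threats.append(Threat(f.dst, "S", MONSTERS["S"],
                              f"unauthenticated entry via {f.src} [{f.label}]: "
                              "caller identity cannot be trusted"))
    return threats


def monster_census(threats: List[Threat]) -> Counter:
    """How many of each monster lurk in the map (input for the XP ledger)."""
    return Counter(t.monster for t in threats)


# Constructed sample map: Portals (Traveller, Oracle), a Gate process,
# and two Dragon Lairs (Vault, Scribe) in the keep.
ELEMENTS = [
    Element("Traveller", "external_entity", "wilds"),     # end user on the internet
    Element("Gate", "process", "dmz"),                     # API gateway
    Element("Vault", "data_store", "keep"),                # user records
    Element("Scribe", "data_store", "keep"),               # audit log store
    Element("Oracle", "external_entity", "third_party"),  # 3rd-party pricing API
]
FLOWS = [
    Flow("Traveller", "Gate", "search catalogue", authenticated=False),
    Flow("Gate", "Vault", "read profile", authenticated=True),
    Flow("Gate", "Scribe", "write audit event", authenticated=True),
    Flow("Gate", "Oracle", "price lookup", authenticated=False),
]

if __name__ == "__main__":
    found = enumerate_threats(ELEMENTS, FLOWS)
    for t in found:
        print(f"{t.stride}  {t.monster:<20} {t.target}  {t.note}")
    print(monster_census(found))
```

Run it and the party gets a complete candidate list to triage rather than a blank whiteboard: every element and flow on the map gets its applicable monsters, and the two unauthenticated boundary crossings (the Traveller hitting the Gate, and the Gate calling the third-party Oracle) are called out explicitly, which is where the Wraith of Whispers usually hides. The Bard can then award XP per confirmed finding and strike the ones the party decides are out of scope.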



⚔️ Chapter Five: Choose Your Weapons (Mitigation Planning)


Each monster has a weakness. Have your party pick their tools:


  • 🔐 Encryption Spells

  • 🧱 Firewalls & Access Gates

  • 🧬 Input Validation Scrolls

  • 🔁 Multi-Factor Sigils


Encourage everyone to explain how their mitigation works (teaching and XP go hand in hand). Award extra XP for:


  • Mapping mitigations to specific threats

  • Describing real-world examples

  • Spotting trade-offs


Bonus: Let the team name new defensive spells or tools (“Amulet of Input Sanitization”?).



📓 Chapter Six: Battle Plans and Standups


Adventures don’t end in one session. Set recurring “campaign rituals”:


  • Weekly standups with threat call-outs

  • Monthly “Monster Spotting” competitions

  • Retro-style reflections on missed risks


Log each threat modeled and XP earned in a shared notebook. Keep the momentum going. The Bard leads the lore.



🏅 Chapter Seven: Keep the Quest Alive



Recognition is key. Celebrate heroic effort:


  • XP Tracker Sheets (or use Katilyst's platform to track your party's progress!)

  • Badges: “Shieldbearer of Secrets,” “Mitigation Mage”

  • Leaderboard: Track XP per sprint or quarter


Use small perks: shout-outs in standup, digital badges in Slack, coffee tokens. Encourage leveling up through security training and red-team games.



🌄 Epilogue: Returning Home Victorious



Close each session with a victory screen. Recap what was discovered, defeated, and still lurking.

Remind your party: threat modeling isn’t a one-shot. It’s a long campaign, and it's best played together.



🎁 Bonus: Build Your Threat Modeling Party Kit

Want to run your own session? Include these essentials:

  • Character Cards (one per class)

  • Monster Manual (with threat/mitigation mapping)

  • XP Tracker Sheet (Excel or printed)

  • Fantasy System Map (custom sketch)

  • Session Script (step-by-step guide)

  • Leaderboard & Badges


📦 We’ve bundled ours as a downloadable Party Kit with QR code in the slides. Feel free to contact us for access or collaboration ideas.



Final Thoughts

Fantasy isn’t fluff; it’s framing. By injecting creativity and shared storytelling, security teams can unlock deeper engagement and retention. When threat modeling becomes an adventure, your team will keep showing up ready to roll initiative.


So gather your party. Ready your tools. And let the quest begin!
