Free Delivery on orders above $50 for our US and Europe customers

What's LINDDUN GO Privacy Threat Modeling?

LINDDUN GO is a collaborative card game designed to help teams identify privacy threats in software systems. It simplifies the traditional LINDDUN framework, making it suitable for people who are new to threat modeling but at the same time providing a sufficient level of thoroughness.

View the product

What's in the deck?

There are 33 threat cards in the deck, each representing a specific privacy threat type. These cards are categorized into seven suits: Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness and Non-compliance.

Each card has a structured layout ensuring non-experts can meaningfully contribute, cross-functional teams can collaborate using a shared language, and threat identification is both comprehensive and systematic.

Buy the game

What are the steps in LINDDUN GO?

  • 1. Model the system

    Start by creating a Data Flow Diagram (DFD) that maps out data flows, processes, external actors, data stores, and trust boundaries. This provides a clear view of the system for analysis.

  • 2. Elicit Privacy threats

    Review each interaction in the DFD to uncover potential privacy risks. This step involves systematically assessing how data flows might lead to threats like linkability or unauthorised access.

  • 3. Manage identified threats

    Prioritise the identified threats based on impact or likelihood, then decide on appropriate mitigations—whether through design changes, controls, or policy.

How to play?

Initiate the Session: The first participant draws a random threat card and presents it to the group.

Assess the Threat: Using the system sketch, evaluate whether the threat described on the card is applicable. Consider the card's elicitation questions and hotspot indicators.

Document Identified Threats: If a threat is deemed relevant, record it for further analysis and mitigation planning.

Collaborative Input: Other participants can contribute additional insights or identify overlooked threats related to the card.

Proceed to Next Card: Once discussions on the current card conclude, the next participant draws a new card, and the process repeats.

Conclude the Session: The game ends when all cards have been reviewed.

LINDDUN GO Card layout


What makes LINDDUN GO unique is the power packed into each card.

The detail on each card, refined through hands-on testing and real world feedback, is there to spark insight and drive discussion. From the clear structure to the carefully crafted prompts, the cards are designed to help players spot privacy threats with confidence and clarity.

Remote Teams? We've got you covered!

  • Send physical decks to each team member, making the most of our bulk pricing and multi-address fulfilment.
  • As the facilitator, use our online hand dealing tool Croupier to generate random hands for each player.
  • Email the hands to the players so they can pick out their cards from their decks ahead of the session and be ready to play.

Check out Croupier
Back to top