
Threat Modelling with OWASP® Cornucopia

OWASP Cornucopia is a threat modelling card game developed by the OWASP Foundation to help teams explore and discuss security risks early in the design of web and mobile applications. By turning a technical process into a creative, structured activity, it encourages collaboration and makes threat modelling more accessible and engaging for developers, designers, and other stakeholders.

What's in the decks?

  • OWASP Cornucopia 2.1 Web App Edition

    The deck comprises 80 tarot-style cards divided into six suits: Data Validation and Encoding, Authentication, Session Management, Authorization, Cryptography, and a catch-all "Cornucopia" suit. Accessible to all skill levels, each card represents a common error or anti-pattern that can lead to vulnerabilities and aligns with widely-recognized standards such as OWASP ASVS, MASVS, MASTG, SAFECode, SCP, and CAPEC.

  • OWASP Cornucopia 1.0 Mobile App Edition

    Tailored for mobile application security, the deck comprises 80 tarot-sized cards divided into six suits: Platform & Code, Authentication & Authorization, Network & Storage, Resilience, Cryptography, and Cornucopia. The game aligns with OWASP's Mobile Application Security Verification Standard (MASVS v2.0) and Mobile Application Security Testing Guide (MASTG v1.7), making it suitable for diverse teams regardless of platform or technology.

Quick Guide to Playing Cornucopia

1. Set the Scene: Pick a feature or app. Bring visuals (diagrams, stories). Gather 3 to 6 people including devs, testers, product folks, and ideally someone with security knowledge.

2. Deal the Cards: Shuffle the deck. Remove the Jokers and the low-numbered Cornucopia cards (2s to 4s). Deal the rest evenly.

3. Start Playing: Take turns playing cards. Stick to the same suit if possible. Read your card aloud and say how the threat might apply; there is no need to solve it yet. The highest card of the suit wins, unless trumped by a Cornucopia card. The winner starts the next round.

4. Score: +1 for a valid threat, +1 if your card wins the round. Most points wins.

5. Wrap-Up: Review threats, map to security standards, and turn them into backlog items.

Tip: have someone take notes for later use.
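A small model of the dealing, trick-winning and scoring rules above, added here as an illustration and not code from this page or from the OWASP Cornucopia project. It assumes the Web App Edition deck structure of six suits with 13 ranks each (2 to 10, J, Q, K, A, Ace high) plus two Jokers, and that Jokers are removed before play as in step 2.

```python
import random
from itertools import cycle

# Constructed model of the OWASP Cornucopia Web App Edition deck (assumption:
# six suits x 13 ranks + 2 Jokers = 80 cards, Ace high, Cornucopia trumps).
SUITS = ["Data Validation and Encoding", "Authentication", "Session Management",
         "Authorization", "Cryptography", "Cornucopia"]
TRUMP_SUIT = "Cornucopia"
RANKS = [str(n) for n in range(2, 11)] + ["J", "Q", "K", "A"]  # ascending strength
RANK_VALUE = {rank: i for i, rank in enumerate(RANKS)}


def build_deck():
    """Full 80-card deck as (suit, rank) tuples, Jokers included."""
    return [(suit, rank) for suit in SUITS for rank in RANKS] + [("Joker", "Joker")] * 2


def prepare_deck(deck, drop_jokers=True, drop_low_trumps=("2", "3", "4"), drop_aces=False):
    """Apply the step-2 removals (and the optional 'remove Aces' starter tip)."""
    return [(suit, rank) for suit, rank in deck
            if not (drop_jokers and suit == "Joker")
            and not (suit == TRUMP_SUIT and rank in drop_low_trumps)
            and not (drop_aces and rank == "A")]


def deal(deck, players, rng=None):
    """Shuffle and deal round-robin so hands are as even as the card count allows."""
    cards = list(deck)
    (rng or random).shuffle(cards)
    hands = {player: [] for player in players}
    for card, player in zip(cards, cycle(players)):
        hands[player].append(card)
    return hands


def round_winner(plays):
    """plays: ordered list of (player, (suit, rank)); the first play leads the suit.
    Highest card of the lead suit wins unless any Cornucopia card was played,
    in which case the highest Cornucopia card wins. Jokers are not modelled."""
    if any(card[0] == "Joker" for _, card in plays):
        raise ValueError("Jokers must be removed before play (step 2)")
    lead_suit = plays[0][1][0]
    trumps = [(p, c) for p, c in plays if c[0] == TRUMP_SUIT]
    candidates = trumps or [(p, c) for p, c in plays if c[0] == lead_suit]
    return max(candidates, key=lambda pc: RANK_VALUE[pc[1][1]])[0]


def score_round(plays, valid_threats, scores):
    """+1 for each player who described a valid threat, +1 for the round winner."""
    for player, _ in plays:
        scores[player] = scores.get(player, 0) + (1 if player in valid_threats else 0)
    winner = round_winner(plays)
    scores[winner] = scores.get(winner, 0) + 1
    return scores
```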

Cornucopia Starter Tips

Top 5 tips

  • Keep it simple to begin with

    Remove Aces and Jokers until the team is familiar with the game flow. You can reintroduce them once everyone’s more confident.

  • Start with a fictional app

    Use an imaginary or future application to practise. It lowers the stakes and lets people focus on learning the method, not worrying about real issues.

  • Tailor the deck to your tech stack

    Remove cards that don’t apply. Or focus on cards relevant to specific standards like PCI DSS or ISO 27001.

  • Keep sessions manageable

    For short time slots, use just one suit to narrow the focus, play a single round per day or sprint, or pre-select a few cards that relate to your current work or sprint goals.

  • Encourage input

    If someone misses a valid threat, invite others to contribute. Reward sharp insights with bonus points to keep it fun and collaborative.

Remote Teams? We've got you covered!

  • Send physical decks to each team member, making the most of our bulk pricing and multi-address fulfilment.
  • As the facilitator, use our online hand-dealing tool, Croupier, to generate random hands for each player.
  • Email the hands to the players so they can pick out their cards from their decks ahead of the session and be ready to play.