Free Delivery on orders above $50 for our US and Europe customers

What is OWASP Cornucupia Threat Modeling?

The OWASP Cornucopia Threat Modeling Game is a card game developed by the OWASP Foundation, designed to help teams identify and discuss security threats in web applications, especially in the early stages of design and development. It’s a structured yet creative tool for conducting threat modelling, with a particular focus on web and mobile applications.

View the product

What is in the deck?

Cornucopia suits are based on the OWASP® Secure Coding Practices, with input from the OWASP® ASVS, WSTG, and David Rook's Principles of Secure Development.

They include six suits: Data Validation and Encoding, Authentication, Session Management, Authorization, Cryptography, and a general “Cornucopia” suit. Like poker cards, each suit has 13 cards (Ace to King), plus two Jokers.

Buy the game

Quick Guide to Playing Cornucopia

1. Set the Scene: Pick a feature or app. Bring visuals (diagrams, stories). Gather 3 to 6 people including devs, testers, product folks, and ideally someone with security knowledge.

2. Deal the Cards: Shuffle the deck. Remove Jokers and low-numbered Cornucopia cards (2 to 4s). Deal the rest evenly.

3. Start Playing: Take turns playing cards. Stick to the same suit if possible. Read your card aloud and say how the threat might apply, no need to solve it yet. Highest card of the suit wins, unless trumped by a Cornucopia card. Winner starts the next round.

4. Score: +1 for a valid threat, +1 if your card wins the round. Most points wins.

5. Wrap-Up: Review threats, map to security standards, and turn them into backlog items.

Tip: have someone take notes for later use.

Cornucopia Starter Tips

  • Top 5 tips

  • Keep it simple to begin with

    Remove Aces and Jokers until the team is familiar with the game flow. You can reintroduce them once everyone’s more confident.

  • Start with a fictional app

    Use an imaginary or future application to practise. It lowers the stakes and lets people focus on learning the method, not worrying about real issues.

  • Tailor the deck to your tech stack

    Remove cards that don’t apply. Or focus on cards relevant to specific standards like PCI DSS or ISO 27001.

  • Keep sessions manageable

    For short time slots, use just one suit to narrow focus, play a single round per day or sprint, or pre-select a few cards that relate to your current work or sprint goals

  • Encourage input

    If someone misses a valid threat, invite others to contribute. Reward sharp insights with bonus points to keep it fun and collaborative.

Remote Teams? We've got you covered!

  • Send physical decks to each team member, making the most of our bulk pricing and multi-address fulfilment.
  • As the facilitator, use our online hand dealing tool Croupier to generate random hands for each player.
  • Email the hands to the players so they can pick out their cards from their decks ahead of the session and be ready to play.

Check out Croupier
Back to top