Free Delivery on orders above £75 for our US and Europe customers
1 3

OWASP Cornucopia Web App Companion Set - 25ᵗʰ Anniversary Edition

£40.00

Coming in stock on 15th June 2026. Place your pre-order now!

Description

This edition combines the OWASP Cornucopia Web App Edition v3.0 with the all-new Companion Edition v1.0, bringing together a total of 158 scenarios across 12 suits for continuous gamified threat modeling in this set.

The Web App Edition includes six suits covering Data Validation, Authentication, Session Management, Authorization, Cryptography & Cornucopia. The Companion Edition introduces six additional suits focused on modern software development domains:

  • Agentic AI
  • Automated Threats
  • Cloud
  • Frontend
  • Large Language Models
  • DevOps

This version connects gameplay with well-researched standards including, amongst others: OWASP ASVS, AISVS, SAMM, DSOMM, CAPEC, OWASP Top 10, and STRIDE.

OWASP is a registered trademark of the OWASP Foundation.

⭐ Created to celebrate the OWASP Foundation’s 25th anniversary, this edition features specially designed packaging, and materials inspired by OWASP’s contribution to application security.

Specifications
  • Suits
    Agentic AI (AAI), Automated Threats (BOT), Cloud (CLD), Frontend (FRE), Large Language Models (LLM), DevOps (DVO), Web App Edition suits, Data Validation & Encoding, Authentication, Session Management, Authorization, Cryptography, Cornucopia
  • # Cards
    158
  • Created by
    OWASP Foundation

Why the Companion Edition?

The Companion Edition was developed to expand OWASP Cornucopia beyond traditional web application threat modelling and reflect the demands of modern software development. Teams now work across AI agents, LLM integrations, cloud infrastructure, DevOps pipelines, frontend frameworks, and automation platforms, often within the same project or sprint.

The Companion Edition introduces dedicated suits focused on contemporary technologies and security concerns. These suits enable teams to adapt threat modelling sessions to their specific architectures, workflows, and risk areas, while still using the OWASP Cornucopia Web App Edition as the foundation.

The companion suits may be used together with, or independently from, the Web App Edition suits, giving teams greater flexibility when modelling threats across diverse technologies and development practices.

Quick Guide to Playing Cornucopia

1. Set the Scene: Pick a feature or app. Bring visuals (diagrams, stories). Gather 3 to 6 people including devs, testers, product folks, and ideally someone with security knowledge.

2. Deal the Cards: Shuffle the deck. Remove Jokers and low-numbered Cornucopia cards (2 to 4s). Deal the rest evenly.

3. Start Playing: Take turns playing cards. Stick to the same suit if possible. Read your card aloud and say how the threat might apply, no need to solve it yet. Highest card of the suit wins, unless trumped by a Cornucopia card. Winner starts the next round.

4. Score: +1 for a valid threat, +1 if your card wins the round. Most points wins.

5. Wrap-Up: Review threats, map to security standards, and turn them into backlog items.

Tip: have someone take notes for later use.

Cornucopia Starter tips

  • Top 5 tips

  • Keep it simple to begin with

    Remove Aces and Jokers until the team is familiar with the game flow. You can reintroduce them once everyone’s more confident.

  • Start with a fictional app

    Use an imaginary or future application to practise. It lowers the stakes and lets people focus on learning the method, not worrying about real issues.

  • Tailor the deck to your tech stack

    Remove cards that don’t apply. Or focus on cards relevant to specific standards like PCI DSS or ISO 27001.

  • Keep sessions manageable

    For short time slots, use just one suit to narrow focus, play a single round per day or sprint, or pre-select a few cards that relate to your current work or sprint goals

  • Encourage input

    If someone misses a valid threat, invite others to contribute. Reward sharp insights with bonus points to keep it fun and collaborative.

Hybrid teams? No problem

We developed a style of play where everyone has the physical deck, but plays the game through video conferencing.

Meet our croupier Why?
Back to top