
Announcing Elevation of Privilege: The Threat Modeling Game



Adam Shostack here. I’m pleased to announce that at RSA this week, Microsoft is releasing Elevation of Privilege, the Threat Modeling Game. Elevation of Privilege is the easiest way to get started threat modeling. EoP is a card game for 3-6 players. Card decks are available at Microsoft’s RSA booth, or for download here. The deck contains 74 playing cards in 6 suits: one suit for each of the STRIDE threats (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service and Elevation of Privilege). Each card has a more specific threat on it.  For example, here’s the 5 of Tampering.


The threat is “an attacker can replay data without detection because your code doesn’t provide timestamps or sequence numbers.”


Because we want everyone developing software to threat model, and there’s no better way to get people to do what you want than to ensure they have fun while doing it.


Everyone in software draws diagrams. From pictures on napkins or whiteboards to DFDs, UML or other formalisms, everyone diagrams.

  • You start with such a diagram (ideally, one focused on data flows) and deal the cards to 3-6 players. You’ll also want to assign someone to take notes.
  • Play starts with the 3 of Tampering. The player with that card reads it out, and explains how the threat on the card (“An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto”) might apply to the system you’re building. If they can provide a credible threat, they get a point. A credible threat here is one for which you’d file a bug.
  • Play proceeds clockwise until each player has had a chance to play a card. Each player needs to play in suit if they have a card in suit.
  • When each player has played, the highest numbered card played wins. [Ace is high] The player who won gets a point for the hand, and gets to lead the next hand, including picking the suit that leads that next hand.
  • If a player doesn’t have a card in the suit that was led, they may play any card. Elevation of Privilege cards are “trumps” that beat any other suit. Only the suit led or Elevation of Privilege can win the hand.

When you’re done (all the cards have been played), count up the points, give the winner a pat on the back, and have someone file bugs.

That may seem a little complex, but it’s pretty simple when you have cards in hand. There’s a video of me explaining the game here and of people playing on the launch page. There’s also a strategy card in the deck with a flowchart to help you decide what card to play.
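The follow-suit, trump and scoring rules above, written out as an added sketch (not part of the original post or of Microsoft's game materials). The J < Q < K ordering below the Ace, the `(rank, suit)` tuple layout, all function names, and the reading that every player who ties their card to a credible threat earns a point are assumptions; the sample hand is constructed.

```python
# Added illustration of the hand-resolution rules described in the post.
# Assumptions: J < Q < K below the Ace, cards as (rank, suit) tuples, all names.
RANKS = ["2", "3", "4", "5", "6", "7", "8", "9", "10", "J", "Q", "K", "A"]
TRUMP = "Elevation of Privilege"


def is_legal_play(hand, card, led_suit):
    """A player must follow the led suit if they hold any card in it."""
    if card not in hand:
        return False
    if led_suit is None or card[1] == led_suit:
        return True
    return all(suit != led_suit for _, suit in hand)


def hand_winner(plays):
    """plays: [(player, (rank, suit)), ...] in play order; the first play leads.

    Only the suit led or Elevation of Privilege can win. Any trump beats the
    led suit; within the deciding suit the highest rank wins.
    """
    led_suit = plays[0][1][1]
    trumps = [p for p in plays if p[1][1] == TRUMP]
    contenders = trumps or [p for p in plays if p[1][1] == led_suit]
    return max(contenders, key=lambda p: RANKS.index(p[1][0]))[0]


def score_hand(plays, credible):
    """One point per credible threat (one you'd file a bug for), plus one
    point to the winner of the hand. `credible` lists the players whose
    threat the group accepted."""
    points = {player: 0 for player, _ in plays}
    for player in credible:
        points[player] += 1
    points[hand_winner(plays)] += 1
    return points


# Constructed sample hand: Alice leads, Carol and Dave hold no Tampering cards.
SAMPLE_HAND = [
    ("Alice", ("3", "Tampering")),
    ("Bob", ("5", "Tampering")),
    ("Carol", ("2", TRUMP)),
    ("Dave", ("K", "Spoofing")),
]

if __name__ == "__main__":
    print(hand_winner(SAMPLE_HAND))
    print(score_hand(SAMPLE_HAND, ["Alice", "Bob"]))
```

Note that Dave's King of Spoofing outranks every other card on the table but cannot win, because it is neither the suit led nor a trump.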


Right now! If you’re at RSA, come by the Microsoft booth, or download the cards here.


If you’re developing software, this is for you. We’d love to hear your feedback here, we’d love for you to blog about it, but most of all we’d love for you to play Elevation of Privilege.

Once you have, we’d also like you to play with the idea of serious games for threat modeling and security. To help you get started, we’re making Elevation of Privilege available under a Creative Commons Attribution license which gives you freedom to share, adapt and remix the game.


I want to thank Austin Hill of Akoha for introducing me to the wide field of serious games (see or for some more on the broad concept), and Laurie Williams of North Carolina State University for designing “Protection Poker,” which inspired me to design Elevation of Privilege.