Threat Model

A threat model is a deliberate, written assessment of the risks you actually face, used to decide where to spend limited time and money on security. The Electronic Frontier Foundation frames it as thinking about who might want to compromise you and what they want from you. The concept originated in software security — Microsoft formalized the STRIDE methodology in the late 1990s — but it applies just as well to personal privacy and self-custody.

The core questions

A useful threat model answers a handful of plain questions: What am I protecting (assets)? Who might want it (adversaries)? How likely and how capable are they? What happens if they succeed (consequences)? And how much inconvenience am I willing to accept to prevent it? Crucially, there is no defense against every theoretical threat, so the exercise is about prioritization — taking seriously the threats that are plausible for you and consciously declining to chase the ones that are not.

Why it comes first

Without a threat model, security spending becomes cargo-cult ritual: people adopt tools that do not address their real risks while ignoring the ones that do. A casual holder defending against remote hackers needs different measures than a public figure who must also plan for physical coercion. Naming your adversary turns vague anxiety into concrete decisions — whether to run a node over Tor, how to structure multisig against a Wrench Attack, or whether a hardened phone is worth the friction.

Build your threat model first, then let it drive your day-to-day OPSEC and tool choices rather than the other way around.