Elevation of Privilege (EoP) Threat Modeling Card Game

Elevation of Privilege (EoP) Threat Modeling Cards
Elevation of Privilege (EoP) Threat Modeling Cards
Elevation of Privilege (EoP) Threat Modeling Cards
Elevation of Privilege (EoP) Threat Modeling Cards

Elevation of Privilege (EoP) Threat Modeling Cards

View details


The Elevation of Privilege (EoP) card game is designed to introduce developers who are not information security practitioners or experts to the craft of threat modeling.

According to the 2020 DevSecOps report by Gitlab:

"68% of security professionals feel that less than half of developers can spot security vulnerabilities, but most people feel it's a programmer's job to write secure code.
At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, "It's a mess, no standardization, most of my work has never had a security scan."

The Elevation of Privilege Card game is an excellent way to bring security into the development process earlier enabling developers to find and fix vulnerabilities in the systems.

Until now, considering a system from an attackers’ perspective was hard to wrap your head around. The game helps you identify threats to software or computer systems within a six category framework called STRIDE and is intended to be picked up and used by any development group.

Because the game uses STRIDE threats, it gives you a framework for thinking, and specific actionable examples of those threats.

 STRIDE stands for:

SSpoofingImpersonating something or someone else.
TTamperingModifying data or code.
RRepudiationClaiming not to have performed an action.
IInformation DisclosureExposing information to someone not authorized to see it.
DDenial of ServiceDenying or degrading service to users.
EElevation of PrivilegeGain capabilities without proper authorization.

Who Invented the game 

The EoP card game was invented by Adam Shostack during his tenure at Microsoft. The game was released in 2010. It is a gorgeously produced design at the centre of a gamification of a security checklist, modelled after the game called Spades.

Adam wrote a white paper which explains the objectives and design of the game and his motivations for creating it.

Where did the name come from? 

An elevation of privilege occurs when a user or application gains rights (i.e., privileges) that should not be available to him or her. For example, a system’s user that should have “read-only” permission somehow elevates their system privileges to include “read and write” permissions.

How to play?

The game consists of 84 cards, including 2 instruction cards, 1 play and strategy flowchart card, 74 playing cards, 6 reference cards, and an ‘about’ card. The cards are in six suits based on the STRIDE mnemonic.

The 74 playing cards contain cyber security anti-patterns which supports players as they attempt to find validated security flaws in a system.

We have organised a free online event at the Leeds Digital Festival on 1st October 2020 where Mark Vinkovits (the creator of the Privacy suit in the extended version of the game) will be explaining how this game can be played in person and remotely on a video call. Register your place and learn more about the game

Event details

Instructions on how to play EoP 

  • Draw a diagram of the system you want to threat model before you deal the cards. 
  • Deal the deck to 3-6 players 
  • Play starts with 3 of tampering 
  • To play a card, each player reads their card, announced the threat and records it.  
  • Each round is won by the highest card played in the suit that was led, unless an Elevation of Privilege (EOP) card is played.  
  • In that case, the high value EOP card wins.  

More details on how to play the game are captured in the session given by Adam Shostack at the AppSec Cali conference.

If you would also like to explain threat modeling itself before playing the game, please consider this experience report from the Leeds Digital Festival. 

Where to get the cards 

You can buy the card deck on Agile Stationery

Buy the deck

You can also download a pdf copy of the cards

Download a pdf copy