Shift-left doesn't start with scanning the code for security vulnerabilities; it begins with designing for security.
Too often, the shift-left mantra amounts to implementing (AI-powered) code scanning and applying AI-powered security fixes for remediation. Also, don't forget to implement the AI-powered benchmark for the AI-powered security fixes. Now, to be clear, I am not actually telling you to stop using these tools — if they work for you — but before reaching for them, we should ask ourselves:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
OWASP Cornucopia v3.0
To support that second question in particular, we have released the next version, OWASP Cornucopia v3.0.
If you would like to buy a professional physical copy of v3.0, you can do so at CyberSec Games. We would suggest buying the 25th anniversary edition as it also comes with both the Website App Edition 3.0 and the new OWASP Cornucopia Companion Edition, specifically made to be used together as an expansion. You can also download the design files from the release and take them to your local printer or print them yourself.
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional, and formal development processes. It is language, platform, and technology-agnostic.
The formerly titled “Cornucopia — Ecommerce Website Edition” was renamed in v2.0 to “Cornucopia — Website App Edition”. This edition was originally created in August 2012, released as v1.0 in February 2013, and has undergone several minor updates/releases over the following ten to fifteen years. This has been substantially updated in v2.0, in which the most noticeable change was an update of the OWASP ASVS mapping from ASVS v3.0 to v4.0, together with the creation of translations into six languages (EN, ES, FR, NL, NO-NB, and PT-BR) due to the efforts of past and current volunteers.
The new version, available in 11 languages (EN, ES, FR, HI, NL, NO-NB, PT-PT, PT-BR, RU, UK, IT), includes all new cards and text that cover all OWASP ASVS 5.0 requirements and links them to more than 200 unique common attack patterns (CAPEC™). Each of the common attack patterns will have a unique set of ASVS 5.0 requirements, which means that you never need to stop playing the game! You will always be able to return to the same card to discover new threats and security requirements to consider when building your software; that's the Cornucopia way.
We have also created an API where you can programmatically retrieve all requirements connected to each card, together with a complete mapping between CAPECs and ASVS 5.0 requirements, so that you can automate your threat modeling and requirement analysis processes. If you want to know more about the latest additions to the Website App Edition v3.0, read our blog post "The Cornucopia of Gamified Threat Modeling".
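As an added example (not the project's API or code), the kind of automation such a mapping enables: it assumes a card -> CAPEC -> ASVS 5.0 mapping shaped like the constructed sample below, with placeholder requirement ids and hypothetical card ids standing in for a real API response.

```python
"""Elicit and de-duplicate ASVS requirements as Cornucopia cards are played.
All ids below are constructed sample data, not the project's own mapping."""

# Constructed: card id -> CAPEC ids the card references (hypothetical card ids).
CARD_TO_CAPEC = {
    "Card-A": ["CAPEC-66", "CAPEC-88"],
    "Card-B": ["CAPEC-63"],
    "Card-C": ["CAPEC-66", "CAPEC-62"],
}

# Constructed: CAPEC id -> ASVS requirement ids (placeholders, not real ASVS 5.0 numbers).
# CAPEC-62 is deliberately left out to exercise the unmapped-pattern path.
CAPEC_TO_ASVS = {
    "CAPEC-66": ["REQ-1", "REQ-2"],
    "CAPEC-88": ["REQ-2", "REQ-3"],
    "CAPEC-63": ["REQ-4"],
}


def requirements_for_card(card, card_to_capec=CARD_TO_CAPEC, capec_to_asvs=CAPEC_TO_ASVS):
    """Return (set of requirement ids, list of CAPECs with no mapping) for one card.
    Unmapped attack patterns are reported rather than silently dropped."""
    reqs, unmapped = set(), []
    for capec in card_to_capec.get(card, []):
        mapped = capec_to_asvs.get(capec)
        if mapped is None:
            unmapped.append(capec)
        else:
            reqs.update(mapped)
    return reqs, unmapped


def play_session(cards, card_to_capec=CARD_TO_CAPEC, capec_to_asvs=CAPEC_TO_ASVS):
    """Walk cards in play order; each entry lists only requirements not already
    covered by an earlier card, so the output maps directly onto new backlog items."""
    covered, report = set(), []
    for card in cards:
        reqs, unmapped = requirements_for_card(card, card_to_capec, capec_to_asvs)
        new = sorted(reqs - covered)
        covered |= reqs
        report.append({"card": card, "new": new, "unmapped": unmapped})
    return report, sorted(covered)


def traceability(requirement, card_to_capec=CARD_TO_CAPEC, capec_to_asvs=CAPEC_TO_ASVS):
    """Answer 'why is this requirement in the backlog?' with the (card, CAPEC) pairs behind it."""
    return sorted((card, capec) for card, capecs in card_to_capec.items()
                  for capec in capecs if requirement in capec_to_asvs.get(capec, []))


if __name__ == "__main__":
    report, covered = play_session(["Card-A", "Card-C", "Card-B"])
    for entry in report:
        print(entry)
    print("covered:", covered, "REQ-2 traced to:", traceability("REQ-2"))
```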
OWASP Cornucopia Companion Edition v1.0
Today, we are publishing a brand new OWASP Cornucopia Edition to complement the existing two editions. The OWASP Cornucopia Companion Edition v1.0 comes with 6 companion suits covering new topics: Agentic AI (AAI), Automated Threats (BOT), Cloud (CLD), Frontend (FRE), Large Language Models (LLM), and DevOps (DVO). A suit in the companion deck may replace (or be used in addition to) suits in the existing Website Edition so that the players can add a specific focus to their threat modeling: For example, say you are building an LLM application and want to perform threat modeling and security requirement analysis specifically for LLM. You would then use the OWASP Cornucopia Website Edition and the LLM companion suit as your elected OWASP Cornucopia focus area. The new version is immediately available online at copi.owasp.org and for sale at CyberSec Games. You can also download the design files from the latest release.
To commemorate the OWASP Foundation's 25th anniversary, we have also designed the case, leaflet, and cards specifically to celebrate the anniversary and OWASP's achievements within the field of application security and software engineering. We will also be attending the OWASP Global AppSec 2026 in Vienna, where we will be demoing the game for anyone who wants to come and play with us.
We feel this is only the start; each year, OWASP Cornucopia resellers distribute 1,000 games to teams worldwide. At copi.owasp.org, more than 500 users conduct threat modeling for mobile applications, agentic AI, automated threats, cloud, identity management, large language models, and SDL processes every month. Going forward, we at OWASP Cornucopia will work towards promoting threat modeling and games to change the security culture at software companies worldwide.
Why a companion edition?
The time when development teams could focus only on web development is long gone. Modern software development and sprint planning often include integrations with large language models, AI agents, and DevOps pipelines, delivered through full-stack development. In such an environment, security requirements shift from sprint to sprint. The only viable option is therefore an agile and collaborative approach to threat modeling that can include a large number of people with various backgrounds, experiences, and knowledge.
The OWASP Cornucopia Companion Edition was created to accommodate this. A big, beautiful Excel document can never replace a collaborative approach to threat modeling that includes the opinions of everyone on the development team. To avoid having the threat modeling and security design processes become an exercise in superficial ISO compliance, you need to empower your development teams to work together to come up with a secure design. Such a process requires ingenuity, to think out of the box, and to make unpopular decisions that may affect the delivery schedule of a development project. Neither an Excel document nor an ISO 27001 policy will ever get a development team to do that.
Failing to regularly assess your security isn't only costly; it can leave you vulnerable to threats. Several companies have implemented OWASP Cornucopia as part of their SDLC and use it for security requirements analysis, threat modeling, and secure design for every sprint and every user story. You should do the same! Don't let your business spiral out of control; consciously assess how you are doing by continuously threat-modeling your applications and infrastructure. To get started scaling your threat modeling efforts, OWASP Cornucopia and its companion edition are the perfect tools.
We want to thank all project leaders and contributors to the OWASP projects who have provided valuable input and guidance on the OWASP Top 10, OWASP AISVS, OWASP MAS, OWASP Cumulus, OWASP Threat Dragon and the OWASP GenAI Security project. It's thanks to these projects, and many more, that we can deliver to you the OWASP gamified approach to threat modeling and requirement analysis.
We also want to thank the people and contributors to Mitre's Common Attack Pattern Enumeration and Classification (CAPEC™) and Atlas, together with CSA Cloud Controls Matrix, which are all used in the cross-references provided.
Walk that walk, talk that talk
With this latest version of OWASP Cornucopia, we are making it more than a game; it has become a fully fledged threat modeling tool. It doesn't just feed into your threat modeling process; it drives it, and it doesn't just work; it scales! A long-time project contributor, previously working at Banco de Crédito BCP, trained hundreds of people there in using OWASP Cornucopia for threat modeling.
Several companies, such as Admincontrol AS, a Euronext subsidiary, are using it as part of their custom development methodology and have made it the primary mechanism for structured threat elicitation.
"Continuous Gamified Threat Modeling", done the OWASP way, has been tested and proven to work and is generally welcomed by ISO auditors. Not only is it welcomed, but auditors also love to hear about how it can be used to create engagement and change the culture of the companies that make use of it. This is the experience of Admincontrol, which has been audited 4 times against all 97 controls from ISO 27001/27002 as part of its information security management system. "Continuous Gamified Threat Modeling" is about assisting software development teams in identifying security requirements in Agile, conventional, and formal development processes through continuous gamification and threat modeling for every feature and every release. Don't apologize for designing before coding; it's called thinking!
And the developers? They love it! At the company I work for (Admincontrol), an anonymous survey is always sent out after each session to gather team feedback.
The aggregate score for how satisfied respondents have been with all sessions held since they started to use OWASP Cornucopia in 2023 is 4.5 out of 5 (5 being the maximum). When asked how relevant the session was to the participant's job, the average score was 4.7 out of 5.
The point here is not just to do your initial security risk assessment and be done with it, but to continuously look for new threats as you improve your software, in line with the Threat Modeling Manifesto.
"Continuous Threat Modeling", a term described in "Threat Modeling: A Practical Guide for Development Teams", is essential to keep your applications and infrastructure secure as you expand your system with new features and machines and increase the attack surface. Gamification can help you get started doing just that. So why would you want to continuously threat model your infrastructure and applications? Isn't it enough to just do a thorough check-up now and then? Admincontrol thought so as well!
Admincontrol uses threat modeling to design its applications. They run a large session once a year and several smaller sessions for each sprint. They define Jira issues to mitigate the identified threats and assign them directly to the development team's backlog. Once a month, they hold a security backlog grooming session with the product owners, where they discuss directly how these issues can be resolved.
The first graph shows the resolution time for Jira issues created during the annual threat modeling session. The second graph shows the resolution of Jira issues for the threat modeling they do each sprint.
As shown in the first graph, the resolution time is increasing. This is because they had Jira issues that were defined but never resolved. Some of the issues had taken nearly 3 years to resolve.
The second graph also shows an increase in resolution time. This is because Admincontrol had a component that never got finalized: it stayed on the drawing board, but the threat modeling had already been done, so the resolution time spiked. There are no data prior to 2023, as they didn't keep this form of statistics before then. On average, the resolution time for the short threat modeling sessions was about 3 months. This usually coincided with the frequency of their minor releases, which included new features.
If you do long, large sessions, you run the risk of doing threat modeling irregularly, meaning you will have issues you will never be able to solve, and issues meant to improve security will stay in the development team's backlog forever, never to see the light of day. If you think technical debt is scary, wait until you see your security debt.
Credits
We want to thank everyone who has made this possible. Especially, we want to thank
Adrian Sroka, for bringing us the Agentic AI, Cloud, and Frontend suits for the new game and creating online pages and mapping his threats to OWASP AISVS, AITG, Top 10 Agentic Apps, and Top 10 for LLM, Mitre Atlas, and STRIDE.
Mateusz Hubala, for bringing us the DevOps suit for the game and creating online pages and mapping his threats to OWASP SAMM and DSOMM, CAPEC, and STRIDE.
Moritz Krause & Torben Neumann, for bringing us the LLM suit for the game and mapping their threats to OWASP AISVS, AITG, Top 10 for LLM, Mitre Atlas, CWE, and STRIDE.
Colin Watson, for bringing us the Automated Threats suit and mapping his threats to OWASP Automated Threats to Web Applications.
We also want to especially thank Ayman Algamal, Adarsh Kumar, Abhijit Sahoo, and Mradul Tiwari for helping develop the game, now available at copi.owasp.org, and for creating the help pages at cornucopia.owasp.org.
And we want to thank all project leaders and contributors to the OWASP projects that have provided valuable input and guidance on the OWASP Top 10, OWASP AISVS, and the OWASP GenAI Security project. We also want to thank the people and contributors to Mitre's Common Attack Pattern Enumeration and Classification (CAPEC™) and Mitre Atlas™, and the Cloud Security Alliance for the use of the Cloud Controls Matrix, which are all used in the cross-references provided.
In addition, we want to thank Anand Kushwaha and Mahaboobunnisa Md for helping with the release of v3.0.0, and CyberSec Games for all the help and support with the printing and distribution of the 25th anniversary edition.
Final words
OWASP Cornucopia welcomes any input or improvements you might be willing to share with us. For anyone wanting to share their opinion, please don't hesitate to visit our repository, share your feedback, and, if appropriate, give us a star⭐️.
OWASP is a non-profit foundation that envisions a world with no more insecure software. Our mission is to be the global open community that powers secure software through education, tools, and collaboration. We maintain hundreds of open source projects, run industry-leading educational and training conferences, and meet through over 340 chapters worldwide.
Top comments (1)
Love seeing this out in the open. I was looking into the Cornucopia PRs around the time you were working on this, so it’s great to read the context and motivation behind the new companion suits in one place.