
Online Operations Security (OpSec)

Threat models and tools for staying safe, private and informed while Online, used by the average person.


OpSec or Operations Security, originally introduced by the United States Military during the Vietnam War, can be defined (when referring to Wikipedia) as a, "...process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information." OpSec is also a paradigm, and applicable to any activity within the physical and digital worlds; both increasingly intertwined and bound to the other.

The core motivation of OpSec is to protect what you value; often information or state, but sometimes tangible (or other intangible) goods too. OpSec is therefore any proactive effort made to limit an attacker's ability to remove said value from you, for whatever their and/or your purposes. And Online OpSec is protecting what one values in relationship to coexisting with and using the Internet, all of which we explore in detail throughout the sections below.

Online OpSec, in the context of everyday Internet users, is quite a serious and pressing topic, one best treated responsibly and with care. Thankfully, in a way similar to how large companies carefully deploy DevOps, individuals can apply Online OpSec tools and techniques to reduce their own risks; perhaps even more effectively and immediately, which is important to observe. Ideally Online OpSec becomes integrated into one's lifestyle choices, even your conscious thinking and (more subliminal) dreaming, during the day and night.

Thus the purpose of this document is to organize useful context (in the form of information about threat modeling) and powerful tools (most of which are free and open source software, or FOSS) for staying safe, private and informed while Online. If a resource mentioned inside this document does require one to spend money for access, said tool is assuredly both low-cost and high-return. Above all, please continue doing your own research to validate anything and everything herein.


Before diving into the world(s) of Online OpSec, it's important to understand what is at risk; more accurately, it's important to understand what we value. We value specific states that encourage human wellness; those being safety, privacy and access to information. Or being safe, private and informed. Each interconnected and reliant on the others for overall, personal success.

The substance of this document can help the individual maintain these conditions Online in conjunction with other states or pursuits or variables. To help explain, below is an overview of what safe, private and informed mean in the setting of this resource.


To be safe (when referencing Wikipedia) means to be, "...protected from harm or other non-desirable outcomes. Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk." We can therefore see that to be safe means to employ a degree of agency over one's immediate environment. So, however relative and subjective, to be safe is (universally) to be gated, aware and responsive; which is best accomplished and sustained through cooperation with an interconnected community of like-minded people and other resources.


To have privacy or to be private (according to the IAPP) means to be, "...let alone, or [to have] freedom from interference or intrusion." Something is considered to be private when it relates to or impacts only a select few parties.

Online OPSEC is relevant to the average person (as written by Stuart Peck) in terms of privacy as, 'There’s a saying that goes, “If you have nothing to hide, you have nothing to fear.” The reality is that everyone has something they want to hide from the general public.' In other words, it is reliable to assume that most people value privacy to some extent, and therefore must maintain it.


To be informed (as mentioned on means to be especially, "...knowledgeable in a particular subject[.]" This is also the state of access to information one has that you are seeking, even more so if it's required for your objective(s) to be met.

To be informed is to be aware of properties and their value(s); ideally within a single dashboard. The essence of remaining informed is the ability to quickly and flexibly scale one's awareness over whatever is of interest. This is accomplished on the Internet with powerful Social Media Monitoring tools and simple techniques that enhance their usefulness.


There are many different potential threats (to what is valued) or adversaries faced by the average person, in terms of their/the Online reality. And these risks are also important to understand before diving into threat modeling and the relevant technologies, the tools.

An adversary (according to is defined as, "having or involving antagonistic parties or opposing interests[.]" Along those lines, below we review three types of adversaries; which are social, technological and economic.


Social dangers can include being tricked into unknowingly divulging personally identifiable information. Or losing friendships due to gossip.


Technological dangers can include your computer being remotely accessed without your consent. Or one's smart home video surveillance system being illegally monitored.


Economic dangers can include theft of digital currencies or loss of a job.


The need to be secure (which is at the root or a product of privacy, safety and remaining informed) when using the Internet (in other words, when creating a digital footprint) is relevant to everyone; regardless of who, what, why, how, where and/or when one is. This is a consequence of and opportunity for/from an open Internet. Savvy users must thus be proactive to ensure effective participation, as threats abound.

Moving forward, threat models are covered first, followed by specific tools; extensions in the pursuit of reaching for that meta (yet granular) agency, an ideal asset indeed.

Threat Models

A threat model is a structured and systematic means by which individuals can identify potential vulnerabilities, understand the implications of each and respond accordingly in order to mitigate any potential damage. The intention behind threat modeling, as mentioned on Wikipedia, is to offer an, "...analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker." In other words, designing a threat model is the conducting of an organized review of one's current situation and possible or foreseeable future dangers therein.

The objective for deploying a threat model is to determine what can go wrong inside a given set of variables; providing the modeler tactical advantages that might have otherwise been missed from lack of perspective and preparation. The use of threat models is akin to doing one's homework on probable realities. It is best done (according to Martin Fowler) a little bit at a time, but frequently.

There is an underlying or common pattern among many threat models, generally consisting of five interrelated steps/phases. The first step is to identify the information/asset(s) that are critical to your operation. The second step or phase is to conduct an analysis of the possible threats to what you're protecting (what you value). The third step is to conduct a review of how you might be vulnerable to the attacks identified in the previous step. The fourth step is to map out how likely your risk is given the information generated so far. And the fifth phase/step includes deploying any appropriate countermeasures.

Below you will find a growing number of specific threat modeling techniques that can be applied to anyone's security situation Online.


LINDDUN

LINDDUN is an acronym for seven different threat categories: linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness and non-compliance. It is carried out over six steps:

  1. Model your Data Flow Diagram (DFD)
  2. Map privacy threats to DFD elements
  3. Identify threat scenarios
  4. Prioritize threats
  5. Select suitable mitigation strategies
  6. Select corresponding Privacy Enhancing Technologies (PETs)

Six Steps

The six steps of the LINDDUN method are explored below.

Model Your DFD

Understand how your system is organized, using Data Flow Diagrams.

Map Privacy Threats

While relying on DFDs, investigate each element for possible threats.

Identify Threats

Once a threat is identified, make a note of it.

Prioritize Threats

Determine which threats are most pressing.

Select Mitigation Strategies

Resolve and overcome each threat by choosing the correct solution(s).

Apply PETs

Include the use of privacy enhancing technologies (PETs) in your total approach.

Seven Threat Categories

Let's now explore the seven different threat categories addressed by the LINDDUN model, with help from the LINDDUN organization; as quoted below.


Linkability

When an attacker can, " two items of interest without knowing the identity of the data subject(s) involved."


Identifiability

When an attacker can, "...identify a data subject... ...through an item of interest."


Non-repudiation

When a, " subject is unable to deny a claim[.]"


Detectability

When an attacker can, "...distinguish whether an item of interest about a data subject exists or not[.]"

Disclosure Of Information

When an attacker can, "...learn the content of an item of interest about a data subject."


Unawareness

When a, " subject is unaware of the collection, processing, storage, or sharing activities... ...of the data subject’s personal data."


Non-compliance

This is the, "...processing, storage, or handling of personal data is not compliant with [standards.]"


The LINDDUN threat model is simple and robust. It's also one of my favorite techniques for analyzing personal Online vulnerabilities; primarily because it produces strong and distinct results.
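The first four LINDDUN steps, and the gap check that feeds the fifth, can be run as a small script over a personal setup. This is an added example, not code from the original project: the element-to-category mapping is a simplified assumption, and the webmail DFD, the 1 to 5 scores and the mitigations are constructed sample data.

```python
from dataclasses import dataclass

# LINDDUN category codes, in the order the acronym spells them.
CATEGORIES = {
    "L": "Linkability", "I": "Identifiability", "Nr": "Non-repudiation",
    "D": "Detectability", "Di": "Disclosure of information",
    "U": "Unawareness", "Nc": "Non-compliance",
}

# Assumption (simplified for this example): which categories are worth
# investigating for each kind of DFD element.
SYSTEM_SIDE = ["L", "I", "Nr", "D", "Di", "Nc"]
APPLICABLE = {
    "entity": ["L", "I", "U"],
    "process": SYSTEM_SIDE,
    "store": SYSTEM_SIDE,
    "flow": SYSTEM_SIDE,
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # "entity", "process", "store" or "flow"


@dataclass(frozen=True)
class Threat:
    element: Element
    category: str
    likelihood: int = 0   # 1 (rare) .. 5 (expected)
    impact: int = 0       # 1 (nuisance) .. 5 (severe)
    mitigation: str = ""  # empty means nothing is in place yet

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def map_threats(dfd):
    """Step 2: every (element, category) pair that should be investigated."""
    return [Threat(e, c) for e in dfd for c in APPLICABLE[e.kind]]


def identify(dfd, assessments):
    """Step 3: keep the candidates the modeler judged to be real scenarios."""
    candidates = {(t.element.name, t.category): t for t in map_threats(dfd)}
    found = []
    for key, (likelihood, impact, mitigation) in assessments.items():
        if key not in candidates:
            raise ValueError(f"{key} is not an applicable element/category pair")
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"{key}: likelihood and impact must be 1..5")
        base = candidates[key]
        found.append(Threat(base.element, base.category, likelihood, impact, mitigation))
    return found


def prioritize(threats):
    """Step 4: highest risk first; ties broken by name so output is stable."""
    return sorted(threats, key=lambda t: (-t.risk, t.element.name, t.category))


def unmitigated(threats, threshold):
    """Input to step 5: pressing threats that have no mitigation recorded."""
    return [t for t in prioritize(threats)
            if t.risk >= threshold and not t.mitigation.strip()]


# Step 1: a constructed DFD for reading webmail in a browser.
DFD = [
    Element("me", "entity"),
    Element("browser", "process"),
    Element("browser->provider", "flow"),
    Element("provider mailbox", "store"),
]

# Constructed assessments: (element, category) -> (likelihood, impact, mitigation)
ASSESSMENTS = {
    ("me", "U"): (4, 3, ""),
    ("browser", "I"): (4, 4, "content blocker and container tabs"),
    ("browser->provider", "Di"): (2, 5, "HTTPS enforced"),
    ("provider mailbox", "Di"): (3, 5, ""),
    ("provider mailbox", "L"): (3, 2, "per-service email aliases"),
}

if __name__ == "__main__":
    ranked = prioritize(identify(DFD, ASSESSMENTS))
    for t in ranked:
        print(f"{t.risk:>2}  {t.element.name:<18} {CATEGORIES[t.category]:<26} "
              f"{t.mitigation or 'NO MITIGATION'}")
    print("Still open:", [(t.element.name, t.category) for t in unmitigated(ranked, 10)])
```

Rows marked as having no mitigation at or above the chosen threshold are the ones to carry into the mitigation and PET selection steps.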


PASTA

PASTA stands for Process For Attack Simulation And Threat Analysis.

There are seven stages involved in the PASTA model:

  1. Define Objectives
  2. Define Technical Scope
  3. Application Decomposition
  4. Threat Analysis
  5. Vulnerability And Weaknesses Analysis
  6. Attack Modeling
  7. Risk And Impact Analysis

Seven Phases

The seven phases of PASTA explained.

Define Objectives

Identifying your goals.

Define Technical Scope

Define where you're interfacing with the Internet, where you're exposed.

Application Decomposition

Break each element of your situation down into its basic parts.

Threat Analysis

List out your potential threats.

Vulnerability And Weaknesses Analysis

Connect where you're exposed to assets (what you value) and possible attackers.

Attack Modeling

Create hypothetical situations for how attackers might attempt to remove value from you.

Risk And Impact Analysis

Generate an overall understanding of what the consequences and likelihood(s) are for certain attacks.


The PASTA model (as mentioned by Tony UV) is a, "...flexible, phased approach for [the] adoption of... ...threat modeling[.]"


STRIDE

STRIDE (originally introduced by Microsoft) is an acronym representing six different types of threats, each tied to a desired/alternative state or property:

  • Spoofing / Authenticity
  • Tampering / Integrity
  • Repudiation / Non-Repudiability
  • Information Disclosure / Confidentiality
  • Denial Of Service / Availability
  • Elevation Of Privilege / Authorization

According to Wikipedia, STRIDE is typically applied when attempting to, "...find threats to a system. It is used in conjunction with a model of the target system that can be constructed in parallel. This includes a full breakdown of processes, data stores, data flows and trust boundaries." The STRIDE model is popular because it is effective, but that relevancy (as mentioned by Kevin Poniatowski) has been waning.

Specific Threats

What follows are the six different threats (as outlined above) that the STRIDE model examines in detail.


Spoofing

Spoofing (as explained by Forcepoint) is the misrepresentation of one's identity when communicating, whether that be of a person or computer.


Tampering

Tampering (according to refers to, "...interfere so as to weaken or change for the worse..."


Repudiation

Leaving no trail or details of illegal or unauthorized activity.

Information Disclosure

Gaining access to private and/or secure information without proper authority.

Denial Of Service

Preventing intended users from having access to a resource.

Elevation Of Privilege

Unauthorized expansion of abilities as a user.


The STRIDE threat model is especially useful for understanding one's personal Online Operations Security situation.

Now that we have overviewed a number of threat models, let's take a look at the best tools and technologies accessible to the average person for remaining safe, private and informed while Online.


The tools organized below are useful for remaining secure while Online. Special attention has been given to the overall usefulness of each utility for the average person. In other words, most of the resources listed below are picked for their simplicity and overwhelming effectiveness. There are more powerful tools available, but those are considered to be expert level technologies, therefore unnecessary or outside the scope of this document.

Android Device Apps

Applications for the Android mobile Operating System.

  • Bouncer - " you the ability to grant permissions temporarily. Want to tag a location or take a photo, but don't want that app to be able to use the camera or get your location whenever it wants? Bouncer gives you exactly that."
  • K-9 Mail - " an open source email client focused on making it easy to chew through large volumes of email."


Reputable and effective antivirus software for Windows computers. Antivirus software can be understood (by referring to TechTerms) as a, "...type of utility used for scanning and removing viruses from your computer."

  • Bitdefender - " a global cybersecurity leader protecting over 500 million systems in more than 150 countries." (Recommended)
  • Malwarebytes - "...not only stops hackers and malware, but it cleans up an infected machine better than traditional antivirus."


Literature for understanding the larger thought-space of personal security; both Online and off.

  • The Art of Invisibility - written by Kevin Mitnick, published on September 10th of 2019
  • ComSec - written by Justin Carroll, published on July 13th of 2018
  • Extreme Privacy - written by Michael Bazzell, published on May 27th of 2020 (Recommended)
  • Going Gray - written by Matthew Dermody, published on January 22nd of 2020
  • How To Be Your Own Bodyguard - written by Nick Hughes, published on October 1st of 2011
  • Open Source Intelligence Techniques - written by Michael Bazzell, published on October 25th of 2019
  • Operator Handbook - written by Joshua Picolet, published on March 18th of 2020
  • Situational Sense - written by Matthew Dermody, published on December 10th of 2019
  • Social Engineering - written by Christopher Hadnagy, published on July 31st of 2018
  • Surveillance Zone - written by Ami Toben, published on May 21st of 2017
  • Survive Like a Spy - written by Jason Hanson, published on September 8th of 2020

Browser Extensions

Critical security and privacy add-ons for the Firefox Browser.

  • Clear Browsing Data - "Delete browsing data directly from the browser toolbar. Clear cookies, history and cache with a single click." (Recommended)
  • ClearURLs - "...automatically remove tracking elements from URLs to help protect your privacy when browsing through the Internet." (Recommended)
  • Cookie AutoDelete - "When a tab closes, any cookies not being used are automatically deleted. Whitelist the ones you trust while deleting the rest." (Recommended)
  • Decentraleyes - "...prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking."
  • Firefox Multi-Account Containers - "...lets you keep parts of your online life separated into color-coded tabs that preserve your privacy."
  • Ghostery - "Block ads, stop trackers and speed up websites."
  • Google Search Link Fix - "...prevents Google and Yandex search pages from modifying search result links when you click them."
  • HTTPS Everywhere - "...a Firefox extension to protect your communications by enabling HTTPS encryption automatically on sites that are known to support it, even when you type URLs or follow links that omit the https: prefix." (Recommended)
  • NoScript Security Suite - "Allow potentially malicious web content to run only from sites you trust. Protect yourself against XSS other web security exploits." (Recommended)
  • Privacy Badger - "Automatically learns to block invisible trackers." (Recommended)
  • uBlock Origin - " efficient wide-spectrum content blocker. Easy on CPU and memory." (Recommended)
  • uMatrix - "...forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook, etc."


The average Web Browser (according to enables users to go, "...anywhere on the internet, letting you see text, images and video from anywhere in the world." The modern Browsers of today's Web are able to do much more than view text, images and videos; including text-to-voice translation, secure Online shopping and the inclusion of extensions/add-ons.

  • Brave - "Secure, fast and private Web browser with Adblocker[.]" - Source
  • Firefox - " a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. Firefox uses the Gecko layout engine to render web pages, which implements current and anticipated web standards." - Source (Recommended)
  • GNU IceCat - "GNUzilla is the GNU version of the Mozilla suite, and GNU IceCat is the GNU version of the Firefox browser. Its main advantage is an ethical one: it is entirely free software."
  • Tor - "Defend yourself against tracking and surveillance. Circumvent censorship."

Browser Testing

These are tools that Internet users can use to verify how secure or insecure a Web experience is, or how much information your digital footprint contains or expresses at a given moment.

  • AmIUnique - "Learn how identifiable you are on the Internet[.]"
  • BrowserLeaks - " all about browsing privacy and web browser fingerprinting. Here you will find a gallery of web technologies security testing tools that will show you what kind of personal identity data can be leaked, and how to protect yourself from this." (Recommended)
  • Cover Your Tracks - "Test your browser to see how well you are protected from tracking and fingerprinting."
  • - "This is the kind of information that all the sites you visit, as well as their advertisers and any embedded widget, can see and collect about you." (Recommended)

Data Erasure

Tools for permanently deleting data on your computer.

  • BleachBit - " can free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there." (Recommended)

Disc Encryption

A disc is one's hard drive, whether that's a standard Hard Disc Drive or a more modern Solid State Drive. And encryption (according to Wikipedia) is the, "...process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decipher a ciphertext back to plaintext and access the original information." Disc encryption is therefore the process of encoding the information stored on that drive.

  • GPG - " a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories."
  • VeraCrypt - " a free open source disk encryption software for Windows, Mac OSX and Linux."

Email Providers

  • AnonAddy - "...simply make up a new alias and enter that instead of your real email address."
  • Guerilla Mail - " you a disposable email address. There is no need to register, simply visit Guerrilla Mail and a random address will be given."
  • Mailfence - "We believe that online privacy is a fundamental human right which can no longer be taken for granted so we decided that it was time to offer a service which is fully dedicated to email privacy."
  • ProtonMail - " easy to use secure email service with built-in end-to-end encryption and state of the art security features. Our goal is to build an internet that respects privacy and is secure against cyberattacks." (Recommended)
  • SimpleLogin - " an open-source email alias solution to protect your email address."
  • Tutanota - "...the world's most secure email service, easy to use and private by design."

Email Clients

  • Roundcube - " a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking."
  • Thunderbird - " a free email application that’s easy to set up and customize - and it’s loaded with great features!"

Encrypted Cloud Storage

  • pCloud - "...we're providing the world with a comprehensive easy-to-use cloud storage solution for individuals and businesses alike."
  • Sync - "...protects your privacy with end-to-end encryption — ensuring that your data in the cloud is safe, secure and 100% private."
  • Tresorit - " the ultra-secure place in the cloud to store, sync, and share files within your organization and with external partners."


A firewall (according to Indiana University) is a, "...system designed to prevent unauthorized access to or from a private network. ... Firewalls prevent unauthorized internet users from accessing private networks connected to the internet, especially intranets." The purpose and usefulness of a firewall doesn't change, whether you're securing a business or a home network.

  • pfSense - " a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality. pfSense software, with the help of the package system, is able to provide the same functionality or more of common commercial firewalls, without any of the artificial limitations." (Recommended)


Messaging

  • Signal - "...a cross-platform encrypted messaging service developed by the Signal Foundation and Signal Messenger LLC. It uses the Internet to send one-to-one and group messages, which can include files, voice notes, images and videos." - Source
  • Silence - "Encrypt your SMS and MMS messages with Silence. Improve your privacy, think freely."

Mobile Device Operating Systems

  • GrapheneOS - " an open source privacy and security focused mobile OS with Android app compatibility."

Operating Systems

An Operating System (sometimes abbreviated simply as "OS", when referencing GCFGlobal) is the, "...most important software that runs on a computer. It manages the computer's memory and processes, as well as all of its software and hardware. It also allows you to communicate with the computer without knowing how to speak the computer's language." All of the Operating Systems explored below are Linux distributions.

  • Arch Linux - "...a Linux distribution for computers with x86-64 processors. Arch Linux adheres to five principles: simplicity, modernity, pragmatism, user centrality, and versatility." - Source
  • Debian - "...a Linux distribution composed of free and open-source software, developed by the community-supported Debian Project, which was established by Ian Murdock on August 16, 1993." - Source
  • Fedora - " innovative, free, and open source platform for hardware, clouds, and containers that enables software developers and community members to build tailored solutions for their users."
  • Qubes OS - "...a free and open-source, security-oriented operating system for single-user desktop computing. Qubes OS leverages Xen-based virtualization to allow for the creation and management of isolated compartments called qubes."
  • Tails - " a portable operating system that protects against surveillance and censorship."
  • Ubuntu - "...a Linux distribution based on Debian and mostly composed of free and open-source software." - Source (Recommended)
  • Whonix - "...can anonymize everything you do online[.]"

Password Storage

Password storage is accomplished with password manager software, which (referencing WeLiveSecurity) is a type of, "application specifically designed to store your login details in an encrypted vault and to generate complex passwords for you[.]"

  • Bitwarden - "...easiest and safest way for individuals and businesses to store, share, and secure sensitive data on any device[.]"
  • KeePassX - " application for people with extremely high demands on secure personal data management. It has a light interface, is cross platform and published under the terms of the GNU General Public License." (Recommended)
  • KeePassXC - "Securely store passwords using industry standard encryption, quickly auto-type them into desktop applications, and use our browser extension to log into websites."
  • Pass - "The standard unix password manager[.]"

Prepaid Wireless Providers

  • Tracfone - " an American prepaid, no-contract mobile phone provider." - Source

Search Engines

A search engine (according to Computer Hope) is, " accessed on the Internet that searches a database of information according to the user's query. The engine provides a list of results that best match what the user is trying to find." These tools are useful for finding lots of relevant information quickly; or, scaling the Internet with ease.

  • CheckUsernames - "Check the use of your brand or username on 160 Social Networks[.]"
  • DuckDuckGo - " international community of extraordinary individuals, coming together on a mission to set a new standard of trust online." (Recommended)
  • Qwant - " the first search engine which protects its users freedoms and ensures that the digital ecosystem remains healthy."
  • Searx - "Privacy-respecting metasearch engine[.]"
  • Startpage - "The world's most private search engine[.]"
  • - "Find anyone online[.]"

Social Media And Trend Monitoring

The use of these tools, as well as the search engines listed above, is the conducting of open-source intelligence (OSINT) gathering. OSINT is (referring now to Wikipedia) a, "...methodology for collecting, analyzing and making decisions about data accessible in publicly available sources to be used in an intelligence context." This can be applicable to a personal context as well, simply by intending for it to.

Below you will find various Social Media and trend monitoring tools, organized by platform/type.


Facebook

  • - "...helps you to find the Facebook ID for your profile or a Group."


General Purpose

  • Hootsuite - "...manage all your social media and get results with Hootsuite."
  • Social Mention - "...a real time search platform[.]"



Reddit

  • Metrics For Reddit - "...a tool for tracking statistics of 2,535,250 subreddits... ...and discovering the fastest growing communities on reddit."
  • Reddit Insights - " analytics suite for using their public API, combined with real-time data analysis and graphic visualizations of historical data."
  • Reddit Investigator - "...a new way to discover many things about redditors. It works just by collecting the data that reddit makes available and elaborates it to obtain some new useful infos."
  • RedditMetis - "...a project inspired by u/orionmelt's site SnoopSnoo. Since May 2019, the site no longer updated user info due to an API error."
  • Subreddit Stats - "...a bunch of different subreddit ranking lists. You can click a subreddit name to see stats (graphs, etc.) for that subreddit."


Twitter

  • Followerwonk - "...for Twitter Analytics, Bio Search and more[.]"
  • OmniSci Tweetmap - "Interactively explore millions of geo-located tweets." (Recommended)
  • SocialBearing - "Find, filter and sort tweets or people by engagement, influence, location, sentiment and more[.]" (Recommended)
  • Trendsmap - "...the latest Twitter trending hashtags and topics from anywhere in the world. Click on a word, zoom into your area of interest, and explore." (Recommended)
  • TweetDeck - "...for real-time tracking, organizing, and engagement. Reach your audiences and discover the best of Twitter."
  • TweeterID - "...allows you to easily look up any username (@handle) on Twitter and find out what their corresponding ID is."
  • Twiangulate - "...analyzing the connections between friends..."



A VPN or Virtual Private Network (according to Wikipedia) allows a user to safely, "...send and receive data across shared or public networks as if their computing devices were directly connected to the private network." All of which is accomplished with strong encryption.

  • AirVPN - "...based on OpenVPN and operated by activists and hacktivists in defence of net neutrality, privacy and against censorship." (Recommended)
  • Mullvad VPN - "Privacy is a universal right[.]"
  • Private Internet Access - " the leading VPN Service provider specializing in secure, encrypted VPN tunnels which create several layers of privacy and security providing you safety on the internet."
  • ProtonVPN - " designed with security as the main focus, drawing upon the lessons we have learned from working with journalists and activists in the field."

Web Services Account Deletion

Resources for helping Internet users permanently delete their accounts with various Web Service(s) providers, such as Google or Netflix.

  • JustDeleteMe - "A directory of direct links to delete your account from web services."


There are a healthy number of reliable techniques and dozens of powerful tools available to the average person for staying safe, private and informed while Online. This document brings the best of them to you; the "tools most fit for the average person".

Over the coming months, the information and resources found herein will continue to grow; ideally becoming a first class resource for those interested in the serious topic of personal Online OpSec. Many thanks to those who have already suggested improvements to this project.
