Interactive threat modeling lab. Six scenarios cover STRIDE classification of token-enumeration as spoofing, identifying the API-to-database trust boundary as the highest-stakes, GDPR PII classification of hashed device fingerprints, attack tree analysis prioritising CI/CD compromise over RCE, severity prioritisation by impact-times-likelihood, and mitigation ranking by blast-radius reduction.