Threat Model Self-Assessment Tool
Most security advice fails because it assumes the same threat model for everyone. In reality, “What should I do?” depends on who you’re protecting against, what you’re protecting, and how much friction you can sustain.
Reality anchor: a single tool (including a VPN) is never “complete protection.” The right approach is layered, proportional, and sustainable.
What this tool checks
- Who: likely adversaries (casual tracking, scammers, workplace networks, targeted harassment).
- What: what you’re protecting (accounts, identity, location, communications, files).
- Where: exposure contexts (public Wi-Fi, travel, shared devices, work-managed systems).
- How: what you’ll actually maintain (low vs high friction).
- Next steps: a simple “layer stack” and what to read next on SAH.
What it does not do
- It does not provide legal advice or guarantee safety.
- It does not diagnose compromise or detect malware.
- It does not replace professional support for high-risk situations.
Run the self-assessment
Choose the closest match. This tool outputs a risk tier and a practical stack. Nothing is stored.
Reality check: if you selected “high risk,” treat this as a starting point. High-risk situations often require operational security beyond consumer tools.
How to read your results
If you land in Tier 1 (Everyday)
Focus on the highest ROI: account security and safe browsing habits. A VPN can help, but it shouldn’t be your first or only layer.
If you land in Tier 2 (Privacy-aware)
You’ll benefit from consistent privacy hygiene: better browser settings, tracker reduction, and a VPN for travel/public networks. Sustainability matters more than advanced tricks you won’t maintain.
If you land in Tier 3 (Higher-risk / targeted)
Treat consumer tools as partial coverage. You may need identity separation, hardened devices, safer comms, and careful operational routines. A VPN can help — but it won’t solve targeted threats alone.
Common false alarms
- “I need the most extreme setup.” Over-hardening often fails because it’s unsustainable.
- “A VPN will fix tracking.” Most tracking is account/cookie/fingerprint based.
- “If I’m Tier 1, I’m ‘safe.’” Tier 1 means “don’t overcomplicate,” not “nothing can happen.”
What this means for your setup
- Start with: password manager + 2FA + software updates.
- Add a VPN when: you travel, use public Wi-Fi, or want less ISP visibility.
- Reduce tracking by: controlling cookies, using privacy-respecting browsers, and separating identities where needed.
- For high-risk: prioritize operational security and safer communications — not just “best VPN.”
Recommended next steps
- Choosing a VPN? Best VPNs (2026)
- Need a simple decision path? How to choose the right VPN
- Want to verify your setup? VPN Leak Test
- Reality check: What VPNs can’t protect you from
Limitations of this tool
- This is a simplified model; real risk changes with context, location, and adversary capability.
- It can’t detect compromise, spyware, or active attacks.
- It can’t account for all legal/physical safety factors.
FAQ
- Is a VPN the first thing I should buy? Usually no. Account security (password manager + 2FA) is often higher ROI.
- If I’m “Tier 1,” should I ignore privacy? No. It means keep it simple: sustainable basics beat complicated setups.
- Does Tier 3 mean I’m in danger? Not necessarily. It means your situation may warrant stronger layers and more careful routines.
- Can this tool tell me if I’m being watched? No. It only helps you choose proportional defenses.
- What if my situation changes? Re-run this tool after major changes (new job, travel, harassment, public exposure).
Trust & disclosure
This tool is educational. It does not store your answers. It uses conservative guidance and avoids absolutes. Learn more: Methodology • Affiliate disclosure.