Abstract. This tutorial provides an overview of the best industrial practices in IT security analysis, followed by a sketch of recent research results in this area, especially results providing formal foundations and more powerful tools for security analysis. The conclusion suggests directions for further work to fill the gaps between formal methods and industrial practices.