Standard statistical techniques are inadequate for estimating the likelihood of future cyber attacks. Yet risk assessments and security planning urgently need this. This talk will outline the techniques that have allowed the US-CCU to anticipate Stuxnet and nearly every major new attack development over the last eight years. The secret is to identify attack pre-conditions and capability thresholds.