Shostack & Friends Blog

Modeling Attackers and Their Motives
The Dope Cycle and the Two Minutes Hate
Kyber Crystal and the Death Star
2017 and Tidal Forces
On Immigration and Refugees
Groundrules on Complaining About Security
Calls for an NTSB?
Introducing Cyber Portfolio Management
Learning Lessons from Incidents
More Satellites Than You Can Shake a Stick At
Syria
A New Blog
People are The Weakest Link In Security?
Cyber Balance Sheet
Account Recovery
How Not to Design an Error Message
Cyber Grand Shellphish
“...the Elusive Goal of Security as a Scientific Pursuit”
Cassini
Threat Modeling & IoT
Threat Modeling and Star Wars
A Privacy Threat Model for The People of Seattle
Warrants for Cleaning Malware in Kelihos
Ross Anderson on Edge
Hospital Ransomware
Security Rarely Flows Downhill
Well-deserved accolades
Certificate pinning is great in stone soup
Adam & Chris Wysopal webcast
The Ultimate Stopping Machine?
Maintaining & Updating Software
Bicycling and Risk
Bicycling and Threat Modeling
Threat Modeling: What, Why and How
WTF? Why rebrand?
IoT Security Workshop (Seattle, August)
Links of Interest
DNA Replicates, Filmed at 11.
Goldsworthy's Nature
Voter Records, SSN and Commercial Authentication
Threat Modeling Encrypted Databases
Worthwhile Books: Q2 2017
Secure updates: A threat model
Rolling out a Threat Modeling Program
Umbrella Sharing and Threat Modeling
Threat Modeling Password Managers
Humble Bundle
“Comparing the Usability of Cryptographic APIs”
The Dope Cycle and a Deep Breath
Magical Approaches to Threat Modeling
The Evolution of Ctenophore Brains
Interesting Monday Reads
Learning From npm's Rough Few Months
Amicus brief in “Carpenter” Supreme Court Case
Celebrating Alt-Left Lawlessness
Babylonian Trigonometry
Organizing Threat Modeling Magic
Star Wars, Star Trek and Getting Root on a Star Ship
Breach Vouchers & Equifax 2017 Breach Links
Open for Business
Pie Charts, or this could be hell
Threat Modeling Training (London!)
Threat Modeling and Architecture
“The Readability Of Scientific Texts Is Decreasing Over Time”
Parroting Bad Security Advice
It's Not The Crime, It's The Coverup or the Chaos
Emergent Musical Chaos
Worthwhile Books, Q3
Building an Application Security Team
Threat Modeling ‘App Democracy’
20 Year Software: Engineering and Updates
Emergent Design Issues
Why is 'Reply' Not the Strongest Signal?
Data Flow Diagrams 3.0
The Fights We Have to Fight: Fixing Bugs
Microsoft's PCI Blueprint
Vulnerabilities Equities Process and Threat Modeling
Averting the Drift into Failure
45 Years
The Carpenter Case
Learning from Near Misses
Gavle Goat Gallantly Guarded
Portfolio Thinking: AppSec Radar
Threat Modeling Tooling from 2017
Pen Testing The Empire
Not Bugs, but Features
The Resistance Has Infiltrated This Base!
Fire and building codes
AppSec California TM Panel
Star Trek's Astromycologist
AppSec Cali 2018: Izar Tarandach
Jonathan Marcil’s Threat Modeling Toolkit talk
Doing Science with Near Misses
Keep the Bombe on the Bletchley Park Estate
BlackHat and Human Factors
Threat Modeling Privacy of Seattle Residents
Threat Modeling: Citizens Versus Systems
Citizen Threat Modeling and more data
Speculative Execution Threat Model
Threat Modeling Panel at APPSEC Cali 2018
Threat Model Thursday: Synopsys
Friday Star Wars: Trek and CISSP
Ries on Gatekeepers
Threat Model Thursday: ARM Yourselves!
Blaming the User
Reasonable Software Security Engineering Podcast
John Harrison's Struggle Continues
Threat Model Thursday: ARM's Network Camera TMSA
Gartner on DevSecOps Toolchain
Security Engineering: Computers versus Bridges
Threat Model Thursday: Talking, Dialogue and Review
346,000 Wuhan Citizens’ Secrets
Threat Modeling Thursday: #threatmodelhero
Designing for Good Social Systems
$35M for Covering up A Breach
Threat Model Thursday: Q&A
Best Cyber News Blogs, thanks!
TESS Launch Closeup
Redzone Podcast on threat modeling
Just Culture and Information Security
Joining the Continuum Team
4 Common Missteps in Threat Modeling
Threat Model Thursday: Google on Kubernetes
NTSB on Uber (Preliminary)
The DREAD Pirates
Conway's Law and Software Security
Eagle vs Fox
'EFAIL' Is Why We Can't Have Golden Keys
Threat Model Thursday: Chromium Post-Spectre
Threat Model Thursday: Architectural Review and Threat Modeling
Carpenter!
Continuum Interview
Threat Model Thursdays: Crispin Cowan
Automotive Privacy
Threat Modeling Thursday: 2018
Friday Star Wars
Games and Cards
Keeping the Internet Secure
Hey, this movie looks pretty interesting!
Half the US population will live in 8 states
Threat Modeling Thursday: 2018
Summer Reading List
CSO on AppSec at the Speed of Devops
CyberSecurity Hall of Fame
Aretha Franklin
Threat Modeling in 2018: Attacks, Impacts and Other Updates
Toolbox: After a Conference
Threat Model Thursday: Legible Architecture
Reflective Practice and Threat Modeling (Threat Model Thursday)
Space Elevator Test
CVE Funding and Process
The Architectural Mirror (Threat Model Thursday)
Does PCI Matter?
GAO Report on Equifax
Measuring ROI for DMARC
Privacy Extension to Elevation of Privilege game
Podcast with Ron Woerner
Airline Safety
Change in the Weather
Threat Modeling in 2018: Attacks, Impacts and Other Updates
Books which are worth your time: Q4
Gavelblocken, 2018
Structures, Engineering and Security
House Oversight Committee on Equifax
Resources for Infosec Skillbuilding
Pivots and Payloads
High ROI Security Advisory Boards
Beyond Elf on a Shelf
Scaling Threat Modeling Training
IriusRisk 2.0
LinkedIn Learning: Producing a Video
Threat Modeling as Code
Threat Modeling: Attackers May Adapt, Respond
Incentives and Multifactor Authentication
Fire Doesn't Innovate by Kip Boyle (Book Review)
Nature and Nurture in Threat Modeling
The Queen of the Skies and Innovation
Podcast: DevSecOps
55 5 ⭐ Reviews?
Dolphins and Pufferfish
What Should Training Cover?
Adam @ RSA
Spoofing In Depth
After a Conference
Facebook's Privacy Constitution
A Seat At The Table (AppSecCali)
Happy Pi Day!
India's Intermediary Guidelines
Threat Modeling in 2019
Cybersecurity is not very important
20 Years of STRIDE: Looking Back, Looking Forward
Leave Those Numbers for April 1st
Books Worth Your Time (Q1 2019)
Hayabusa!
‘No Need’ to tell the public (?!?)
Science of Security, Science for Security
The White Box Essays (Book Review)
3 Arguments for Threat Modeling
Episode 9 Spoilers
Testing Building Blocks
Promoting Threat Modeling Work
Polymorphic Warnings On My Mind
When security goes off the rails
DNS Security
Happy Juneteenth!
Passwords Advice
The Unanimous Declaration of the 13 United States
The Unanimous Declaration of the Thirteen United States of America
The Road to Mediocrity
Safety and Security in Automated Driving
NIST on SDLs
Threat Modeling at Layer 8
Books Worth Reading: Q2 2019 (Apollo Edition)
Happy Apollo Day!
Valuing CyberSecurity Research Datasets
Actionable Followups from the Capital One Breach
Blackhat Best Practice
Toolbox: After a Conference
Training At Embedded Systems Security Days
Interesting Reads, August 19
Threat Modeling Building Blocks
Course announcement: Tampering in Depth!
Capture the Flag events and eSports
Interesting reads
OWASP Portland: Talk and Podcast
Quick Threat Model Links October 2019
Interesting Reads: Risk, Automation, lessons and more!
Who Are We Kidding with Attacker-Centered Threat Modeling?
Interesting Finds: Liberalism, machine learning, encryption and learning
Includes No Dirt: Healthcare Threat Modeling (Thursday)
Medical Device Security Standards
Message Sequence Charts
Managed Attribution Threat Modeling
Han Solo, Frozen in Carbonite
The Gavle Goat is up
Books Worth Your Time (Q4)
Goodbye, Feedburner
Empirical Evaluation of Secure Development Processes
Encryption & Privacy Policy and Technology
Star Wars Episode 9 is a week away!
Echo, Threat Modeling and Privacy
Threat Modeling Thursday: Machine Learning
Threat Modeling Thursday: The Human Element
100,00 Moon Shots
Enter the SpudNet
Cryptographic Excitement
Threat Model Thursday: Files
Threat Model Thursday: Games
Repudiation Now Live on Linkedin Learning
Blackhat and Human Factors
Threat Model Thursday: BIML Machine Learning Risk Framework
Threat Modeling Training at Blackhat 2020
Amazon's 'Alexa Built-in' Threat Model
Free Threat Modeling Training
Threat Modeling with Questionnaires
The COVID Pandemic
Medical Device Threat Modeling
Friday Star Wars
Answering 'What Are We Working On' When Remote
Power Dynamics in Threat Modeling
Worthwhile Books (Q1 2020)
Threat Model Thursday: Data Flow Diagrams
Bounce and Range
SDL Article in CACM
Models and Accuracy (Threat Modeling Thursday)
How Are Computers Compromised (2020 Edition)
Code: science and production
SLR as a Webcam
One Bad Apple
Evidence Based Security
'Best Practices for IoT Security'
Contextualisation of Data Flow Diagrams...
Sonatype Report on DevSecOps
Threat Research: More Like This
The Jenga View of Threat Modeling
Happy Juneteenth!
The Cyentia Library Relaunches
Threat Modeling and the SAFE Framework
Threat Model In My Devops
Internet Society Opposition to LAED Act
Amicus Brief on CFAA
Software Engineering Radio
Video Series
Sociotechnical Approach to Cyber Security
Maximizing the Value of Virtual Security Conferences
When to Threat Model
MDIC Annual Public Forum
Information Disclosure In Depth
Better Taught Than Caught!
Worthwhile Books Q2 2020
Elevation of Privilege In The Time of Cholera
Podcast with Sidney Dekker
The Uber CSO indictment
Phil Venables Blogging
Threat Modeling, Insiders and Incentives
Starting Threat Modeling: Focused Retrospectives are Key
Mentions
A PCI Threat Model
Training: Threat Modeling for Security Champions
On Monopolies
Notice the Outrage Machines
On Legitimacy
Maps and Visualization
Friday Star Wars: Lego Holiday Celebration
On Legitimacy (After the Election)
A Threat Modeling Manifesto
Breaking Encryption Myths (EU Commission on Encryption)
Stencils and Sketch Books
It's Not Working!
Mitigating Social Bias in Knowledge Graphs
We Need a Discipline of Cybersecurity Public Health
Fireeye Hack & Culture
Charley Pride (1934-2020)
Elevation of Privilege In The Time of Cholera, Redux
The Asset Trap
Chang'e 5!
Dinosaur Feathers
Just the Great Conjunction of Saturn and Jupiter...shot from the moon
Vaccines
It's 2021: Have you checked your backups?
Digital Guru Books
Podcast on Using Games
Irius Risk & Gary McGraw
Threat Modeling and Social Issues
Better OKRs Through Threat Modeling
My Year Without Flying
Linkedin Learning
Happy (Belated) Pi Day!
Mmmm, Pandemic Puppies
Ever Given & Suez
Microsoft Autoupdate hangs Excel 16.47.21032301
Threat Modeling Classes
Passover Pie
Behind the Scenes: Training Development
Can Training Work Remotely?
The Updates Must Go Through
Threat Model Thursday: Github's Approach
IoT Security & Threat Modeling
This time for sure, Pinky!
'Stop Vaccine Finger Wagging'
Threat Model Thursday: Technology Consumers
Apple Guidance on Intimate Partner Surveillance
Tracking Company Says 96% of iPhone Users Block Tracking
Pacific Northwest Appsec Conference
Colonial Pipeline, Darkside and Models
NSF Wants Data on Your Data Needs
Using Threat Modeling to Improve Compliance (TM Thursday)
Review: Practical Cybersecurity Architecture
Recording Lectures
Van Buren
Thoughts on the Executive Order
Ransomware is Not the Problem
'Not in my threat model'?
Fast threat modeling videos
Juneteenth: A New Federal Holiday
Why Threat Model?
Applied Threat Modeling at BlackHat 2021
Threat Model Thursday: 5G Infrastructure
Sketching to Answer 'What are we working on?'
Collaboration in Threat Modeling
Threat Model Thursday: NIST’s Code Verification Standard
Zen and the art of not quantifying risk
The COVID testbed and AI
25 Years in AppSec: Looking Back
Training - October
Threat Modeling Through the JoHari Window
This is the blog you're looking for
Training discounts!
What can go wrong?
A Vulnerable System
NIST Brings Threat Modeling into the Spotlight
Lessons Learned: Playing Elevation of Privilege
What are we going to do: CO2 edition
Trainings at Global Appsec 2021
Breaking into threat modeling
25 Years of Appsec - Appsec Global
Learning Lessons from Aviation
Medical Device Threat Modeling Webinar
FDA Threat Modeling Playbook Now Available
Gävle Goat, 2021 edition
Fast, Cheap + Good Whitepaper
Missed it by that much!
The Allegory of Rocks and Sand
25 Years in AppSec: Looking Back, Looking Forward
Letterlocking
Threat Modeling Open Training: First Quarter, 2022
Elevation of Privilege: New Cards for 2022
#WeHackPurple: Podcast Episode with Tanya Janca
Wearing Many Hats
Worthwhile Books Q1 2022
Ten Questions we hope the CSRB answers
How To Choose a Threat Modeling Training
I need an extension!
Elevation of Defenses
How Executives Can Use Threat Modeling
The Evergreen Running Aground Problem
Short reads, March 2022
The Grimes Model of Scams
FDA Draft Premarket Guidance
Future of Appsec podcast
CyberPeace
Worthwhile Books May 2022
Happy Star Wars Day: A Big Announcement & Small Gift
on the security of Star Wars
Application Security Roundup - May
Plants grow in lunar soil
OWASP podcast with Matt Tesauro
A Science of Cybersecurity Public Health
Authentic Thoughts About What Can Go Wrong
Application Security Roundup - June
Congratulations to the CSRB!
Webb Telescope comparator
Major Cyber Incidents Investigations
The Buffet Overflow cafe
Application Security Roundup - July
Podcast: A Fully Trained Jedi
Threats — The Cover
Threat Modeling Training Announcements Fall, 2022
Doing an AMA
Threat Modeling for Security Champs
Oregon Forestry
Application Security Roundup - September
Bic Transit Gloria Mundi
Worthwhile Books Q3 2022
Medical Device Threat Modeling Boot Camp
Miro Threat Modeling Template for EoP
Trainings and discounts
Application Security Roundup - October and Nov
Cybersecurity Magazine: Podcast Episode with Han Christian Rudolph
The Threats book is complete
GPT-3
Human-Centered Security
Liability for the Second Death Star
Space News
Worthwhile Books Q4 2022
Usable Security Matters
Darkreading: Threat Modeling in the Age of OpenAI's Chatbot
What do you get the person who has everything?
Gavle Goat
More on GPT-3 and threat modeling
Fast, Cheap and Good, Redux
Threat Model Thursday: curl
The Last 747
The Appsec Landscape in 2023
Threat Modeling is Measure Twice, Cut Once
Threats: The Table of Contents
Threats Book is Complete
Threats Book Launch Party
Friday Star Wars: Presidents Daily Brief
Threats, To The Supply Chain
Not all developers can be Jedi
The Hacker Mind
Fire Smoke
Application Security Roundup - January
Watermarks
Usable Security and Privacy for Engineers
2001, as directed by George Lucas
Bing’s ChatGPT
Roman Concrete
Application Security Roundup - Feb
Threat Modeling Google Cloud (Threat Model Thursday)
Leonardo da Vinci’s Gravity Experiment
My David Prouse Moment
The National CyberSecurity Strategy: Liability is Coming
Star Wars, The Infographic
Imperium for Men
When will Adam be replaced by ChatGPT?
Application Security Roundup - March
Cumulus
Reflecting on Threats: The Frame
Five Threat Model Diagrams for Machine Learning
Threats Book News and Updates for April
Layoffs in Responsible AI Teams
May the Fourth Secure You
The Cyber Safety Review Board Should Investigate Major Historical Incidents
Application and AI roundup - May
Phishing Defenses
AppSecPNW 2023
AI will be the high interest credit card of 2023
Worthwhile Books Q2 2023
No guns please
Microsoft Can Fix Ransomware Tomorrow
Valorizing Rule-breaking
Threat Modeling and Secure by Design
Chuck, Acme, and Remediation Avoidance
SEC Cybersecurity Rules
Use the Defcon Wifi
ML Sec Ops: Feature with Diana Kelley
Airline Close Calls
Application and AI roundup - August
Open training: Threat Modeling for Champs (October)
Comparing Retrospectives
FDA Final Cyber Guidance is out
Application and AI roundup - September
Threat Modeling on Sale
Adversarial Thinking and Wargames
Security Principles in 2023
Application and AI roundup - October
Threat Modeling Thursday: Thanksgiving
C2PA Threat Modeling
Application and AI roundup - November
Think like Alph-V?
The Nazgul of Threat Modeling
Take Control of What You Read
Giant Pink Bunny, Redux
Think like Sieged-sec?
The State of Appsec in 2024
Red Queen Dynamics: Podcast Episode with Tarah Wheeler
Threat Modeling Capabilities Released
CSRB Senate Hearing
Red Teaming
Application and AI roundup - Jan 2024
My Instructional Journey
The Security Table: Podcast Episode with Chris Romeo
Knowing the Dark Side
Blackhat and Human Factors
ThreatModCon Lisbon 2024
Solving Hallucinations
Insecurity of Government Infrastructure
Archimedes Early Bird Ends Soon
Application and AI roundup - Feb 2024
The British Library’s Incident Review
Inherent Threats (Whitepaper)
Adventures in LLM Coding
The NVD Crisis
Cybersecurity Lessons from Covid19
Secure by Design roundup - March 2024
Introducing Magic Security Dust!
Healthcare Info Security: Podcast Episode with Marianne Kolbasuk McGee
CSRB Report on Microsoft
Leveraging our training platform
Other comments on the CSRB Microsoft Report
Eternal sunshine of the spotless LLM
Enterprise Security Weekly: Podcast Episode with Adrian Sanabria
Sutter on Safety
Happy Star Wars Day
RSA 2024
Secure by Design roundup - April 2024
Diagrams and Symbols in Threat Models
Blackhat Training Early Bird
Security Engineering roundup - May 2024
Threat Modeling and Logins
The Universal Cloud TM -- Threat Model Thursday
William Anders
Threat Modeling and Logins, Redux
Scale to Zero
Why I don't engage with Sean Hastings
Lockbit, a study in public health
First Workshop on Cyber Public Health
97 Things Every Application Security Professional Should Know
Worthwhile Books 1H 2024
Inherent threats talk (ThreatModCon)
The Unanimous Declaration of the Thirteen United States of America
Appsec Roundup - June 2024
Hard Problems + Cyber Public Health
Google on Cyber Public Health
Hard Problems + Cyber Public Health
The Goals of Cyber Public Health
Your Turn! by Scott Rogers
Threat Modeling and GenAI with Venkat Ramakrishnan
Appsec Roundup - July 2024
Threat Modeling Gameplay with Eop
Office Hours after training
Handling Pandemic-Scale Cyber Threats (preprint)
Secure Boot and Secure by Design
Appsec Roundup - August 2024
Google Health Symposium
Our back to school sale
Secure Boot and Liability
Appsec Roundup - September 2024
Our back to school sale is ending
ThreatModCon San Francisco
On Democracy
A Tale of Two Addresses
Coaching
Party over country
OWASP Board 2024
MITRE ATT&CK: Threat Model Thursday
The people who served under Trump
Scaling Threat Modeling
25 Years of CVE
Russia
On policy
Appsec Roundup - Oct 2024
The Economy
Patching in 2024
Election Prediction
Why do we call them trust boundaries?
Purple States
Car Safety Factoids
Is Cybersecurity Awareness Month Worth the Money?
Black Friday Sale
The Four Question Framework for Threat Modeling
Risk Talk at JPL
Appsec Roundup - Nov 2024
Human Centered Security
Gavle Goat Endures
Stocking stuffers for security nerds
A Different Hackathon Design?
Appsec Roundup - Dec 2024
Who Are 'We?' Power Centers in Threat Modeling
Lessons for Cybersecurity from the American Public Health System
Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19
Spatial Reasoning and Threat Modeling
National Cyber Incident Response Plan comments
The Birth of the CVE System, on Hackers To Founders
Hoarding, Debt and Threat Modeling
Talk at CERIAS
Appsec Roundup - Jan 2025
Threat Modeling the Genomic Data Sequencing Workflow (Threat Model Thursday)
Blackhat and Human Factors
A New Hope for Threat Modeling, on The CyberTuesday Podcast
How to Threat Model Medical Devices, on The Medical Device Cybersecurity Podcast
Inside Man
Appsec Roundup - Feb 2025
RSAC Webinar: Building Resilient Systems
Strategy for threat modeling AI
The First Constitutional Crisis of 2025
The Covid pandemic, 5 years on
OWASP Training in Barcelona
Security Researcher Comments on HIPAA Security Rule
Introducing the DEF CON 32 Hackers' Almanack
Appsec Roundup - March 2025
Learning from Troy Hunt’s Sneaky Phish
Assets, Again
A few thoughts on CVE
Free Threats
Andor, Season 2
CVE Futures
Threat Informed Defense Series
Appsec Roundup - April 2025
The Empire’s Threat Modeling
Andor Threats: Information Disclosure
Andor: Think like a leader
Cyber Hard Problems Report
Blackhat Earlybird Prices End Friday
Free Threat Modeling Training for Displaced Federal Workers
Andor: Insider Threats
Appsec Roundup - May 2025
The Essence and Beauty of Threat Modeling
Publish your threat model!
Google’s approach to AI Agents -- Threat Model Thursday
Appsec Roundup - June 2025
The Unanimous Declaration of the Thirteen United States of America
Voting Twice for Secession Would be More Fair
Threat modeling as a dial, not a switch
The Cyber Resilience Act (CRA)!
Risk Management and Threat Modeling
Blackhat and Defcon 2025
LLMs as Compilers
Risk is not a hammer
Threat Modeling Tools
Mansplaining your threat model, as a service
Secure By Design roundup - July/Aug 2025
Our back to school sale
OWASP Training in Washington, D.C.
How could LLMs change threat modeling
New Adventure! CyberSec Game Challenge 2025
Apollo 15 Lunar Rover Vehicle
Lunar Rover Vehicle, Redux
Adam Featured on Inside MedTech Innovation
Secure By Design roundup - September 2025
AI Insurance Won't Save You
Prompt Engineering Requires Evaluation
LeanAppSec Announcement
OWASP Board Thoughts 2025
The Moonwalkers
October Adam's New Thing!
Stop Trying to Manage Risk!
Secure By Design roundup - October 2025
Publishing ‘Publish Your Threat Model’
OWASP Threat Modeling Reboot
Recent accessibility improvements for the Shostack + Associates website
Secure By Design roundup - November 2025
Windows Links and Usable Security
State of Threat Modeling 2024-2025
OWASP Keynote Available for Viewing!
The Best Holiday Decorations
Gavle Goat Survived 2025 - or did it?
A few thoughts closing out 2025
Congratulations to ThreatModeler and IriusRisk!
Take Control of What you Read, Redux
Security Advisory SA-26-01 GPS Attacks
Bitlocker, the FBI, and Risk
NIST 800-218 revision
Threat Modeling in the Age of AI
Secure By Design roundup - Dec/Jan 2026
Adam Featured on the AppSec Weekly Podcast
The DEF CON 33 Hackers Almanack
Vulnerability Finding: An Inflection Point
Welcoming Kymberlee Price to Shostack + Associates
Layered Defenses at BSides Seattle
Appsec roundup - Feb 2026
Silver Hyundais Recalled
Blackhat and Human Factors
Threat Modeling AI Systems: Finding the Line Between Application Security and AI Security
Wasting Failures at RSAC™ 2026 Conference
Sunshine and Security – Kymberlee’s week at BSides SF and RSAC 2026
Appsec roundup - March 2026
DevSecOps: What Every Security Engineer Should Learn from Star Trek
DevSecOps: Lessons from the ST:TNG Crew
Artemis and Cybersecurity
One week left for Threat Modeling AI Systems Early Bird pricing
Adam reflects on BSides SF and RSAC
Measuring the ROI of threat modeling: moving from activity to impact
Lessons from Threat Modeling Intensive With AI
LLM Threat Modeling Is Fun