Have you seen Judges Tell All?
Some key takeaways:
- TM report should tell a story
- Good TM report ≠ “here’s 200 threats”
- What’s the essence / TL;DR / take home message?
- … especially when reporting to upper management
If we were to design a threat modeling approach that has this as its first goal and wants to keep things highly relevant / condensed / essential…
What would it look like?