Looking Back at ThreatModCon 2025 Barcelona

The fourth edition of ThreatModCon (and our second in Europe) took place last month in Barcelona. Under the Spanish sun, the community gathered to talk about what’s new in threat modeling, share ideas, try out new formats, and connect with peers from around the world.

Scroll down for highlights–but first, here’s ThreatModCon Barcelona in 56 seconds!

And now let’s take a look back at some highlights:

The sunset cruise

We kicked things off the evening before the conference with a sunset cruise along the Barcelona coast. It was a relaxed, informal way to connect before diving into the program. Lots of good conversations, sea breeze, many lovely reunions, and even more new friends.

Hot topics

  • AI, Quantum, and Threat Modeling
    AI continues to be a big topic. Rob van der Veer’s session ‘AI Threats: Separating Hype from Harm’ offered a grounded approach to assessing the true severity of AI threats, how to act on (or not act on) them and why. Meanwhile, James Rabe wowed a packed room with practical techniques for preparing your threat models for a quantum computing future–a topic that’s just beginning to enter the threat modeling conversation.
  • Gamification and how it actually works in structuring a threat modeling program
    Stanley Harris shared real-world examples of designing a threat modeling session that actually feels like a game– using character cards, legitimate monsters, and a mission-driven challenge where your audience (dev, QA, security, architecture) earn XP for demonstrating desired behaviors.


  • Publish your threat models!
    @adamshostack returned to the ThreatModCon stage–this time sharing work with Loren Kohnfelder–and delivered a powerful message: don’t let your threat models sit in a drawer. Whether it’s to get feedback, help others learn, or build a library of real-world examples, publishing your work benefits everyone—and can also help build trust with your customers. The idea sounds simple, but the actual implementation often isn’t. Adam shared practical advice on how to make it happen.

  • First privacy threat modeling workshop
    @Kim and @AviD ran our first privacy-focused threat modeling workshop, which looked at how to identify and prioritize privacy risks using similar methods we apply to security. It was a solid first step in an area that many of us want to explore more deeply.

New formats

  • Lightning Talks
    This year, we introduced lightning talks: three eight-minute, back-to-back presentations with no Q&A. The format allowed for a wider range of voices and ideas–some polished, some experimental—and kept things moving. We learned a lot in a short time. Topics covered in lightning talks include threat modeling digital credentials, exploring assumptions in threat modeling, and a hybrid threat modeling approach for threat modeling audio-based systems.
  • Our First Official Game Session
    For the first time, we ran an official game session at ThreatModCon–hosted by @Elias_Sorensen. Participants worked together in small groups to play Elevation of MLsec – a card game for threat modeling machine learning created by Elias himself. It turned out to be a fun and practical way to learn and interact–and we’re likely to keep building on this.

Chapter leaders reunions

We were thrilled to welcome many TMC chapter leaders to this year’s event–representing Tokyo, DACH, Barcelona (our incredible host!), London, Vienna, Brussels, and Peru. Many of them–like @Mila from Barcelona, @TakaharuOgasa from Tokyo, and @Laxarella, @hewerlin, and @RonMK from DACH—first met at ThreatModCon Lisbon just a year ago. Since then, they’ve brought TMC back home, building amazing local communities, connecting practitioners, and making threat modeling the future, event by event.

Thank you, our volunteers!


From check-in to timekeeping to moderating the sessions–our volunteers made the day run smoothly. You played a huge part in the event’s success, and we’re so grateful for your time and energy.

Slides and resources

We’ve collected slides from many of the sessions–feel free to browse, learn, and share: ThreatModCon 2025 Barcelona Slides - Google Drive

Next stop: Washington D.C.

We’ll be back for our next ThreatModCon in Washington, D.C. on November 7-8, 2025. If you’re thinking about joining us, we’d love to see you there! Grab your ticket now while the super early bird sale goes on: https://www.eventbrite.com/e/threatmodcon-2025-washington-dc-tickets-1145982417259?aff=oddtdtcreator

In the meantime, our global community keeps meeting both online and in person. Find a local TMC chapter near you or join a virtual meetup: TMC Local Chapters

:person_raising_hand: What stood out for you? :person_raising_hand:

If you joined us in Barcelona, drop a comment below and share your favorite moment, top takeaways, or something you learned. Whether it was a talk, a conversation, or just the view from the boat–we’d love to hear what stuck with you!

4 Likes

hi, I wanted to share my slides and the essay form; Shostack + Associates > Shostack + Friends Blog > Publish your threat model!

2 Likes

My 2nd ThreatModCon and in my beloved city of Barcelona :smiling_face_with_three_hearts: What a treat it was :heart_eyes: Thank you, everyone, for gracing us with your presence! Looking forward to many more events locally and globally :flexed_biceps: :star_struck:

3 Likes

Connecting with all the threat modeling enthusiasts was truly wonderful! I loved seeing the energy everyone brought to sharing our stories and growing the community together. I can’t wait for the next edition!

3 Likes

As someone who works mostly remotely, I really enjoyed the in-between moments during the sessions—so much space for creative thinking and for exchanging those early ideas that keep you busy for months, even years, but are never quite polished enough to make it onto a meeting agenda…

I’m genuinely grateful for all the insights and conversations we shared :slightly_smiling_face:

3 Likes

It was great connecting with sooo many knowledgeable professionals and share new techniques and strategies. I especially enjoyed the workshop where we played AI threat modeling with cards! Definitely something I’d like to experiment with at our local TCM chapter meetups in the future.

1 Like

I really liked seeing familiar faces and new faces all together! Personal highlight for @RonMK and me was to meet our Hackathon-teammate from the 2024 edition in person, finally! Being a moderator for the first time was also really exciting. And the participation of all people who attended @Kim’s and @AviD’s workshop was outstanding! I have never seen such an enganged audience before.
I also liked Stanley Harris’s approach to connect Dungeons & Dragons with Security Champions.

2 Likes