The fourth edition of ThreatModCon (and our second in Europe) took place last month in Barcelona. Under the Spanish sun, the community gathered to talk about what’s new in threat modeling, share ideas, try out new formats, and connect with peers from around the world.
Scroll down for highlights–but first, here’s ThreatModCon Barcelona in 56 seconds!
And now let’s take a look back at some highlights:
The sunset cruise
We kicked things off the evening before the conference with a sunset cruise along the Barcelona coast. It was a relaxed, informal way to connect before diving into the program. Lots of good conversations, sea breeze, many lovely reunions, and even more new friends.
Hot topics
- AI, Quantum, and Threat Modeling
AI continues to be a big topic. Rob van der Veer’s session ‘AI Threats: Separating Hype from Harm’ offered a grounded approach to assessing the true severity of AI threats, how to act on (or not act on) them and why. Meanwhile, James Rabe wowed a packed room with practical techniques for preparing your threat models for a quantum computing future–a topic that’s just beginning to enter the threat modeling conversation. (View Rob’s slides, view James’ slides)
-
Gamification and how it actually works in structuring a threat modeling program
Stanley Harris shared real-world examples of designing a threat modeling session that actually feels like a game– using character cards, legitimate monsters, and a mission-driven challenge where your audience (dev, QA, security, architecture) earn XP for demonstrating desired behaviors. (Find more details in his slides)
-
Publish your threat models!
@adamshostack returned to the ThreatModCon stage–this time sharing work with Loren Kohnfelder–and delivered a powerful message: don’t let your threat models sit in a drawer. Whether it’s to get feedback, help others learn, or build a library of real-world examples, publishing your work benefits everyone—and can also help build trust with your customers. The idea sounds simple, but the actual implementation often isn’t. Adam shared practical advice on how to make it happen. (View the slides)
-
First privacy threat modeling workshop
@Kim and @AviD ran our first privacy-focused threat modeling workshop, which looked at how to identify and prioritize privacy risks using similar methods we apply to security. It was a solid first step in an area that many of us want to explore more deeply. (Find out more)
New formats
- Lightning Talks
This year, we introduced lightning talks: three eight-minute, back-to-back presentations with no Q&A. The format allowed for a wider range of voices and ideas–some polished, some experimental—and kept things moving. We learned a lot in a short time. Topics covered in lightning talks include threat modeling digital credentials, exploring assumptions in threat modeling, and a hybrid threat modeling approach for threat modeling audio-based systems.
- Our First Official Game Session
For the first time, we ran an official game session at ThreatModCon–hosted by @Elias_Sorensen. Participants worked together in small groups to play Elevation of MLsec – a card game for threat modeling machine learning created by Elias himself. It turned out to be a fun and practical way to learn and interact–and we’re likely to keep building on this. (View the slides)
Chapter leaders reunions
We were thrilled to welcome many TMC chapter leaders to this year’s event–representing Tokyo, DACH, Barcelona (our incredible host!), London, Vienna, Brussels, and Peru. Many of them–like @Mila from Barcelona, @TakaharuOgasa from Tokyo, and @Laxarella, @hewerlin, and @RonMK from DACH—first met at ThreatModCon Lisbon just a year ago. Since then, they’ve brought TMC back home, building amazing local communities, connecting practitioners, and making threat modeling the future, event by event.
Thank you, our volunteers!
From check-in to timekeeping to moderating the sessions–our volunteers made the day run smoothly. You played a huge part in the event’s success, and we’re so grateful for your time and energy.
Slides and resources
We’ve collected slides from many of the sessions–feel free to browse, learn, and share: ThreatModCon 2025 Barcelona Slides - Google Drive
Next stop: Washington D.C.
We’ll be back for our next ThreatModCon in Washington, D.C. on November 7-8, 2025. If you’re thinking about joining us, we’d love to see you there! Grab your ticket now while the super early bird sale goes on: https://www.eventbrite.com/e/threatmodcon-2025-washington-dc-tickets-1145982417259?aff=oddtdtcreator
In the meantime, our global community keeps meeting both online and in person. Find a local TMC chapter near you or join a virtual meetup: TMC Local Chapters
What stood out for you?
If you joined us in Barcelona, drop a comment below and share your favorite moment, top takeaways, or something you learned. Whether it was a talk, a conversation, or just the view from the boat–we’d love to hear what stuck with you!
What a treat it was 
Thank you, everyone, for gracing us with your presence! Looking forward to many more events locally and globally 
