Recap: Developing a Threat Modeling Mindset (Threat Modeling Fundamentals Workshop)

shuning · April 2, 2025, 12:38am

On 2025-04-01T07:00:00Z, we hosted the Threat Modeling Fundamentals Workshop - Developing a Threat Modeling Mindset with Robert Hurlbut. Based on his well-received in-person workshop on a similar topic at many major security conferences (including twice at our very own threatmodcon!), Robert adapted this session into a virtual experience for TMC members and our 2025 hackathon participants.

Key takeaways

A Threat modeling mindset is to:

Be strategic
Be curious / asking questions
Be prepared
Be active

The four principles align well with the four steps of a typical threat modeling process:

Mindset	Threat Modeling Step
Be strategic: ‘Thinking ahead’	Understand your system & data flows
Be curious: ‘What if? What could go wrong?’	Identify threats
Be prepared - ‘Focused defense’	Document threats
Be active - ‘Review, follow through’	Actively review, follow through, repeat

To put this into practice, we ran two hands-on exercises based on an example web application:

Threat Hunt – focused on being curious and identifying potential threats
Mitigation Brainstorming – focused on being prepared and developing proactive defense strategies

Check out the output from our exercises below! (PDF)

Slides

Access Robert’s slides →

Resources

Here are some additional Robert recommended:

Threat modeling manifesto: https://www.threatmodelingmanifesto.org/
Threat modeling capabilities: Threat Modeling Capabilities
Books (View the full list in his slides)
- Hacking Kubernetes: Threat-Driven Analysis and Defense (2021) Andrew Martin, Michael Hausenblas
- Threat Modeling: A Practical Guide for Development Teams (2020) Izar Tarandach and Matthew Coles
Playbook for threat modeling medical devices (2021) MITRE: https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf

Replay

Watch the full session

Shoutouts

A big thank you to everyone who joined us, and a special shoutout to our breakout room facilitators: Adrian Bettag, Ari Kalfus, Donavan Cheah (@donavancheah), John Taylor (@JohnT), Natalia Semenova, Pankaj Joshi, Pankaj Upadhyay, Praveen Gupta – you made the hands-on exercises such a success.

And of course, massive thanks to Robert Hurlbut (@roberthurlbut) for bringing this valuable session to our community!

hewerlin · April 2, 2025, 12:22pm

Sounds great!

Enjoy the hackathon, players!

Prabhav_impact · April 2, 2025, 4:03pm

An amazing and to-the-point practical workshop that jumped into actually getting hands dirty and think like a TM professional. Looking forward for more such workshops.

Topic		Replies	Views
Workshop: Developing a Threat Modeling Mindset (April 1, 2025) Events	3	56	March 25, 2025
August Meetup Recap: Meta Threat Modeling Events meetup	3	74	September 9, 2024
November 2024 Challenge: Nominate a question for the 'State of Threat Modeling' survey Announcements community-challenge	16	212	December 12, 2024
Call For Papers: Threat Modeling Conference 2023 Announcements threatmodcon	0	6	June 1, 2023
Applications Now Open: 2025 TMC Community Leaders Announcements	1	34	August 23, 2024