Hello everyone,
As expected, I’m happy to share some of thoughts and remarks about our journey as Team 7 during the Threat Modeling Hackathon 2025,on top of the final report that my very proactive teammate Matt already shared here: Hackathon 2025 -TMC Drive Threat Model - Team 7 - 1st Place
Setting Up the Team
When I got the final team list, I was excited to start acting as a real team lead and started preparing a big plan for first weekly sprint: daily 1-hour calls after work (6 PM CET), focusing on one threat modeling question each day. I wanted us to finish early drafts of our DFD, threat matrix, and final report by the end of the first weekly sprint, to have time for review and improvements during the second week.
But very I soon realized this was too ambitious. Team members were in different time zones with busy schedules, and regular calls were not sufficient to clarify even some ideas, nor to take team decisions, etc. we hadn’t had time to build trust or clear roles yet. One teammate left early, which I think was partly because of the fast pace and pressure. Things improved after couple days when Vinesh and Matt joined. They understood the tasks quickly and started contributing right away, which really helped us to move forward with having some initial content. We also had very helpful mentoring sessions with Adrian, who guided us on using IriusRisk and OpenFAIR tools. After this, we entered into a more stable way of work, even though we still faced challenges to materialize some great ideas and deliver everything what was planned on time.
Threat Modeling Insights
Goal
I think it is good that from the very begin, we understood that our task was not just about identifying the threats and risks, we had in mind needs for privacy assessment and mapping our findings with real life incidents. We also had in mind that we need to show how our results support TMC Drive’s business goals, although were not sure how to do so. Another mentoring session with Adrian on OpenFAIR methodology helped us lot to figure it on how to connect technical impact to the business risks and the mitigations we suggested to the business values.
Breaking Down TMC Drive Concept
To make sure everyone was on the same page, we made a TMC Drive Ecosystem diagram to understand the big picture. It wasn’t a standard DFD, but it helped us see the main parts of the system, user stories, and possible threat actors. Later, we focused on the Autonomous Driving Stack (ADS) because the task needed a deep analysis of at least one subsystem and one of the most critical for many user stories was actually the ADS. Although none of us were familiar with ADS, we found resources like this article on Waymo software architecture which helped us a lot understand its key parts and how its elements work together. While learning it, we created our own simple ADS diagram, mapped out what could go wrong, and filled this into our STRIDE based Threat Matrix (includes final results with all details about the threats, risks and mitigations and the Public References we managed to find). We definitelly had intention to cover more, but recognized missing time risks and decided to proceed with finalizing deliverables planned.
Risks and Mitigations
As you can see in the threat matrix, we matched each threat to cumulative business impact as a result of estimating impact on Passenger Safety, Financial Loss, Operational Downtime and Privacy Violations.
Then we calculated inherent risk scores using a likelihood factors and finally simulated financial loss by applying simple OpenFAIR method to rank the threats according to the urgency into Very High, High, or Medium. A cybersecurity EV industry benchmark report from Upstream gave us real-world examples and statistics to support our work.
We then just grouped mitigations according to the domains they have to be applied, assigned estimated investments and compared them with the losses, using estimated risk reduction for demonstrating the return of the investments over a period of 3-5 years.
Lessons Learned
I think this was a big learning experience for our whole team, with plenty of challenges, mistakes and successfully reached goal. If I could start it over again, I would pay more attention to:
• Plan more realistically and spend time building trustful communication inside the team first.
• Talk more 1-on-1 with teammates to understand their strengths, motivation, expectations and ideas
• Prepare individual task and make sure everyone has understood the expectation correctly
• Have ready and a bit simplified templates and standard collaborations tools in advance
I’m very proud of our achievement and how we as a team has finished the Hackathon with strong effort, commitment, and lots of shared learning. Once again congratulation and a big thank you to all my teammates for our achievement and to our mentor for supporting us!