July has been a whirlwind - and a great one!
Here’s what the global TMC community was up to in July – chapters launched, frameworks discovered, and lively debates here in the forum. Drop a comment if you attended any of these meetups or join the top discussion this month.
Chapter Highlights
We had six chapters meet across the globe last month - over BBQ, skyline views, pizza nights, Zoom calls, and great threat modeling discussions (of course!).
Toronto: Tackled threat modeling in LLMs and agentic AI. (Organized by @TMC_Toronto_Chapter) Check out highlights and slides →
London: Explored how to get senior leadership support for TM and discovered a new framework. (Organized by @sebbs @katierowan @omarsaenz) Watch the recording →
Wien: Started a new chapter with talks on interdisciplinary threat modeling, top threats in automotive and…a BBQ! (Organized by @agota.daniel @StefanProksch @Reinhard)
Tokyo: Held an ‘audience-led’ panel on The Limits of Threat Modeling, featuring insights from AI pen testers, educators, and hardware hackers. (Organized by @TakaharuOgasa)
DACH: Gathered around a virtual summer campfire to swap ideas, challenges, and support. Topics included: Top-down vs bottom-up TM, Lightweight vs heavyweight processes, the unexpected role of DFDs. (Organized by @Laxarella @hewerlin @RonMK) Read the highlights →
Wales/Midlands: Another new chapter! Had a fun, hands-on session at their initial gathering where they modeled… a chicken crossing the road. (Organized by @PaulSpruce)
Coming soon!
We’re excited to welcome our two newest chapters, launching soon in New York City (led by @zbraiterman and @izar) and Raleigh-Durham (led by @navneet and @nikola). Join their new communities on TMC Slack and stay tuned for the launch events.
New! AI-Powered Highlights from the Forum
We’re rolling out a new feature: Key takeaways distilled from the most active forum threads each month by AI.
July’s Top Discussion: Bridging the Gap Between Threat Modeling and Risk Management
Should threat modeling and risk management stay separate – or evolve together?
Prompted by Adam Shostack’s recent post, this thread dives deep…
Some practitioners argue risk assessments often add little value and distract from good security engineering, especially when misused or misunderstood. Others counter that connecting technical threats to business risks is essential for demonstrating value, influencing priorities, and meeting compliance standards like the Cyber Resilience Act.
While many agree that risk quantification can be flawed or manipulated, there’s a shared recognition that structured prioritization - whether formal or informal - is inevitable. The discussion also surfaces practical concerns, from cultural barriers to documentation fatigue, and the need to make secure practices simple and routine.
In the end, the thread doesn’t settle the debate but enriches it, offering multiple nuanced perspectives for anyone navigating the intersection of engineering and risk.
Want to dive deeper? Go directly to the original thread - read every comment, share your thoughts, and join the discussion!
Upcoming Events
- Aug 8–9 – Next Top Threat Model @ DEFCON: Our friends at NTTM (@AppSecSeanner and his team) are hosting another epic threat modeling contest at DEFCON next week. → threatmodel.us
- Aug 14 – TMC DACH Online Meetup: Join our friends at TMC DACH for an insider look into the TMC Hackathon 2025 → Register
- Nov 7-8 – ThreatModCon 2025 Washington, D.C.: Our annual U.S. conference and the world’s largest threat modeling event. → Submit a talk (CfP closes Aug 8) OR Get your ticket at 50% off (Super Early Bird ends this month!)
Your Turn!
- Comment below if you attend any of the events above, or share your July wins.
- Join your chapter on TMC Slack to connect with others locally.