Last month, the TMC community kicked off a three-week threat modeling challenge–bringing together 30 mentors, 6 judges, 55 teams, and hundreds of TMC members for three weeks of learning and collaboration.
They all rallied around a single goal: to become stronger, sharper, more capable threat modelers–and to help secure the future by design. And they delivered.
Watch the highlights to catch the vibes:
What’s TMC Threat Modeling Hackathon?
Started in 2023, the TMC Threat Modeling Hackathon is a mult-week, team-based threat modeling challenge taking place virtually every spring. It’s become the world’s largest hackathon focused on threat modeling and secure by design, gathering threat modeling practitioners worldwide to learn, practice, and grow their threat modeling skills.
About the 2025 edition
The Challenge
This year’s theme was Smart Transportation Solutions. Teams were given just two weeks to build a comprehensive threat model for this system (with at least one subsystem explored in depth) to enhance its security posture.
View the system description here
Participants and Teams
There were 55 teams–most consisting of 3-6 people. About 15 teams were based in North America, 25 in Europe, and around 5 in Asia Pacific. Over half of the participants were new to threat modeling, with less than one year of experience.
Some participants signed up with teammates, while others joined solo and were assigned to a team with members in nearby time zones.
Each team had a Team Lead–a volunteer who stepped up to coordinate team schedules, handle communications with mentors, and make sure everyone was on the same page. This role was absolutely crucial. Each team was also paired with a mentor.
Mentors
The mentors were the backbone of this hackathon. We had 30 mentors this year, each bringing 3–10+ years of hands-on threat modeling experience—adding up to 100+ years collectively across industry, academia, and the public sector.
Many were returning mentors– @JohnT @edouardstoka @Mariia, @altazValani, @JonnyTennyson, and @jrabe3. Others, like @dragon44 @Ben @aulong, and @AbhishekKumarGoel were past participants who stepped up to give back to the community. All of them were seasoned threat modeling pros, eager to support and inspire the next generation of threat modelers.
They shared resources to level-set experience across the team, guided framework selection, and reviewed the threat model as they came together.
The journey
Week 0
Teams were announced 1.5 weeks before the event kicked off. Most met their mentors shortly after. Not every team had a smooth start–some faced member no-shows or low engagement and had to reshuffle. A true test of resilience, right from the beginning.
Week 1
Opening Ceremony
The event officially kicked off on April 1 with the Opening Ceremony. We had a pleasure to have @AviD join us and gave a keynote ‘Only Fools Rush to Love and Secure Design’–a hilarious, fun, and insightful April Fool’s–themed talk. Avi, a former mentor and judge of this hackathon, shared practical tips on what to focus on (and what to let go of) to get the most out of the hackathon. During the session, the judges also revealed the system description and judging criteria.
Training
Right after the ceremony, many participants joined a Threat Modeling Fundamentals workshop hosted by @roberthurlbut: Developing the Threat Modeling Mindset.
The training aligned @adamshostack’s famous “four-question framework” with four mindsets and four modeling steps. It was a great springboard for beginners to start thinking like threat modelers–because mindset is everything. The outputs from the exercises were incredible!
Week 2
Two weeks is a tight timeline (in previous years, teams had three). It pushed participants on all fronts:
- Collaboration (especially for teams of strangers)
- Time management (6am calls before work, late-night meetings, working sessions after)
- Modeling complexity (this year’s system was our most challenging yet)
In the second and final week of the submission period, most teams shifted their focus from scoping, threat hunting, and research to risk rankings and creating reports.
Week 3
38 out of 55 teams crossed the finish line–despite all odds. For more than half, this was their first-ever threat model, which made the achievement even more meaningful.
We had a Closing Ceremony on April 24, celebrating this journey, the teamwork, and the ‘threat modeling mindset’ that all participants developed and grew throughout this event. Some teams went a little bit further than others. But truly, everyone who participated achieved the most important goal: They became better threat modelers than when they started.
Threat model showcases 
Check out the collection of threat models built during this hackathon:
https://threatmodelingconnect.discourse.group/tag/hackathon-25
Side notes: The judging panel
Our judging panel is a dream team of threat modeling experts: @swierckx @Dave @roberthurlbut @Qasim @irene221b @agota.daniel.
We received 38 completed threat models, each with unique strengths–which made judging really tough.
As soon as the submissions closed, the judges spent a full week–including the Easter long weekend–evaluating submissions over two rounds and offering thoughtful feedback to each team. This same crew had been meeting almost weekly since January to design the system, set the judging criteria, and assemble a comprehensive resource pack that helped many teams hit the ground running.
It’s an understatement to say this hackathon wouldn’t have been possible without our dedicated judges – we truly appreciate their efforts.
Upcoming sessions
To share this hackathon with the broader community, a few members from the judging panel will be hosting a special session at ThreatModCon in Barcelona later this month, where they’ll share highlights from this year’s event and talk about how everyone in our community can be involved in this initiative – the biggest TMC event each year.
Can’t make it to Barcelona? Don’t worry–there’s another webinar next month: Judges Tell All, where the panel will dive into what went on behind the scenes and what to look forward in the next edition.
What should we model next year? Share your input 
Believe it or not, our judging panel has already started to plan for the 2026 edition!
Have an idea for a system you’d love to see threat modeled? Reply to this post and share your thoughts: What should we model next year?