Hey everyone,
I’ve been experimenting with something I call Threat Modeling Driven Development (TMDD). The core idea is treating the threat model as a living development artifact (YAMLs) rather than a one-off exercise that becomes outdated. It’s well aligned with a whole AI-assisted development concept and I’ve been using that to increase the security of vibe-coded apps.
As part of my diploma thesis, I built a small CLI tool to explore this workflow: TMDD. I’m not claiming this is “the solution” or any type of product at this stage, more like an experiment I’d genuinely like practitioner feedback on.
Here you can find an example threat model as YAMLs, plus the generated report in the out/ directory (modeling the tool itself):
https://github.com/attasec/tmdd/tree/main/.tmdd
Curious about your thoughts, especially around:
- Model drift / maintenance
- YAML vs other representations
- AI-assisted modeling workflows
Any critical feedback is very welcome!