Threat Modeling Insider – May 2025

Threat Modeling Insider Newsletter

44th Edition – May 2025

Welcome!

Welcome to this month’s edition of Threat Modeling Insider! In our featured guest article, Champions of Change: How Security Champions Drive Threat Modeling at Scale, Stanley Harris explores how empowering the right people can accelerate secure development across your organization.

Meanwhile, on the Toreon blog, Sebastien Deleersnyder shares 5 Strategies to Sell Leadership on Security, a practical guide to getting executive buy-in for threat modeling when persuasion matters most.

There’s plenty of other actionable insight ahead, so settle in and let’s get started!


On this edition

Tips & tricks
Microsoft Cybersecurity Reference Architectures

Training update
An update on our training sessions.

Guest article

Champions of Change: How Security Champions Drive Threat Modeling at Scale

Threat modeling is one of the most powerful activities in a secure software development lifecycle. It’s proactive, systematic, and helps teams uncover design flaws early, before a single line of vulnerable code is shipped. 

But here’s the challenge: it doesn’t scale easily. 

Security teams are often outnumbered by engineering 100:1, 200:1, or worse. Developers are moving fast, and centralized security doesn’t always have the capacity to facilitate deep design reviews for every feature, sprint, or service. Threat modeling becomes yet another good practice with limited adoption. 

So the big question becomes: *Who owns threat modeling when security teams can’t be everywhere?* 

The answer: Security Champions. 

The Four Properties of Security Champions: Positioned to Lead from Within

Security Champions are developers, QA engineers, or tech leads embedded in product teams who have an interest in security and serve as liaisons to the security function. But they’re more than just messengers. 

Champions understand the technical and business context of their teams. They speak the same AppSec language as their champion peers. And they already act as force multipliers – nudging their development teams toward secure decisions without slowing them down. That makes them ideal candidates to help embed threat modeling at the team level. 

Instead of threat modeling being a centralized “event,” champions can help make it a local, ongoing, and empowering habit. 

Five Ways to Enable Champions for Threat Modeling

The trick isn’t just assigning threat modeling to your champions; it’s enabling them to succeed. Here’s how:

1. Teach Practical Threat Modeling Techniques

Not every champion needs to be a threat modeling expert. But they do need just enough skill and confidence to guide their teams. Finding ways to provide threat modeling knowledge as part of your security champion program experience can be key. 

Start by training your champions on pragmatic techniques like STRIDE, attack trees, or the “Four Question” method. Use real-world examples tied to the team’s domain. Keep it interactive and focused on learning by doing. Short workshops, lunch-and-learns, and facilitated walkthroughs can go a long way. 

2. Equip Them with Templates and Tools

Threat modeling can feel intimidating, especially if it starts with a blank canvas. Make it easier. 

Provide champions with: 

  • Lightweight threat modeling templates (e.g., step-by-step prompts) 
  • Reusable DFD stencils or architecture diagrams 
  • Links to collaborative tools like Miro, Lucidchart, or IriusRisk 

Aim for tools that fit the team’s existing workflow and skillset, not tools that force new behavior. 

3. Embed Modeling into Engineering Rituals

One of the most effective strategies I’ve seen is to stop treating threat modeling as a separate activity. 

Encourage and coach your security champions to insert threat modeling prompts into existing ceremonies: 

  • During sprint planning: “What could go wrong with this feature?” 
  • In design reviews: “Let’s put ourselves in an attacker’s shoes.” 
  • In retros: “Did we miss any risks in last sprint’s work?” 

This keeps modeling relevant, lightweight, and iterative – just like modern software development! 

4. Build Feedback Loops with Security

Champions are not expected to be security or threat modeling experts. They’re facilitators. That means they need an escalation path when they hit something complex. 

Establish feedback channels like: 

  • Slack channels for async help from the security team 
  • Scheduled “office hours” with the AppSec team 
  • Shared threat modeling reviews for new services 

This connection builds trust both ways: security gets context, and champions get clarity. 

5. Celebrate and Recognize Success

Culture eats tooling for breakfast. If you want threat modeling to stick, make it visible and rewarding. 

Shout out great modeling examples in demos or all-hands. Offer badges or public praise. Show how champion contributions directly improved security outcomes as part of your OKR reporting. 

Small signals go a long way in reinforcing new behaviors! 

Avoiding Common Pitfalls

Enabling threat modeling through champions can be a huge success *if* you avoid these common traps: 

Lack of support: Don’t dump responsibility on champions without training and security backing. 

Tool overload: Stick to one or two tools that work well; avoid fragmentation. 

Checklist mentality: Threat modeling is a mindset, not just an audit step. 

No recognition: Humans respond positively to acknowledgement and praise; don’t forget to reward their efforts with appreciation.

Above all, give champions autonomy and flexibility – they know how their teams work best. 

Conclusion: Scale Through People, Not Just Process

Threat modeling shouldn’t be a bottleneck. It should be a shared responsibility, championed from within. 

By empowering security champions, you embed security thinking into the flow of development. You scale without centralizing. And you create a culture where asking “What could go wrong?” is just part of how your teams design software. 

Start small. Share a template. Co-facilitate a session. Celebrate a champion’s modeling win. 

Let your people lead and your threat modeling program will scale with them. 

CURATED CONTENT

Handpicked for you

Toreon Blog: Threat Modeling, 5 Strategies to Sell Leadership on Security

Getting leadership to invest in threat modeling can feel like an uphill battle, but it doesn’t have to be. This blog post reveals five proven strategies to influence the C-suite and make threat modeling a business no-brainer.

Learn how to shift the conversation from cost to value, using psychology-backed techniques and a practical framework to drive real change. Ready to turn skepticism into support? Dive in and discover how to lead with impact.

The Threat Modeling Bench

Introducing TM-Bench, the world’s first benchmark purpose-built to evaluate how Large Language Models perform in security threat modeling. Created by Matt Adams, also behind STRIDE GPT, TM-Bench answers a pressing question for security teams: Which LLMs can actually deliver in real-world, local threat modeling scenarios? Designed for models that run on accessible hardware like an RTX 4090, TM-Bench empowers organizations to make informed, cost-effective decisions without relying on cloud APIs. If you’re exploring AI for security, this is the benchmark you’ve been waiting for.

Defining a new methodology for modeling and tracking compartmentalized threats

Cisco Talos and The Vertex Project have introduced a groundbreaking extension to the Diamond Model of Intrusion Analysis to tackle the rising complexity of compartmentalized attack kill chains. In these modern threats, multiple distinct actors collaborate across different stages of an attack, making traditional profiling tools less effective. The new “Relationship Layer” enriches threat modeling by capturing the context between adversaries, capabilities, infrastructure, and victims. This update, now supported in Synapse, is demonstrated through the ToyMaker–Cactus ransomware case, showcasing more accurate analysis and pivoting in multi-actor campaigns.

TIPS & TRICKS

Microsoft Cybersecurity Reference Architectures

The Microsoft Cybersecurity Reference Architectures (MCRA) provide a clear, practical framework for aligning Microsoft’s security capabilities with your organization’s end-to-end security goals. Whether you’re navigating complex threats, implementing Zero Trust, or optimizing your SecOps strategy, the MCRA is your strategic guide.

Our trainings & events for 2025

Book a seat in our upcoming trainings & events

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, virtual, hosted by Black Hat USA, Las Vegas 

2-5 August 2025

Threat Modeling Practitioner training, hybrid online, hosted by DPI 

Cohort starting on 18 August 2025

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, Blue Team Con, Chicago, USA

4-5 September 2025


Hands-on Threat Modeling AI, in-person, hosted by BruCON, Belgium

22-24 September 2025

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, OWASP Global AppSec, Washington DC

4-5 November 2025

Threat Modeling Practitioner training, hybrid online, hosted by DPI 

Cohort starting on 1 December 2025


Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, NDC Security Manchester, UK

1-2 December 2025
