Why Thinking Like a Defender Beats the Attacker Mindset

“Think like an attacker.” It’s our industry’s favorite mantra, but for most engineering teams, it’s a setup for failure. It expects developers – who spend their days perfecting “happy flows” – to suddenly pivot into a destructive mindset that goes entirely against their nature.

This creates a bottleneck for organizations attempting to scale threat modeling, as engineers frequently find themselves paralyzed by “creator-blindness”—the natural cognitive inability to see flaws in a system they have specifically designed to succeed. To overcome this paralysis, many teams turn to GenAI for rapid answers, only to be caught in a validation gap where they lack the specialized security expertise required to distinguish between a helpful insight and a dangerous hallucination.

The truth is, you don’t need more “attackers” on your payroll. You need to lean into the Defender’s Advantage. Here’s why shifting the focus back to your own domain is the better way to make threat modeling stick.

The Myth of the "Attacker Mindset"

Telling a developer to think like an attacker is like telling a home cook to “think like a Michelin-starred chef”. In our threat modeling training, we often say: “When I’m in the kitchen, my wife saying ‘Think like Jamie Oliver’ doesn’t make me a better chef.” It’s a nice sentiment, but it isn’t prescriptive or clear.

Most people don’t know how an attacker spends their day or what tools they use. When we demand this mindset, we often just make engineers feel siloed or embarrassed that they “don’t get it”.

Saying “It would be helpful to you if you learned to think like an attacker” is exhorting people to learn that skill. Demanding that they do it, or implying that they are stupid for not knowing how, is actively counter-productive.

Stop the “Attacker Mindset” struggle. Our Threat Modeling Training teaches engineers to secure what they build using the systems they already know.

Why a Defender Mindset Makes Threat Modeling Scalable for Developers

The “Defender’s Mindset” is built on what your engineers already know: their own software design. Instead of chasing an ever-evolving body of attacker knowledge, they focus on their span of control.

  • Leverage Domain Expertise: Your devs know their technology stack and the application architecture better than any external threat modeler.
  • Predictable Security: Focusing on security-by-design principles and best practices is a more stable way to improve security posture than reacting to the latest exploit.
  • Reduced Friction: It aligns security with DevOps speed by integrating it into existing workflows rather than imposing a “pull-down” requirement.

[Figure: Threat Modeling Mindsets: A Comparison]

The GenAI Trap

Nowadays, when developers are told to think like attackers, they often turn to Generative AI. This can create a false sense of security, giving them a lot of “knowledge” on attacks without the ability to validate it. AI can list vulnerabilities, but it doesn’t make someone a threat modeler.

Training your team to be defenders allows them to use AI as a tool rather than a crutch, ensuring security is measured alongside your success objectives.

Our training doesn’t just teach you to find threats; it provides the structured framework necessary to validate AI outputs against your specific architecture, closing the dangerous ‘hallucination gap’ in automated security.

Bridging the Gap: Practical Steps

You don’t have to ignore attacks entirely. Use “thinking like an attacker” as a specific awareness tool to show how threats are realized in the real world. But for the day-to-day threat modeling, follow these steps:

  1. Start with the diagram: Use structured methods, such as “STRIDE-per-interaction”, which walks each data flow in the diagram and asks the six STRIDE questions about that specific interaction, to help people step outside their “creator-blindness”.

  2. Focus on the stack: Train teams on the best practices for implementing security in their specific technology stack.

  3. Empower, don’t outsource: Build the expertise internally in the product teams to reduce reliance on external experts.
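The first step above, walking the diagram interaction by interaction, can be made mechanical enough that a product team runs it without any attacker knowledge. The script below is an added example, not tooling from the original post or from Toreon: the element kinds, trust zones, the two-flow sample diagram and the rule table mapping interaction shapes to STRIDE questions are all assumptions chosen for illustration. Each rule only asks about the defenders' own design (who is authenticated, what crosses a boundary, what is logged), which is the point of the defender-first framing.

```python
"""STRIDE-per-interaction over a hand-built data-flow diagram (DFD).

Added example, not the original page's code. Element kinds, the sample
diagram and the rule table are assumptions for illustration.
"""
from dataclasses import dataclass

PROCESS, EXTERNAL, STORE = "process", "external_entity", "data_store"


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # PROCESS, EXTERNAL or STORE
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    label: str
    authenticated: bool = False  # does dst verify who src is?
    encrypted: bool = False      # is the channel protected in transit?


def threats_for(flow: Flow) -> list[tuple[str, str]]:
    """Return (STRIDE category, design question) pairs for one interaction.

    Every question is answerable by the team that owns the two elements
    from their own design, without knowing any specific attack technique.
    """
    crosses = flow.src.trust_zone != flow.dst.trust_zone
    found = []
    if crosses and not flow.authenticated:
        found.append(("Spoofing",
                      f"{flow.dst.name} accepts '{flow.label}' from "
                      f"{flow.src.name} without authenticating the sender"))
    if crosses and not flow.encrypted:
        found.append(("Tampering",
                      f"'{flow.label}' crosses from {flow.src.trust_zone} to "
                      f"{flow.dst.trust_zone} with no integrity protection"))
        found.append(("Information disclosure",
                      f"'{flow.label}' is readable on the path into "
                      f"{flow.dst.trust_zone}"))
    if flow.dst.kind == STORE:
        found.append(("Repudiation",
                      f"is each '{flow.label}' into {flow.dst.name} logged "
                      f"with actor and time?"))
        found.append(("Information disclosure",
                      f"who can read {flow.dst.name} besides {flow.src.name}?"))
    if flow.src.kind == EXTERNAL and flow.dst.kind == PROCESS:
        found.append(("Denial of service",
                      f"{flow.dst.name} must bound and validate untrusted "
                      f"'{flow.label}' input"))
        found.append(("Elevation of privilege",
                      f"does {flow.dst.name} authorize every action "
                      f"'{flow.label}' can trigger?"))
    return found


def model(flows) -> dict[str, list[tuple[str, str]]]:
    """Threats per interaction, keyed by the flow label."""
    return {f.label: threats_for(f) for f in flows}


# Constructed sample diagram (not a real system): a browser on the internet
# talks to a web API in a DMZ, which writes orders to an internal database.
BROWSER = Element("Browser", EXTERNAL, "internet")
API = Element("Web API", PROCESS, "dmz")
DB = Element("Orders DB", STORE, "internal")

SAMPLE_FLOWS = [
    Flow(BROWSER, API, "login request", authenticated=False, encrypted=True),
    Flow(API, DB, "write order", authenticated=True, encrypted=False),
]


def categories(flows=SAMPLE_FLOWS) -> dict[str, list[str]]:
    """Only the STRIDE categories per interaction, in rule order."""
    return {label: [c for c, _ in ts] for label, ts in model(flows).items()}


if __name__ == "__main__":
    for label, threats in model(SAMPLE_FLOWS).items():
        print(f"== {label}")
        for category, question in threats:
            print(f"  [{category}] {question}")
```

The output is a list of questions the owning team has to answer, not a list of exploits; a flow that stays inside one trust zone, is authenticated and encrypted, and ends at a process produces nothing, which is also useful information. Extending the rule table with the team's own stack-specific checks (step 2 above) is where the real value accumulates.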

Conclusion

Relying on the “attacker mindset” keeps security as an afterthought, driven by product compliance. By reframing threat modeling as a Defender’s Discipline, you empower your architects and engineers to take ownership of their security posture. This shift improves risk management, maintains compliance, and ensures you aren’t waiting for a breach to find your vulnerabilities.

Ready to empower your team to own their security?

Stop letting your architects and engineers feel siloed by unrealistic expectations. It’s time to move beyond the abstract “attacker” mantra and start “doing” with a practical, defender-first framework that actually fits your engineering workflow. By building this expertise internally, you bridge the validation gap and turn security from a bottleneck into a baseline.

About the Author

Sebastien (Seba) Deleersnyder, co-founder and CTO of Toreon, combines software engineering expertise with a passion for holistic product security. After earning his Master’s in Software Engineering from the University of Ghent, with a thesis on “Hyphenation using neural networks,” he became a driving force in the security community as the founder of the Belgian OWASP chapter, a member of the OWASP Foundation Board, and co-founder of BruCON, Belgium’s annual security conference. His leadership of OWASP SAMM and his decade-long role as a highly rated Black Hat trainer have significantly impacted global software security, earning consistently outstanding feedback from participants. Currently, Seba focuses on adapting security models for DevOps and expanding awareness of AI Threat Modeling.
