Black Hat training earlybird pricing ends soon
All about the upcoming Threat Modeling Intensive with Complete AI at Black Hat and why you should be the early bird
Shostack + Friends Blog
Recent Blog Posts
Appsec roundup - April 2026
The importance of slow time in work is a theme for April, along with how Claude optimized away its own security rules. Also fun games collected at RSA!
Clever Clippings Star Wars Art
Showcasing some Star Wars art to celebrate Revenge of the Fifth
May the Fourth Be With You!
Celebrating Star Wars Day with a look at what Darth Maul’s training can teach you.
LLM Threat Modeling Is Fun
Exploring the fun in LLM threat modeling, and how it’s both an interface choice and a possibly ‘dark pattern’
Lessons from Threat Modeling Intensive With AI
Actionable lessons from delivering Threat Modeling with AI, and using AI more generally.
Measuring the ROI of threat modeling: moving from activity to impact
Shostack + Associates COO Kymberlee Price shares her experience measuring the impact of secure design engineering practices on security outcomes
Adam reflects on BSides SF and RSAC
Adam finally caught his breath and sat down to reflect on BSides SF and RSAC 2026.
One week left for Threat Modeling AI Systems Early Bird pricing
One week left to take advantage of Early Bird pricing for our new Threat Modeling AI Systems course.
Artemis and Cybersecurity
Some thoughts on Artemis
DevSecOps: Lessons from the ST:TNG Crew
On First Contact Day, we dive into the lessons that security engineers can learn from the crew.
DevSecOps: What Every Security Engineer Should Learn from Star Trek
Security engineers in a DevSecOps world can learn a few things from Star Trek.
Appsec roundup - March 2026
This month kicks off with Donald Knuth being shocked by LLMs, then goes into the threat modeling impact of right to repair, and how to TM MCP, and a whole lot more!
Sunshine and Security – Kymberlee’s week at BSides SF and RSAC 2026
Some of the best parts of BSidesSF and RSAC 2026 don't make it into session recordings...
Wasting Failures at RSAC™ 2026 Conference
Cybersecurity should learn lessons from industries that are transparent about failure.