
OWASP Global AppSec EU 2026 Recap (Next up, BlackHat!)
Reflecting on the S+A team's adventures in Vienna and excitement for BlackHat 2026

Reflecting on the S+A team's adventures in Vienna and excitement for BlackHat 2026

From near misses to a new book on the C4 model and fundamental work by NIST showing the limits of today’s AI Guardrails, lots of exciting news about Application security.

When was the last time you read the Declaration? It remains an amazing document.

It's a trap. (The trap being: can five Threat Modeling Manifesto working group members sit on the ThreatModCon EU Unkeynote stage together and agree on how AI requires them to amend their own work?)

Why are we big fans of using games as a learning tool? Michael makes the case for experience-driven learning.

A look at what's happening in the Threat Modeling Intensive session this week in Vienna

Exploring what it means for an AI to explain itself, and why “it gave a reason” is not the same as accountability.

A roundup of where you'll find us over the next couple of months

Reflecting on 20 years of work to scale threat modeling

New repudiation threats, fascinating results from rewriting code in rust, a new strategic plan for OWASP, AIs love their own slop, two new books, and more!

Slides for today's talk

It’s easy to think prioritization is an easy problem, but it’s one deserving careful consideration.

Understanding the numbers from Anthropic and the system that surrounds Glasswing gives us new possibilities for effective defense.

Peter Neumann helped define the field, and my career. He'll be missed terribly.

A busy Black Hat: A new talk, a new practical tool, and a deadline you should know about