Why “The AI Explained It” Isn't Good Enough: Introducing the SCORE Framework
Exploring what it means for an AI to explain itself, and why “it gave a reason” is not the same as accountability.
Shostack + Friends Blog
Recent Blog Posts
Summer Plans: Vienna, then Las Vegas
A roundup of where you'll find us over the next couple of months
Twenty Years of Scaling Threat Modeling
Reflecting on 20 years of work to scale threat modeling
Appsec roundup - May 2026
New repudiation threats, fascinating results from rewriting code in rust, a new strategic plan for OWASP, AIs love their own slop, two new books, and more!
UW Cyberday: Threat Modeling in the Age of AI
Slides for today's talk
Focus on high priority threats(?)
It’s easy to think prioritization is an easy problem, but it’s one deserving careful consideration.
Vulnerability Finding: Two Inflection Points
Understanding the numbers from Anthropic and the system that surrounds Glasswing gives us new possibilities for effective defense.
Remembering Peter Neumann
Peter Neumann helped define the field, and my career. He'll be missed terribly.
PHANTOM-B goes to Black Hat
A busy Black Hat: A new talk, a new practical tool, and a deadline you should know about
HIPAA Updates and Threat Models
HIPAA reform seems to lead to published threat models, and that’s going to be a hard change.
Claude Opus 4.7 and Threat Modeling
LLMs are great at providing credible answers to questions. And those answers are worth looking at closely.
Black Hat training earlybird pricing ends soon
All about the upcoming Threat Modeling Intensive with Complete AI at Black Hat and why you should be the early bird
Appsec roundup - April 2026
The importance of slow time in work is a theme for April, along with how Claude optimized away its own security rules. Also fun games collected at RSA!
Clever Clippings Star Wars Art
Showcasing some Star Wars art to celebrate Revenge of the Fifth
May the Fourth Be With You!
Celebrating Star Wars Day with a look at what Darth Maul’s training can teach you.