Lessons from Threat Modeling Intensive With AI
Actionable lessons from delivering Threat Modeling with AI, and using AI more generally.
Shostack + Friends Blog
Recent Blog Posts
Measuring the ROI of threat modeling: moving from activity to impact
Shostack + Associates COO Kymberlee Price shares her experience measuring the impact of secure design engineering practices on security outcomes
Adam reflects on BSides SF and RSAC
Adam finally caught his breath and sat down to reflect on BSides SF and RSAC 2026.
One week left for Threat Modeling AI Systems Early Bird pricing
One week left to take advantage of Early Bird pricing for our new Threat Modeling AI Systems course.
Artemis and Cybersecurity
Some thoughts on Artemis
DevSecOps: Lessons from the ST:TNG Crew
On First Contact Day, we dive into the lessons that security engineers can learn from the crew.
DevSecOps: What Every Security Engineer Should Learn from Star Trek
Security engineers in a DevSecOps world can learn a few things from Star Trek.
Appsec roundup - March 2026
This month kicks off with Donald Knuth being shocked by LLMs, then goes into the threat modeling impact of right to repair, and how to TM MCP, and a whole lot more!
Sunshine and Security – Kymberlee’s week at BSides SF and RSAC 2026
Some of the best parts of BSidesSF and RSAC 2026 don't make it into session recordings...
Wasting Failures at RSAC™ 2026 Conference
Cybersecurity should learn lessons from industries that are transparent about failure.
Threat Modeling AI Systems: Finding the Line Between Application Security and AI Security
Announcing a new course from the Shostack + Associates team.
Blackhat and Human Factors
BlackHat invites human factors work
Appsec roundup - Feb 2026
This month's roundup starts with losing oneself, continues with cool new threat modeling tools and applications, and continues into appsec, AI and regulation.
Layered Defenses at BSides Seattle
How do we use models to help us answer what are we going to do?