A few thoughts closing out 2025
Prompted by participants, a few closing thoughts for 2025
As the very intense and sometimes demoralizing 2025 wraps up, I want to thank everyone who trusted us to help with their threat modeling work. Many of you showed up eager to learn, bringing real systems, real constraints, and questions you were genuinely trying to answer. Those questions shaped the trainings and the new course on Threat Modeling Using LLMs, and they kept the work grounded in what people actually need when they go back to their day jobs. Helping people meet the material where they are and grow from there is the part I take most seriously.
In December, we ran a training with MxD, and today two participants wrote about their experiences, prompting this post. Nitin Uchel drew on his years of experience delivering solutions to customers to explore how threat modeling connects with cognitive electronic warfare. Angelika Szymanowska wrote about her experience in the two-day workshop, describing how working through concrete exercises like data-flow diagrams and attacker scenarios helped her grasp core threat modeling questions. I appreciated reading about how the deliberate pacing and clear explanations made the material accessible even when it got dense for her as a non-native English speaker.
We also ran the first version of Threat Modeling Using LLMs at OWASP Global AppSec. We’re still digesting what happened in that course, but one concrete outcome stood out. During the sessions, Mike Ensing built a set of rules and instructions as we worked through the material, using it to explore what was and wasn’t effective. After the conference, he released the work on GitHub and has continued to improve it. It’s a solid example of how participants took the ideas from the course and turned them into something concrete and useful.
What I saw this year were people trying to make the world a little better. Often that meant designing and delivering better systems. Participants brought hard questions, real tradeoffs, and the constraints they face in their jobs into our courses. That seriousness runs through everything we do. We don’t treat threat modeling as an abstract exercise, but as a way to make clearer decisions and improve what gets built. I’m grateful to everyone who engaged at that level and carried the work back into how they deliver.
LLMs have a very weird idea of what snow is.