Appsec roundup - June 2026
From near misses to a new book on the C4 model and fundamental work by NIST showing the limits of today’s AI Guardrails, lots of exciting news about Application security.
This month leads off with Close Calls in Cyberspace: Strengthening Cybersecurity by Learning from Near-Misses by Tommy van Steen, Jeroen Wolbers, and Cristina Del-Real. I’m happy to see research on how we can learn faster and better. All of our security work should be informed by experience, and near misses should be a rich source of such experience.
Threat Modeling
- Simon Brown has an O’Reilly book on the C4 Model. Amazon says it’ll be out this month.
- ThreatModCon Vienna happened: I was honored to be part of the
unkeynote, which focused on the role of the Threat
Modeling Manifesto in a changing world. We talked about the
importance of a journey of understanding, and how AI can exemplify
both the “Hero Threat Modeler” and “Tendency to Overfocus”
anti-patterns. I also led a mastermind session on how to apply
layers, and James Reason’s “Swiss Cheese Model” to
defenses stretching our answers to “What are we going to do about it?” beyond “controls” or mitigations. - Saving the best for last, the conference awarded Brook Schoenfield a lifetime achievement award. Brook was coincidentally in Vienna for vacation earlier in the week, so we presented him with the certificate on Tuesday, and I led a celebration on Saturday. (I hope to blog more about each of these over the coming weeks.)

Appsec
- In A Grounded Conceptual Model for Ownership Types in Rust, Will Crichton, Gavin Gray, and Shriram Krishnamurthi take a problem: Why don't people understand the borrow checker, and run it down from "how might they understand it now (and how can we find the problems they really experience), how can we teach it to them, and how can we evaluate that work?"
- The CVE program has a blog post, Preserving Vulnerability-Level Identification in a Time of Increased Disclosure Volume arguing that a CVE identifies a vulnerability. It’s a useful reminder.
- Relatedly, Jay Jacobs and Art Manion wrote The Vulnerability Identity Crisis, about what we need to know to assign an identifier to a vulnerability. I kicked off a side conversation on Mastodon, here.
AI
- NIST released a Mathematical Proof Supports Transition to a Continuous-Monitor-and-Update Security Model for AI Systems. Their summary says “The proof provides a rigorous explanation of the importance of transitioning from a ‘one and done’ security model.” I prefer Covertswarm’s summary, AI guardrails will always fail, and their pull quote: “There is no finite set of guardrails that is universally robust against adversarial prompts.” Of course, this is what Shoshana Cox has been saying for years and that’s part of why we’re so excited that she and Mike Novack designed and teach our Threat Modeling AI Systems course: they understand the limits of today’s defenses, and have not been shy about speaking about them. If you’re interested in the only training course that’s ahead of that news, we’d be happy to hear from you.
Games Received
- Cyber Defense Dice, created by Steven Furnell and team and the University of Nottingham. “A Cyber Awareness Game of Attack and Defence for 2 Players or Teams. Easy to play and suitable for casual use or as an engaging activity for cyber security awareness-raising sessions.”

Shostack + Associates News
- Adam and team will be delivering Threat Modeling Intensive with Complete AI at Blackhat August 1-4.
- Adam will be presenting Threat Modeling LLMs: The PHANTOM-B model Wednesday, August 5 | 11:05am-11:45am ( Oceanside C ). He’ll reprise the talk at the AppSec Village during DEF CON.