Shostack + Friends Blog


October Adam's New Thing!

Read up on Adam's New Thing from October.

Adam's New Thing!

Adam's New Thing is a mailing list announcing new thought leadership and training content. If you're not already subscribed, make sure to sign up from our contact page!

It’s spooky season… the time when shadows grow longer, mysteries deepen, and your LLM may start to whisper secrets. 👻

In the glow of the AI revolution, the world is ever changing. Staying curious and informed is the best way to protect yourself and your organization from the threats that go bump in the network.

Before the Halloween festivities begin, we wanted to let you know that our prices will be increasing around the end. We’ve held the line since 2021, but our prices are changing with the new times. You can lock in the current prices, even for next year, by booking now.


😁 It’s Raining Legos!

But first, let’s start with one of our success stories.

At Shostack + Associates, you’ve probably seen that we’re big on gamifying education (check out our full list of games here 😉). So, we were stoked when we saw Carmen L.’s LinkedIn post from Threat Modeling Connect.

In the Lego Serious Play workshop, learners were using our training materials, Elevation of Privilege card deck, AND Legos to learn about STRIDE and threat modeling principles. Damn it, why haven’t we thought of this yet?? This was a super cool sight that brought together community, security, and play in one space.

Let us know if you want to try this out (with our help or without)!


🎃 OWASP in Washington, D.C.: Threat Modeling Intensive With AI!

Last call, Trick or Treaters!

Our popular Threat Modeling Intensive course is where you'll master the Four Question Framework. And you got a treat: this version has been revamped with AI. After honing your threat modeling skills, you'll learn how to safely harness AI to move faster, scale smarter, and understand the hallucinations that come with LLMs.

Every organization wants to deploy AI everywhere, but without proper threat modeling, a “friendly” chatbot could be full of vulnerabilities. Learn how to evaluate AI hallucinations and design responsibly while considering cost, convenience, and customization.

There’s so much to learn that this is our first-ever three-day course!

We’re going to deliver the course, obsess over the feedback and then add it to our course catalog and teach more people to threat model using LLMs. If you’d like a version of this Threat Modeling Intensive with AI for your organization, let’s talk!


🔨 USENIX Enigma: “Risk is not a hammer”

Too often, organizations treat risk analysis like a universal tool, as if it were a “hammer” that can solve every cybersecurity problem.

But what if that hammer sometimes breaks things?

Adam's talk at USENIX ’25, “Risk is Not a Hammer, and Most Hazards Aren’t Nails,” explored why risk quantification alone can’t always guide effective decision-making.

These insights aren’t coming from the grave (had enough Halloween puns yet?). After consulting with businesses and coaching for decades, Adam has seen how businesses often rely on “risk” (and quantifying risk) as a foundation for their security programs. But by assuming “risk” is the start, we don’t always see the limitations.

If you’ve taken one of Adam's courses, you’ve heard him say, “All models are wrong, but some are useful.” Understanding the limits of risk analysis helps us find the models that are actually helping us.

Check out the full talk and slides on Adam's blog: shostack.org/blog/risk-is-not-a-hammer-usenix-enigma/


🛠️ OWASP Keynote, “Stop Measuring Risk”

And if the USENIX talk spoke to you, Adam will be delivering the keynote “Stop Measuring Risk” at OWASP’s Global AppSec.

In Adam's trainings, he almost always gets questions about how to quantify risk. Learners have come with books, articles, and more, sharing different models of how to quantify risk.

But why?

The answer is that folks are looking for ways to prioritize the threats they uncover from threat modeling. But Adam's keynote at OWASP Global AppSec will explore why focusing on quantification may obfuscate the purpose of threat modeling in the first place.

If you’ll be attending OWASP Global AppSec, feel free to stop by and ask questions. See you there!


❄️ MxD in Chicago: Threat Modeling Intensive

If you’re looking forward to the winter, our next in-person Threat Modeling Intensive will be held in Chicago, Illinois in partnership with MxD!

MxD (Manufacturing x Design) advances economic prosperity and national security by strengthening U.S. manufacturing competitiveness. We’re excited to partner with MxD to provide hands-on experience to threat modeling, specifically for the manufacturing sector.

Like all of our Threat Modeling Intensives, you’ll learn about the Four Question Framework, STRIDE fundamentals, and mitigation strategies, and complete an end-to-end exercise. Learners will leave with a robust understanding of threat modeling and the confidence to implement it at work.

We encourage small and medium manufacturers and seasoned technical professionals in either development or engineering to bring their teams. By learning as a team, you will align on consistent practices and language to produce secure-by-design deliverables.

If you’re not an MxD member, check out their membership page or reach out to Danielle Lewis (danielle.lewis@mxdusa.org) with questions.

  • December 2-3, 2025
  • Chicago, Illinois
  • MxD

This Month’s Blog Posts:


What’s new in your threat modeling world — and how can we help?

This month’s stories — from Lego-powered workshops to AI-focused intensives — highlight how threat modeling continues to evolve beyond checklists and risk scores. As the boundaries between software, AI, and human decision-making blur, understanding why models work (and when they don’t) is becoming a strategic advantage.

Whether you’re leveling up your team’s skills, rethinking your approach to risk, or just looking for ways to make threat modeling more engaging, Shostack + Associates is ready to help you build smarter, safer systems.

Our latest trainings and talks are designed to help your teams apply structured thinking, challenge assumptions about risk quantification, and design securely in an AI-driven world.

Even if you're not looking for help, we're always curious: What do you see happening in the world of threat modeling and secure by design? Let us know!

Subscribe to Adam's New Thing for your next round of updates, stories, and trainings!