Adam Featured on the AppSec Weekly Podcast
Learn more about threat modeling and the Four Question Framework
Security professionals are often asked the question, "So, what's the chance of us getting hacked?" To which the response is usually head shakes and groans.
Adam seeks to redirect this conversation on the Application Security Weekly podcast. In this episode, Adam and host Joshua Marpet discuss why threat modeling is a more practical path than getting trapped in endless risk quantification. Filmed during the 2025 OWASP Global AppSec conference, this episode calls back to Adam's keynote on "Stop Trying to 'Manage Risk'" and provides strategies for how we should move forward.
Start with these high-level takeaways and listen to find your third lesson!
- Stop treating risk quantification like the answer. The push for precise numbers (e.g. "percent chance," "exact dollar impact") often consumes time and budget without improving real-world security decisions.
- Use threat modeling to drive prioritization. Threat modeling creates a shared language for what can go wrong. As a result, teams align across technical and business priorities and can implement cheap fixes earlier in the lifecycle.
Ready for a third? Check out the podcast episode here with the full list of amazing speakers!