OWASP Global AppSec EU 2026 Recap (Next up, BlackHat!)
Reflecting on the S+A team's adventures in Vienna and excitement for BlackHat 2026
The S+A team had a blast in Vienna at OWASP Global AppSec EU 2026 leading Adam Shostack's Threat Modeling Intensive. This was a 2-day intensive filled with discussions about the Four Question Framework, data flow diagrams, STRIDE threats, kill chains, and more. In only 48 hours, learners left the classroom with new understandings about diagramming systems, communicating risk, and translating vulnerability to action through breakout discussions, live exercises, and more.
Like Michael Novack (AI Security & Safety Engineer at Cranium and an instructor in our new Threat Modeling AI Systems) shared in his post on why interactive learning sticks in cybersecurity, our 2-day Intensive uniquely positions attendees to learn through experiences rather than passive learning. This practice of active recall and interaction ensures that attendees actually know how to apply a classroom concept to a real-life scenario.
In this iteration of the Intensive, learners were especially curious about the ways in which AI and LLMs are changing the threat modeling landscape. How do we respond to ever-evolving threat actors who are utilizing AI in their attack patterns daily? What does "thinking like an attacker" even mean anymore?
While we can't cover all possible topics in the 2-day intensive, the S+A team invites you to attend our new 4-day Threat Modeling Intensive with Complete AI course at BlackHat 2026. This interactive class introduces participants to modern threat modeling, the Four Question Framework, and asking what can go wrong? By day 2, participants will then be introduced to LLMs with a focus on understanding how they are created, operated, and where they can go wrong in ways that deterministic software doesn't. At the end of day 2, we shift to LLM-specific skills and approaches. By the end of the course, attendees learn how to threat model using LLMs and unpack specific threats to AI applications.
Join us at Black Hat USA 2026
Adam and the team will be at Black Hat USA in Las Vegas, August 1-6. The Threat Modeling Intensive with Complete AI course runs August 1-4, alongside the briefing Threat Modeling LLMs: The Phantom-B Model.
Regular pricing ends July 17.
Register Now