Threat Modeling

What I've learned (so far) by threat modeling with teams across Europe

I've been running threat modeling workshops with teams across Europe for over 10 years. Sweden, Norway, Switzerland, Austria, Greece. The differences are real — some teams lean on individual expertise, others on collective knowledge. Group dynamics vary a lot depending on culture, seniority mix, and frankly how much the team trusts the security function.

But the goal is always the same: bring the team together, understand the risks they're facing, and figure out what they can actually do about it.

Different cultures, different dynamics — same pressure to deliver fast and secure. Here's what I've picked up along the way, condensed into practical points you can use in your next workshop.

Threat Modeling in the Age of AI — Time to Rethink the Process

Threat modeling isn't one-size-fits-all. Never was, never will be. The threat landscape for a SaaS application is fundamentally different from a Windows desktop app running locally on a machine — and both of those are worlds apart from something like an MCP server. Context matters, a lot. The tech stack matters. The use case matters. If you're not anchoring your threat modeling to those specifics, you're probably producing something so generic that it's not easily consumable by the product teams.