Shostack + Friends Blog

Recent Blog Posts

UW Cyberday: Threat Modeling in the Age of AI

Slides for today's talk (29 May 2026)

 

Focus on high priority threats(?)

It’s easy to think prioritization is an easy problem, but it’s one deserving careful consideration. (28 May 2026)

 

Vulnerability Finding: Two Inflection Points

Understanding the numbers from Anthropic and the system that surrounds Glasswing gives us new possibilities for effective defense. (26 May 2026)

 

Remembering Peter Neumann

Peter Neumann helped define the field, and my career. He'll be missed terribly. (23 May 2026)

 

PHANTOM-B goes to Black Hat

A busy Black Hat: A new talk, a new practical tool, and a deadline you should know about (21 May 2026)

 

HIPAA Updates and Threat Models

HIPAA reform seems to lead to published threat models, and that’s going to be a hard change. (19 May 2026)

 

Claude Opus 4.7 and Threat Modeling

LLMs are great at providing credible answers to questions. And those answers are worth looking at closely. (14 May 2026)

 

Black Hat training earlybird pricing ends soon

All about the upcoming Threat Modeling Intensive with Complete AI at Black Hat and why you should be the early bird (12 May 2026)

 

Appsec roundup - April 2026

The importance of slow time in work is a theme for April, along with how Claude optimized away its own security rules. Also fun games collected at RSA! (06 May 2026)

 

Clever Clippings Star Wars Art

Showcasing some Star Wars art to celebrate Revenge of the Fifth (05 May 2026)

 

May the Fourth Be With You!

Celebrating Star Wars Day with a look at what Darth Maul’s training can teach you. (04 May 2026)

 

LLM Threat Modeling Is Fun

Exploring the fun in LLM threat modeling, and how it’s both an interface choice and a possibly ‘dark pattern’ (27 Apr 2026)

 

Lessons from Threat Modeling Intensive With AI

Actionable lessons from delivering Threat Modeling with AI, and using AI more generally. (23 Apr 2026)

 

Measuring the ROI of threat modeling: moving from activity to impact

Shostack + Associates COO Kymberlee Price shares her experience measuring the impact of secure design engineering practices on security outcomes (17 Apr 2026)

 

Adam reflects on BSides SF and RSAC

Adam finally caught his breath and sat down to reflect on BSides SF and RSAC 2026. (14 Apr 2026)