AI-Assisted Threat Modelling: Where It Helps, Where It Lies

You can paste a system description into an LLM and get back a STRIDE analysis in 30 seconds. A full threat list, categorised by type, with suggested mitigations. It looks thorough. It might even be thorough. That’s the problem.

What LLMs Are Actually Good At

Start with the honest case for using AI in threat modelling, because it’s real. Breadth coverage. A well-trained LLM has processed thousands of architecture descriptions, CVEs, and security design documents. It won’t forget to check for SSRF. It won’t skip repudiation because the session ran long. It has no blind spots born from familiarity with the system. For the common, well-documented threat categories, it’s genuinely reliable. ...

May 9, 2026 · 5 min · hicke

Threat Modelling: Think Like an Attacker Before They Do

Most security work is reactive. Something breaks, you fix it. Threat modelling is the opposite: you sit down before anything breaks and ask what could go wrong? Then you build defences before the attacker shows up. It sounds obvious. Most teams still skip it.

What Threat Modelling Is

Threat modelling is a structured process for identifying what you’re protecting, who might attack it, how they’d do it, and what you’re going to do about it. OWASP distils it into four questions: ...

May 5, 2026 · 6 min · hicke