Adam Shostack
@adamshostack.bsky.social
Threat modeling. BH Review Board. Affiliate Professor, UW. Fixed autorun. Helped create CVE.
Not sure why we're building graphs on yet another (effectively) centralized system. https://infosec.exchange/@adamshostack
Scaling threat modeling isn't about perfect methodology—it's about everyone on your team being able to answer four fundamental questions.
Don't let complexity prevent you from starting. Begin with these questions and improve iteratively.
Full discussion: creators.spotify.com/pod/profile/...
September 29, 2025 at 6:14 PM
Loving @kendraserra.bsky.social talking history in #usesec25
August 13, 2025 at 11:13 PM
Hot take: Threat modeling ≠ risk management
Threat = possible problem
Risk = quantified threat
Threat modeling finds issues → we engineer them away (TLS, MFA, etc.)
Risk management = when threats can't be easily fixed
Most execs care more about customer impact than CVSS scores 🤷♂️
Full: is.gd/5QEfVJ
July 21, 2025 at 4:13 PM
If you’re heading to BlackHat USA in early August, my Intensive has seats left! It’s the best threat modeling training available. A student in a recent class said, “this was my first course with Adam and he is among the best instructors I've ever had.” www.blackhat.com/us-25/traini...
July 17, 2025 at 8:21 PM
I thought I'd ask Grok about the America Party
x.com/i/grok/share...
July 6, 2025 at 4:11 PM
What's the party's position on immigration? Clean energy? Tax policy? "The middle" doesn't tell you.
"The Middle" isn't a philosophy of government, a set of ideals, or a guide to how your folks might vote.
The problem is that people have very different ideas about what government should do or not.
July 6, 2025 at 4:04 PM
🧩 June Appsec roundup:
🇺🇸 Exec Orders gutted—goodbye SBOMs, hello vibes-based security
🧠 Meta swaps humans for AI to judge privacy "risk"
⚙️ LLMs threat model better than us… or maybe I'm hallucinating
🚗 VW execs jailed
🍎 Apple says: maybe sandbox that sketchy code
#AppSec #Cybersecurity
July 1, 2025 at 4:50 PM
SBOMs didn’t end civilization.
Publishing your threat model won’t either. Unless your threat model is “Don’t publish threat models,”
in which case... awkward.
Let’s normalize sharing.
Security ≠ secrecy.
is.gd/bEVWB0
#ThreatModeling #CyberSecurity
June 16, 2025 at 5:14 PM
I don't want to criticize Ottolenghi, but I feel they may need to spend a bit more time in Texas, maybe get a better feel for the local style.
June 8, 2025 at 5:14 PM
Please help spread the word about our free threat modeling training for impacted Federal workers (week of July 7).
This is a live-instruction version of our most popular training, Threat Modeling Intensive.
www.linkedin.com/feed/update/...
May 30, 2025 at 7:48 AM
Well I guess I can either play this for everyone in the restaurant or miss it, because Bluesky has some weird ideas about “reading later” tools. 🤷
May 24, 2025 at 12:44 PM
The @ericlipton.nytimes.com quote is even better in context, because literally, Trump has promised his buyers a White House tour, an official action by the US Government, as part of a direct benefit to a private transaction. The explicit quid pro quo is in the thread.
May 12, 2025 at 4:10 PM
BlueSky requires me to "select" interests, not define them.
Tell me again why talking about decentralization without doing it is a good idea?
May 10, 2025 at 3:58 PM
Just dropping this to troll @chup.blakereid.org
www.washingtonpost.com/food/2025/05...
The current front page shows
May 1, 2025 at 11:05 PM
There’s an inordinate amount of confusion around #threat modeling and #AI. I want to share some of the models I’m using to simplify and focus conversations into productive analysis. Like everything touched by LLMs, they're rapidly changing...
shostack.org/blog/strateg...
March 7, 2025 at 4:14 PM
March 6, in the final session of this @rsaconference.bsky.social webinar, Kyle Wallace
and I will be talking about Threat Modeling with ATT&CK
www.rsaconference.com/library/virt... Lots of other great folks talking about building resilient systems, too.
March 4, 2025 at 7:27 PM
Post your Favourite #DoctorWho, wrong answers only
January 13, 2025 at 8:15 PM
"You’ve been kidnapped. The characters from the last TV show you watched are trying to rescue you. Who is coming to save you?"
Good news: I get rescued. Bad news: (a) No one believes me and (b) they have to go back to the delta quadrant, unable to stay near 21st century Earth, again.
January 4, 2025 at 7:37 PM
Is it my imagination or does MS Office waste disk for the same fonts in each app? In /Applications/
ls -l *.app/Contents/Resources/DFonts/yuminl.ttf
(Also, FFS, I can upload an image of the output, but the output is too many characters...)
January 1, 2025 at 10:13 PM
Is it my imagination or does MS Office waste disk for the same fonts in each app? In /Applications/
ls -l *.app/Contents/Resources/DFonts/yuminl.ttf
(Also, FFS, I can upload an image of the output, but the output is too many characters...)
January 1, 2025 at 10:11 PM