ITSPmagazine

The Problem With Threat Modeling in Application Security: Too Slow, Too Theoretical, Not Agile | AppSec Contradictions: 7 Truths We Keep Ignoring — Episode 2 | A Musing On the Future of Cybersecurity with Sean Martin and TAPE9 | Read by TAPE9

Episode Summary

Threat modeling is praised as the cornerstone of secure software design, yet only one-third of organizations have a documented process and fewer than four in ten use it systematically at scale. Sean Martin unpacks why adoption is so low—and why evolving processes, not just models, is the key to making it work.

Episode Notes

Threat modeling is often called the foundation of secure software design—anticipating attackers, uncovering flaws, and embedding resilience before a single line of code is written. But does it really work in practice?

In this episode of AppSec Contradictions, Sean Martin explores why threat modeling so often fails to deliver:

Drawing on insights from SANS, Forrester, and Gartner, Sean breaks down the gap between theory and reality—and why evolving our processes, not just our models, is the only path forward.

👉 What’s your take? Share your experience with threat modeling in application security in the comments below. Is your organization able to integrate threat modeling into everyday work, or does it remain a one-off exercise? What changes to process or culture would make it valuable and visible across teams?

📖 Read the full companion article in the Future of Cybersecurity newsletter for deeper insights: https://www.linkedin.com/pulse/problem-threat-modeling-application-security-too-slow-martin-cissp-8n5ye/

🔔 Subscribe to stay updated on the full AppSec Contradictions video series and more perspectives on the future of cybersecurity: https://www.youtube.com/playlist?list=PLnYu0psdcllRWnImF5iRnO_10eLnPFWi_

________

This story represents the results of an interactive collaboration between Human Cognition and Artificial Intelligence.

Enjoy, think, share with others, and subscribe to "The Future of Cybersecurity" newsletter on LinkedIn: https://itspm.ag/future-of-cybersecurity

Sincerely, Sean Martin and TAPE9

________

Sean Martin is a life-long musician and the host of the Music Evolves Podcast; a career technologist, cybersecurity professional, and host of the Redefining CyberSecurity Podcast; and is also the co-host of both the Random and Unscripted Podcast and On Location Event Coverage Podcast. These shows are all part of ITSPmagazine—which he co-founded with his good friend Marco Ciappelli, to explore and discuss topics at The Intersection of Technology, Cybersecurity, and Society.™️

Want to connect with Sean and Marco On Location at an event or conference near you? See where they will be next: https://www.itspmagazine.com/on-location

To learn more about Sean, visit his personal website.

Episode Transcription

The Problem With Threat Modeling in Application Security: Too Slow, Too Theoretical, Not Agile | AppSec Contradictions: 7 Truths We Keep Ignoring — Episode 2 | A Musing On the Future of Cybersecurity with Sean Martin and TAPE9 | Read by TAPE9

[00:00:00] Welcome to AppSec Contradictions, a seven-part video series presented by Sean Martin. The goal: to explore the gaps between promise and reality in application security.

In part two, the focus is on threat modeling. It is often described as the foundation of secure software design. But does it really work in practice?

Threat modeling is supposed to be the map for secure design: anticipating attacker behaviors, identifying flaws early, and building resilience into applications before code is even written.

But here’s the problem: in many organizations, it never lives up to that promise. Instead, it’s treated as a theoretical exercise, performed once and then forgotten. It requires specialist expertise, it rarely scales, and it’s practically invisible [00:01:00] to business leaders who struggle to see its value.

Research comparing risk-first and risk-last approaches showed that teams that put risk first discovered twice as many high-priority threats.

Yet in the SANS 2025 CTI survey, only slightly more than one-third of organizations reported having a formal, documented threat modeling process.

And in four separate empirical studies, researchers found that not one agile team fully integrated threat modeling into their sprints, even when given tools and training.

Industry analysts reinforce this gap.

Forrester’s State of Application Security 2025 report found that fewer than four in ten organizations use systematic threat modeling at scale.

And Gartner’s Hype Cycle for Security Operations 2025 revealed that fewer than one in five enterprises have adopted AI-enabled threat modeling tools — and that broad [00:02:00] maturity is still five to ten years away.

[00:02:02] Both firms agree: adoption is low, and real impact is limited. And the consequences ripple across all stakeholders.

[00:02:10] For developers, threat modeling feels like a slowdown rather than support.

[00:02:15] For AppSec teams, it becomes a series of one-off workshops that never scale.

[00:02:20] And for business leaders, the return on investment is invisible, because the value is measured by what doesn’t happen.

[00:02:27] When threat modeling stays stuck in theory, everyone feels the impact.

[00:02:32] Sean’s take is this:

[00:02:34] First, he believes in formal risk management, and in-depth threat modeling should sit at its core.

[00:02:41] Second, it must be baked into everyday processes — which means teams need to examine and update the way they work.

[00:02:49] And third, the real gap isn’t the models themselves, but the failure to evolve our processes. That’s why threat modeling remains stuck in theory.

[00:02:59] [00:03:00] Threat modeling should be the foundation of secure design — but in most organizations, it’s still just a theory.

[00:03:07] Developers, AppSec professionals, business leaders — has your organization found a way to make threat modeling continuous and useful, or does it remain an afterthought? Share your stories so we can bridge the gap between promise and reality together.

[00:03:20] If this contradiction resonates, read the full companion article where Sean digs deeper into the research, the data, and the implications for each role.

[00:03:30] And to stay ahead on these conversations, subscribe to the Future of Cybersecurity Newsletter — where the rest of the AppSec Contradictions series will be shared along with more perspectives on the future of security and business.