What is the community that created this report? Threat Modeling Connect is an incredible global community that is powered by IriusRisk. It was formed in 2022 and has since seen monthly virtual talks from community members, in-person workshops, annual ThreatModCon experiences and other events, as well as a growing list of Local Chapters across the world.
Perhaps there are similar reports in existence that have been curated by selected vendors. This State of Threat Modeling (SOTM) Report is different. It is a 100% community-driven effort, thanks to two crucial community members, Dave Soldera and Grant Ongers. With insights from over 60 organizations, the report offers real-world perspectives that help practitioners reflect on, compare, and improve their own threat modeling practices. After all, we all have a vested interest in secure software, and threat modeling supports our ability to create secure-by-design products and services.
Download the report for the full insights, but here’s a quick look at what we learned:
1- Challenges - The average number of threat-modeling-related challenges a company faces is 10. It's clear we need a community to help support each other.
2- Producing 10-100 threat models a year? That puts you in line with the majority of your peers, regardless of company size, industry, or region.
3- STRIDE is still the most common approach to threat modeling with an 88% response rate. But most companies blend it with elements from 3+ other methods.
4- 52% of survey respondents said that they have no regular reporting to management, and only 25% have a threat model dashboard of any kind.
The project is currently looking for contributors! Reach out to Grant Ongers and Dave Soldera if you’re interested in contributing to the development of the next edition.
Not yet a part of Threat Modeling Connect? No problem! Join the 6,000 members that we have to date, a mixture of seasoned practitioners and those with less than 1 year of experience in threat modeling. Everyone is welcome. TMC community members help world-class organizations secure their products through threat modeling.