Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
A threat model is worthless if it doesn't change the code. Every identified threat must either get a concrete control (validation, rate limit, encryption, audit log) or get explicitly accepted with a written justification. The discipline of mapping threats → controls → tickets is what separates security theatre from real engineering.
Threat: 'attacker brute-forces login credentials'. Possible controls: rate limit per IP (cheap, partial), rate limit per account (better, harder), CAPTCHA after N failures (annoying, effective), WebAuthn for high-value accounts (slow rollout, gold standard). Decision: ship the first two now, plan the next two.
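The demo decision carried into code, as an added example that is not part of the lesson: the two shipped controls (per-IP and per-account rate limits) for the brute-force threat, plus a small threat register check that flags any entry with neither a control nor a justified acceptance. The thresholds, names and register entries are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Assumed thresholds for the two controls the demo ships now.
IP_LIMIT, ACCOUNT_LIMIT, WINDOW_S = 20, 5, 60

class LoginRateLimiter:
    """Sliding-window failed-login counters keyed by source IP and by account."""
    def __init__(self):
        self.by_ip, self.by_account = defaultdict(deque), defaultdict(deque)

    def _count(self, q, now):
        while q and q[0] <= now - WINDOW_S:  # drop failures outside the window
            q.popleft()
        return len(q)

    def allow(self, ip, account, now):
        """An attempt proceeds only while both the IP and the account are under limit."""
        return (self._count(self.by_ip[ip], now) < IP_LIMIT
                and self._count(self.by_account[account], now) < ACCOUNT_LIMIT)

    def record_failure(self, ip, account, now):
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)

def simulate_failed_logins(attempts):
    """Replay constructed (timestamp, ip, account) failures; return (allowed, blocked)."""
    rl, allowed, blocked = LoginRateLimiter(), 0, 0
    for now, ip, account in attempts:
        if rl.allow(ip, account, now):
            allowed += 1
            rl.record_failure(ip, account, now)
        else:
            blocked += 1  # control fired: attempt never reaches the password check
    return allowed, blocked

def unmapped_threats(register):
    """Lesson rule: every threat has a control or a justified acceptance; return ids of the rest."""
    return [t["id"] for t in register
            if not t.get("controls")
            and not (t.get("accepted") and t.get("justification"))]

# Constructed register: T1 is the demo threat with its two shipped controls,
# T2 an explicit acceptance, T3 a threat nobody has mapped yet.
THREAT_REGISTER = [
    {"id": "T1", "threat": "attacker brute-forces login credentials",
     "controls": ["rate limit per IP", "rate limit per account"]},
    {"id": "T2", "threat": "offline cracking of an exported backup", "accepted": True,
     "justification": "constructed: backups encrypted at rest, owner signed off"},
    {"id": "T3", "threat": "session token replay", "controls": []},
]
```

The per-account limit is what stops an attack spread across many source addresses, which is why the demo calls it the better of the two; the register check is the part that turns the written discipline into something a build can fail on.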
Use these three in order. Each builds on the one before.
In one paragraph, explain why mapping threats to controls is the load-bearing step.
Walk me through translating a threat model into a backlog of security tickets.
Some threats can't be controlled, only accepted. Walk me through the discipline of explicit risk acceptance.