Blog

Thoughts and updates

On threat modeling, security architecture, and building ThreatKrew.

7 min read

Garbage In, Garbage Out: Why Documentation Quality Makes or Breaks Your Threat Model

Architecture documentation quality directly impacts threat model accuracy. Learn why GIGO applies to security and how to improve inputs for better threat modeling.

threat-modeling security ai product architecture
Dave Barton

Co-founder

8 min read

Threat Modelling is a Conversation, Not a Checklist

Why iterative threat modeling produces dramatically better results than one-shot analysis. We show real before-and-after examples of how targeted clarification questions transform vague assumptions into precise, actionable security findings.

threat-modeling security methodology product
Dave Barton

Co-founder

12 min read

AWS Least Privilege in Practice: SCPs, RCPs, and Zero Standing Credentials

How we built AWS infrastructure from scratch with least privilege IAM policies, Service Control Policies (SCPs), Resource Control Policies, OIDC federation, and organization-wide security guardrails — with code examples.

engineering security aws infrastructure lessons-learned
Dave Barton

Co-founder

9 min read

NIST CSF Maturity Tiers: A Practical Security Guide

What are the four NIST CSF maturity tiers? A plain-language guide to security maturity levels, what each tier means in practice, and how threat modelling helps you climb the curve.

nist security threat-modeling compliance maturity
Dave Barton

Co-founder

11 min read

Threat Modeling for Compliance: SOC 2, ISO 27001, PCI DSS

Every major compliance framework requires threat analysis. Here's what SOC 2, ISO 27001, PCI DSS, NIST CSF, HIPAA, and others actually require — and how to be ready.

compliance threat-modeling security audit nist iso-27001 soc-2
Dave Barton

Co-founder

10 min read

STRIDE vs PASTA vs Attack Trees: Threat Modeling Compared

Compare threat modeling methodologies: STRIDE, PASTA, and Attack Trees. Understand their strengths and limitations, and how to choose the right framework for your architecture.

threat-modeling methodology stride security architecture
Dave Barton

Co-founder

8 min read

Why It's Never Too Early for Security

Building a strong security foundation early isn't a burden — it's a strategic accelerator that helps startup teams ship faster and scale with confidence.

security startups technical-debt architecture
Dave Barton

Co-founder

7 min read

Why Threat Modeling Matters

Learn what threat modeling is, why STRIDE analysis finds risks other tools miss, and why security architecture assessment is critical before deployment.

threat-modeling security architecture
Dave Barton

Co-founder

9 min read

What We Learned Building Reliable AI for Security Analysis

Lessons from building a production AI system for threat modeling: why specialization matters, how to verify AI output, and principles for reliable security analysis at scale.

engineering ai lessons-learned security
Dave Barton

Co-founder

5 min read

Why We Built Automated Threat Modeling

How years of manual threat modeling led us to build ThreatKrew's automated threat modeling platform. Making professional security analysis accessible to every team.

founders mission security
Dave Barton

Co-founder