Threat modeling is about identifying what bad things can happen and what you can do about them. It can find logical flaws and reveal problems in architecture or software development practices. These vulnerabilities usually cannot be found by security tools or by penetration testers. Tools don’t solve all our problems yet: we also need the human brain. This is where threat modeling comes into play.

Threat modeling helps you deliver better software, prioritize your preventive security measures, and focus your security testing on the riskiest parts of the system. The beauty of threat modeling is that you can assess security before you start the implementation work. Threat modeling shifts security left.

The presentation covers various methods, such as evil user stories, for finding security and privacy threats. You will learn how to analyze your epics and user stories to continuously build a threat model that helps you identify what kind of security problems your system can face and what kind of protection you should design. The session also includes an interactive part where we’ll go through a threat modeling case example. Everyone can participate and find security threats in the system, share their ideas of possible attack scenarios, and suggest mitigations.