Your Threat Model Is Lying to You: Why Modeling the Design Isn't Enough in 2026

Farshad Abasi

BSidesSF 2026 · Day 1 · AMC Theatre 10

In his compelling BSides SF talk, "Your Threat Model Is Lying to You: Why Modeling the Design Isn't Enough in 2026," Farshad Abasi challenges the prevailing wisdom in application security. Abasi, a veteran in the field, argues that traditional threat modeling, which predominantly focuses on design-time artifacts like architecture diagrams and data flow diagrams, has become fundamentally insufficient for securing modern software systems. The core premise is that **design intent often diverges significantly from production reality**, creating critical security blind spots that attackers readily exploit.

AI review

Abasi correctly identifies a real practice gap — the missing feedback loop between scan outputs and threat model maintenance — and wraps it in a clean six-step workflow that practitioners can actually use. The core argument is sound and the supporting data points (XM Cyber's 80% misconfiguration stat, the Firefly infrastructure codification numbers) are well-chosen. But this is a BSides talk in the AppSec practitioner lane, and judged there: the insight isn't novel enough to rank above solid.
