Threat modelling in small loops
We run lightweight STRIDE-style sessions per feature area, not monolithic audits. The output is a short list of mitigations tied to tickets — encryption boundaries, authZ checks, logging — owned by the same squad shipping the code.
- One session per bounded feature slice, with notes that live next to the spec.
- Mitigations written as acceptance criteria, not vague “harden later” tasks.
- Revisit when the data model or trust boundaries change.
The goal is not a thick report — it is fewer surprises on launch day.