BSides Limburg

Threat modeling in practice
2026-03-13, Breakout

Threat modeling: all development teams should be doing it, but what's really happening in practice?


For a recent scientific study in collaboration with the NCSC in the Netherlands, we performed interviews at several large Dutch organizations in critical sectors to learn how they look at threat modeling, how they approach it, and what their experiences are.

In this talk, we'll explain what we discovered and discuss the do's and don'ts related to threat modeling in practice.

Koen Yskout is an associate professor in computer science at KU Leuven, campus Diepenbeek (Hasselt). He teaches courses on software engineering and security to bachelor and master students in Engineering Technology ("industrieel ingenieur" in Dutch). His research interests center around engineering secure and resilient software systems, with particular attention to (automated) threat modeling, capturing and applying reusable knowledge, and the human aspects of developing secure systems.

Stef is a researcher and PhD student in the DistriNet research group of KU Leuven (Belgium). His main research interests concern automated threat modeling, with a focus on producing more relevant and actionable results. This includes, among others, developing and evaluating tool support and analysis techniques to automatically reveal cause-effect relationships between security threats, and leveraging this information to allow automated attack scenario generation and traceable risk estimation with respect to business goals.