Most security assessments end with a report. The report describes what was found, ranks the findings by severity, and recommends remediation steps. It is comprehensive, well-intentioned, and — in a significant number of cases — sits unread on a shared drive. The problem is not the content. It is the format. A report is passive. It asks the team to receive information and act on it independently. A workshop is active — the team builds the understanding together, which changes how they relate to the findings.
(Taking this to the next level are workshops augmented by platforms. More on that later in this article...)
Why security reports do not stick
A security report is, at its best, a comprehensive record of findings delivered to someone who then has to act on it. The challenge is the gap between "finding recorded" and "finding fixed." That gap is where most security remediation effort is lost. Teams receive a list of issues they did not help identify, written in language they do not work in, with no clear guidance on priority beyond, if you're lucky, a severity score, though without ever defining "severity".
What a workshop creates that a report cannot
The people building your systems understand them better than any external assessor. A workshop starts from that knowledge. The engineering team explains how the system works; the security practitioner works through what that means from a threat perspective. Both sides learn. The output — a shared threat model — reflects both the technical depth of the team and the security expertise of the assessor. It is more accurate, more specific, and more actionable than either party could produce alone.
What good workshops look like

The process we use runs over four structured stages. It starts with business context. What does this system do, what happens if it fails, what is the realistic impact on the business? That framing shapes everything that follows.
The architecture stage maps how the system actually works, often revealing details that the security team did not know and the engineering team had not thought about from a security perspective.
The threat assessment works through what could go wrong, using that shared understanding as its foundation. This includes delving into likely attack paths and means of entry for an attacker. We often use frameworks like STRIDE for this, and security teams will often invoke MITRE ATT&CK as well to inform vectors, though care must be taken with security frameworks like ATT&CK here not to crowd out the model with vectors that the framework suggests but that aren't actually relevant to the model. Experienced threat modellers will also be keen to look for non-technical attack vectors, such as social engineering attacks, stolen devices and the like, which align well to real-world attacks.
The controls prioritisation stage connects findings to business impact and produces a clear, prioritised roadmap. This prioritisation is key to making the process workable: only controls that actually address important risks and that are reasonable to implement in terms of cost are actually planned in for implementation. Depending on your context you may have the engineering team implement controls directly, or pass this off to a security engineering team or third party.
The downstream effects of shared understanding
The most significant downstream effect of a well-run threat modeling workshop is what happens months later. Engineering teams make different decisions — better security decisions — because they have a shared threat model in mind. They know which parts of the system carry the most risk. They know which controls are non-negotiable and which are optional. They can have a design conversation about a new feature that includes security thinking without pausing to escalate to a security expert.
What good looks like: comparing approaches
Automated scanning finds what it is trained to find. Traditional consultancy reports record what a skilled assessor found. A collaborative threat modeling workshop produces something different: a shared understanding, built by the people who own the system, of what could go wrong and why it matters. That shared understanding is what drives lasting change — not the findings themselves, but the people who understand them deeply enough to act on them.
The format of a security engagement matters as much as the quality of the findings. A report delivers information; a workshop builds understanding. For engineering teams responsible for complex, bespoke systems, that understanding is what actually changes how they build — and what changes how secure those systems become over time.
Workshops become even more powerful when they are backed by a purpose-built platform. Ours captures threat model data in a structured way, generates reports tailored to different audiences — including business leaders and other stakeholders who need the picture without the technical detail — and integrates with the tools your teams already use. It also makes it straightforward to share models across teams and keep them up to date as systems evolve, which is where most standalone workshop outputs eventually fall short.
If you want to run better threat modeling workshops, our threat modelling service gives you experienced facilitators who know how to get the most from your engineering teams. And if you want to go further, our platform gives those workshops lasting structure, making it easy to track, share and act on what you find.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
Full bio →