70+ threat models delivered across the cloud estate
3x faster security assurance for development teams
50% overhead eliminated across development teams
About the customer
This is one of the UK's major high street banks, undertaking a significant multi-year programme to modernise its technology infrastructure. The programme involved migrating legacy services and building new cloud capabilities across more than 250 AWS accounts, with dozens of DevOps teams working simultaneously on shared platform components — encryption services, vulnerability management, data storage, analytics — that would underpin the bank's digital products for years to come. Internal customers, including the C-suite, were watching closely.
The situation
The programme set out to gold-plate security from the start. Instead, security became a bottleneck that blocked every other engineering team.
New services were being blocked days before they were due to go live, with urgent security demands that appeared out of nowhere. Engineers were frustrated by last-minute requirements that had been entirely foreseeable but somehow went unaddressed until the final moment. Product owners were missing deadlines. Internal customers were losing faith in the promise of fast, agile cloud delivery.
The turning point
We started with a full audit of the AWS environment. With around 60 accounts at that stage, it was a substantial exercise, and we had it done within a week.
It gave both us and the bank a clear high-level view of infrastructure and maturity. That laid the groundwork for what came next: threat modelling.
The first threat model covered a single critical workload. That session did something that months of audits hadn't managed: it got engineers, product owners, risk managers and security leads in the same room, talking about the same thing, agreeing on what actually mattered. The output gave everyone the clarity they needed to make fast, confident decisions. It also revealed something that would prove important across the whole programme — around half the security work those teams were doing was addressing things that weren't real risks at all.
The Threatplane threat model has given us a totally new level of insight into the security of our infrastructure and how it affects our business, something that thousands spent on other consultants never gave us.
Head of Cloud Security, Major UK Banking Institution
Scaling the programme
That first model worked well enough that they asked us to keep going. We ran one threat model a week at peak velocity, covering the full range of workloads being built across the platform — shared infrastructure, business-critical services, compliance-sensitive systems. Over the following years we delivered more than 70 threat models across the bank's cloud estate. Each one reduced duplication, redirected effort toward genuine risks, and gave the teams involved a shared understanding of where the real boundaries were.
Threat modelling quickly became the security exercise product owners valued most, both because bringing it forward mitigated delivery risk and because of our ruthless focus on what mattered from a risk perspective.
The result
The models went on to be the clearest documentation across the programme, regularly used in decision-making by product and security leaders owing to their blend of simplicity, clarity and focus.
We have used Threatplane for threat modelling over many years and they have been so, so fast and helpful in getting new applications through our governance.
Product Owner, Major UK Banking Institution
Before Threatplane, most development teams were buried in security overhead: meetings, questionnaires, extra tickets, and back-and-forth that had little bearing on actual risk. Across the programme, around half of that overhead was eliminated. The time saved went in two directions — addressing the genuine risks that threat models surfaced, and getting back to building features that mattered to the business.
Teams that had been stuck second-guessing themselves now had a clear picture of where the real risks were and where the red lines sat. Security stopped being the thing that slowed everything down and became the thing that gave teams permission to move faster.
