For the last 20 years, assessment of the security of proposed systems has been a standard. Indeed, NIST-14 (1996) states, "Security requirements should be developed at the same time system planners define the requirements of the system.” Yet, threat modeling remains something of a “black art”, understood solely by the innercognoscenti, “security architects”. Indeed, at most companies, threat models are regarded as highly classified, need-to-know materials. This secretive approach hasn’t served the industry, nor the 10’s of thousands of “systems” that get developed each year. Join author and Distinguished Engineer, Brook Schoenfield, for a participatory session unlocking the shrouded mysteries of threat modeling, revealing the inner secrets, initiating participants into the society of practitioners. We will grapple with thorny issues like assessing risk, decomposition of the architecture, and appropriate architectural views.