Brett Crawley May 26, 2026 Post Quantum Cryptography

Get PQC Ready PDQ - Part 2

The Plan, the Order, and the Bill In Part 1 I argued that the quantum threat is closer than most engineering organisations are acting on, that AI-assisted cryptanalysis tightens the window further, that Mosca’s inequality already says you should have started, and that every major Western regulator has converged on…

PQC Part 2: The Plan, the Order, and the Bill

Brett Crawley May 13, 2026 Cryptography

Get PQC Ready PDQ - Part 1

Brett Crawley April 28, 2026 AI Security

Threat Modeling AI Systems: A Complete Playbook for Practitioners

Brett Crawley March 31, 2026 Dependency Pruning

Dependency Pruning and Tree Shaking

Brett Crawley March 22, 2026 Supply Chain Security

Threat Modeling Your Dependencies - Part 2

Recently Published

Sparse or Dense? Claude Mythos, Dan Geer, and Where We Should Actually Be Spending Our Effort

Last week, Anthropic announced Claude Mythos Preview and...

Software Engineering Has Regressed 50+ Years Since AI

Bear with me on this train of thought....

Threat Modeling Your Dependencies - Part 1

How One Bad Library Can Poison Your Entire...

Your SBOM Data Has Been Gathering Dust - Until Now

I’ve been talking about graphs for dependency analysis...

Why SAST is Broken!

Why SAST is broken, and how it could...

Cursor as your Secure Dev Team

Cursor as your Secure Dev Team What I...

Kicking Off Security Maturity

Building an AppSec Program: A Collaborative Approach Are...

Is Your AI Philosophy Broken?

AI-Generated Code: Productivity Gains, Security Pains, and the...

Ideas and Opinions from the Trenches

There are lots of ways we can optimise what we do, through a data driven approach, but we need to be careful and use critical and creative thinking.

What! Think before coding? WHY?

Why are so many people just diving, straight into the code? A minimum of requirements and design? Perhaps a threat Model?

Software Engineering Security Culture

We need to fix the culture, from top to bottom in the software engineering industry. Here are just some of the issues as I see them and what we should be doing about them.

Threat Modeling Gameplay with EoP

Coming soon to a bookshelf near you, Threat Modeling Gameplay with EoP: A reference manual for spotting threats in software architecture

Games with Purpose - Nov 2022

Some interesting security and creativity games plus a few more

Threat Modeling Remotely with Miro and EoP

Threat modeling with teams is a process that requires visuals, interaction between team members and discussion and so lends itself to everyone being in a room together. This has been quite hard the last two years. It also doesn’t look to be getting any easier, so we should probably get used to it. Here’s how I’ve been doing it with several teams.

Application Security is More than Just Pen Testing

So often organizations believe that Application Security stops at penetration testing and fixing vulnerabilities but it is more than that, penetration testing is the reactive side of things but you also need the proactive aspects of Application Security to reduce the flow.

CAPEC-STRIDE Mapping

Mapping between the Common Attack Pattern Enumeration and Classification (CAPEC) from Mitre and the S.T.R.I.D.E. Categories used in Threat Modeling.

See more articles

Recently Published

Browse all Topics