🏋️ 𝗡𝗼𝗿𝘁𝗵𝗦𝗲𝗰 𝟮𝟬𝟮𝟲 𝗙𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻𝘀/𝗧𝗿𝗮𝗶𝗻𝗶𝗻𝗴𝘀 (𝟮/𝟭𝟮): "Beyond Whiteboard Hacking: Master AI-Enhanced Threat Modeling" 𝗽𝗮𝗿/𝗯𝘆 Steven Wierckx (Toreon)

📅 Dates: May 11 and 12, 2026 (2 days)
📊 Difficulty: Medium
🖥️ Mode: On-Site

Description: "𝘛𝘩𝘪𝘴 𝘵𝘳𝘢𝘪𝘯𝘪𝘯𝘨 𝘵𝘢𝘬𝘦𝘴 𝘺𝘰𝘶 𝘥𝘦𝘦𝘱 𝘪𝘯𝘵𝘰 𝘵𝘩𝘦 𝘱𝘳𝘢𝘤𝘵𝘪𝘤𝘢𝘭 𝘸𝘰𝘳𝘭𝘥 𝘰𝘧 𝘵𝘩𝘳𝘦𝘢𝘵 𝘮𝘰𝘥𝘦𝘭𝘪𝘯𝘨, 𝘤𝘰𝘮𝘣𝘪𝘯𝘪𝘯𝘨 𝘩𝘢𝘯𝘥𝘴-𝘰𝘯 𝘦𝘹𝘦𝘳𝘤𝘪𝘴𝘦𝘴 𝘢𝘯𝘥 𝘳𝘦𝘢𝘭-𝘸𝘰𝘳𝘭𝘥 𝘴𝘤𝘦𝘯𝘢𝘳𝘪𝘰𝘴. 𝘛𝘩𝘪𝘴 𝘩𝘢𝘯𝘥𝘴-𝘰𝘯 𝘵𝘩𝘳𝘦𝘢𝘵 𝘮𝘰𝘥𝘦𝘭𝘪𝘯𝘨 𝘵𝘳𝘢𝘪𝘯𝘪𝘯𝘨 𝘰𝘧𝘧𝘦𝘳𝘴 𝘢𝘯 𝘪𝘮𝘮𝘦𝘳𝘴𝘪𝘷𝘦 𝘦𝘹𝘱𝘦𝘳𝘪𝘦𝘯𝘤𝘦, 𝘨𝘳𝘰𝘶𝘯𝘥𝘦𝘥 𝘪𝘯 25 𝘺𝘦𝘢𝘳𝘴 𝘰𝘧 𝘱𝘳𝘢𝘤𝘵𝘪𝘤𝘢𝘭 𝘦𝘹𝘱𝘦𝘳𝘵𝘪𝘴𝘦, 𝘢𝘯𝘥 𝘳𝘦𝘧𝘪𝘯𝘦𝘥 𝘧𝘰𝘳 𝘰𝘷𝘦𝘳 𝘢 𝘥𝘦𝘤𝘢𝘥𝘦 𝘰𝘧 𝘥𝘦𝘭𝘪𝘷𝘦𝘳𝘺 𝘢𝘵 𝘉𝘭𝘢𝘤𝘬 𝘏𝘢𝘵, 𝘢𝘷𝘰𝘪𝘥𝘪𝘯𝘨 𝘢 𝘭𝘦𝘤𝘵𝘶𝘳𝘦-𝘩𝘦𝘢𝘷𝘺 𝘢𝘱𝘱𝘳𝘰𝘢𝘤𝘩 (70% 𝘰𝘧 𝘵𝘩𝘦 𝘤𝘰𝘶𝘳𝘴𝘦 𝘪𝘴 𝘧𝘰𝘤𝘶𝘴𝘦𝘥 𝘰𝘯 𝘦𝘹𝘦𝘳𝘤𝘪𝘴𝘦𝘴 𝘵𝘰 𝘳𝘦𝘪𝘯𝘧𝘰𝘳𝘤𝘦 𝘭𝘦𝘢𝘳𝘯𝘪𝘯𝘨). 𝘉𝘺 𝘵𝘩𝘦 𝘦𝘯𝘥 𝘰𝘧 𝘵𝘩𝘪𝘴 𝘵𝘳𝘢𝘪𝘯𝘪𝘯𝘨, 𝘺𝘰𝘶 𝘸𝘪𝘭𝘭 𝘸𝘢𝘭𝘬 𝘢𝘸𝘢𝘺 𝘯𝘰𝘵 𝘫𝘶𝘴𝘵 𝘸𝘪𝘵𝘩 𝘬𝘯𝘰𝘸𝘭𝘦𝘥𝘨𝘦, 𝘣𝘶𝘵 𝘵𝘩𝘦 𝘢𝘣𝘪𝘭𝘪𝘵𝘺 𝘵𝘰 𝘱𝘳𝘢𝘤𝘵𝘪𝘤𝘦 𝘵𝘩𝘳𝘦𝘢𝘵 𝘮𝘰𝘥𝘦𝘭𝘪𝘯𝘨 𝘦𝘧𝘧𝘦𝘤𝘵𝘪𝘷𝘦𝘭𝘺 𝘪𝘯 𝘺𝘰𝘶𝘳 𝘰𝘳𝘨𝘢𝘯𝘪𝘻𝘢𝘵𝘪𝘰𝘯. "
🔗 Full Training Details: https://nsec.io/training/2026-beyond-whiteboard-hacking-master-ai-enhanced-threat-modeling/

👨‍🏫 About the trainer:
Steven Wierckx (Toreon) is a seasoned software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his web application security passion by writing about and through training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He’s the OWASP Threat Modeling Project Lead and organises the BruCON student CTF. Last year, he spoke at Hack in the Box Amsterdam, hosted a workshop at BruCON, and provided threat modeling training at OWASP AppSec USA and O’Reilly Security New York.

#NorthSec #cybersecurity #threatmodeling #AIsecurity #LLM #DevOps #securitybydesign

Serverless SaaSless Networking: Building the Future Today

In the realm of serverless SaaSless networking, an architect doesn’t have to work in concrete. Some of us design networks.

Right now, the work I care about most is serverless, SaaSless networking: systems that run without a central point of truth and without a compulsory platform sitting in the middle. In other words, this approach builds the future today by making infrastructure that survives churn, pricing shifts, policy drift, and the sudden disappearance of a dependency everyone assumed would last forever.

Privacy follows from that choice. When the architecture stops funneling everything through a choke point, surveillance becomes harder, leakage becomes less likely, and “quiet repurposing” becomes far less tempting.

Cloud still has a place. However, forced dependence creates fragility.

A product that requires permanent permission from a third party isn’t really a product. Instead, it becomes a subscription to someone else’s stability.

What “serverless” and “SaaSless” mean in this context

Marketing turned “serverless” into a synonym for “someone else runs servers.” That model works for plenty of teams, yet it misses the deeper principle.

In this context, serverless means the network does not rely on a central server as the point of truth. Peers should discover each other, authenticate, exchange data, and recover without routing everything through a single authority.

Likewise, SaaSless means the core capability does not depend on an always-on subscription platform. Basic function should not sit behind tiers. Data should not live inside a proprietary dashboard with no clean exit. When a vendor can throttle, cut off, or reshape capability through closed APIs, control disappears.

That’s where architecture matters. It draws the line between a tool you own and a leash you tolerate.

A better metaphor than “roads versus theme parks” is public roads versus toll roads.

Public roads act as infrastructure. Anyone can use them, routes stay flexible, and no single company gets to decide who is allowed to travel. Toll roads can help too, but the experience changes the moment a gate sits in the middle. Then prices rise, rules shift, and access tightens. As a result, the journey starts depending on the operator’s incentives instead of the traveler’s needs.

That’s what SaaS-by-default networking creates. Movement still happens, but the gatekeeper sets the terms.

Why privacy becomes inevitable once the choke point disappears

Centralization attracts data. Then data attracts risk. Over time, risk becomes a breach email full of regret.

A privacy-first system takes a quieter path. It collects less, retains less, processes closer to the user, and reduces the number of places sensitive material can leak or be copied. Because of that, teams earn trust through engineering, not performance.

People don’t experience their lives as “data.” They experience messages, drafts, searches, locations, relationships, and decisions. So systems should treat those things with the seriousness they deserve.

Web3 identity, without the hype cycle

Web3 marketing created a mess, and the noise turns people off. Still, user-owned identity remains practical.

Most online identity works like a rental. Access can vanish. History can lock up. A policy change can turn an account into a liability overnight.

User-owned identity flips that relationship. A cryptographic anchor under the user’s control changes authentication from permission to proof. Additionally, it supports delegation, roles, and verification in ways auditors can check.

If a network aims to outlive trends, it needs identity built on owned ground, not rented ground.

Localized AI completes the design

Localized AI makes the whole approach feel coherent.

Privacy-first design does not pair well with exporting sensitive prompts to third-party model APIs by default. Instead, running models on-device, on-prem, or inside controlled infrastructure keeps private inputs inside a boundary you can actually defend.

The practical benefits show up fast. You get lower latency, predictable costs, and fewer moving parts. You also reduce exposure to training pipelines you cannot properly audit. Most importantly, the boundary stays intact, and thought stays close to home.

For that reason, localized AI belongs in the architecture, not as a bolt-on feature.

The future worth normalizing

Here’s the normal worth building:

• Identity stays portable.
• Data stays minimal and encryptable.
• Networks keep functioning when vendors disappear.
• AI runs locally for sensitive workflows.
• Audit trails stay verifiable, not vibes.

None of this requires utopian thinking. Instead, it requires disciplined engineering.

Call to action

Pick one place in your stack where a platform sits in the middle by default.

Then run three questions against it:

A single “yes” signals progress. Two points to direction. Three makes the future arrive early.

Privacy First. Security Always. Not as branding. As architecture.

If this resonates, share it with someone who builds systems for real users. Also, drop a comment with the one dependency you’d love to remove in 2026, or the one privacy-first change you plan to ship first. I read the replies and I’ll respond.

Key Takeaways

• Serverless SaaSless networking eliminates reliance on central authorities, allowing autonomy and privacy in data management.
• This architecture minimizes risk by decentralizing data collection and reducing points of possible leakage.
• User-owned identity enhances security, transforming authentication from permission-based to proof-based.
• Localized AI integration ensures sensitive data remains secure and allows for efficient processing without third-party dependencies.
• The article encourages assessing existing platform dependencies to foster a more privacy-focused and resilient system architecture.

🔐 Security ist kein Last-Minute-Feature.

Wer #SecurityByDesign früh umsetzt, verhindert teure Fixes und Risiken wie im Fall von Subaru – verursacht durch eine Webapplikation mit schwacher Sicherheitsarchitektur.

In seiner aktuellen Kolumne «Schlicht und einfach» zeigt @madmas, wie Shift Left und #DevSecOps helfen, #Security als durchgehende Verantwortung früh im Entwicklungsprozess zu verankern:

👉 https://www.inside-it.ch/schlicht-und-einfach-security-by-design-20251204

#CyberSecurity #SoftwareArchitecture #WeAreKarakun

Computer Security Day 2025: Fraunhofer FOKUS und das @Weizenbaum_Institut betonen digitale Resilienz für Staat, Wirtschaft & Gesellschaft. Cyberangriffe und Regulierung erfordern #SecurityByDesign und Zusammenarbeit aller Akteure: ➡️ https://www.fokus.fraunhofer.de/de/newsroom/news/computer_security_day.html

#Cybersecurity #Cybersicherheit #SecurityByDesign

𝗜𝗻𝘁𝗲𝗿𝘃𝗶𝗲𝘄 𝘄𝗶𝘁𝗵 𝘁𝗵𝗲 𝗖𝘂𝗿𝗮𝘁𝗼𝗿𝘀 𝗼𝗳 𝘁𝗵𝗲 𝗡𝗲𝘄 𝗖𝗣𝗦𝗔-𝗔 𝗠𝗼𝗱𝘂𝗹𝗲 𝗘𝗠𝗕𝗘𝗗𝗗𝗘𝗗𝗦𝗘𝗖! 🔐

We spoke with Felix Bräunling and Isabella Stilkerich about the new Advanced Level module #EmbeddedSecurity for Architects. They share why embedded security matters, how safety and security intersect, and which skills architects need to design secure embedded systems.

Dive into the full interview 👉 https://t1p.de/k3rzl

#CPSA #AdvancedLevel #SoftwareArchitecture #EMBEDDEDSEC #SecurityByDesign #EmbeddedSystems #iSAQB

Die #Denkwerkstatt2025 steht vor der Tür! Diskutiert mit uns über die Zukunft der #Cybersicherheit und entscheidet über die neuen Workstreams. Grundlage: 12 Ideen-Skizzen, von denen zwei in agile Projekte überführt werden. Die Bandbreite reicht von #ThreatIntelligence für die öffentliche Hand, über #ZeroTrust an der Hochschule bis zu #SecurityByDesign in #KI. Seid am 14. und 15. November in Berlin dabei. 👉 https://www.dialog-cybersicherheit.de/denkwerkstatt/

#DiCySi