DRAFT — This article is in progress. Content is placeholder only.
Security has a reputation problem inside engineering teams. It arrives late, asks for changes to things already built, speaks in a language nobody else uses, and slows down releases without obvious benefit. That reputation is often earned. Not because security is wrong to raise concerns, but because of when and how it gets raised. The teams that have changed this pattern did it by changing where in the development process security happens, not by doing less of it.
Why security usually slows things down
The most common version of this problem goes like this: a feature is nearly ready to ship. Security reviews it. Security finds issues. Engineering has to rework code that was already written, tested, and ready to deploy. The release slips. The engineering team resents the process. Security gets blamed for the delay. The actual problem is not security — it is that security arrived at the point where change is most expensive.
What "built-in security" actually means
Built-in security is not a checklist that developers tick before shipping. It is the result of engineers having a clear, shared picture of the risks in what they are building — early enough that the picture influences the design. When that happens, security requirements are not surprises that arrive before go-live. They are part of the spec from the start.
How threat modeling creates this shared understanding
A threat modeling session is a structured conversation — typically a few hours — where the people building a system work through what could go wrong with it. The questions are straightforward: what does this system do, who could want to attack it, and what would they do? Working through those questions as a team produces something more durable than a policy document: a shared understanding of where the real risks are, and what the team needs to build to address them.
The development velocity effect
At one major UK bank, the standard security assurance process before Threatplane's engagement was creating significant delays — teams did not know what security requirements applied to their work until late in the development cycle, and the last-minute review process was becoming a bottleneck across multiple DevOps teams. After introducing structured threat modeling across the program, development velocity improved by 3x. Not because security requirements were relaxed — but because teams had the information they needed, earlier.
What this looks like in practice for a scale-up
For a growing technology business without a dedicated security team, the question is not whether to do security — it is how to do it without it consuming the engineering capacity you need to build the product. Threat modeling, run well, is one of the highest-leverage activities you can invest in. A three-hour session on a new feature often surfaces issues that would have taken weeks to fix if found in a pen test or, worse, after a breach.
Security slows development when it arrives late and speaks in a language engineers cannot act on. Built-in security — through collaborative threat modeling at the design stage — gives teams the clarity they need to build right the first time. The evidence from clients is that this actually accelerates delivery rather than slowing it.
Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
Full bio →