DRAFT — This article is in progress. Content is placeholder only.
Most technology businesses treat penetration testing as their primary security activity. It produces a report, the report gets filed, and the team feels like something has been done. But pen testing finds problems after they exist in production — often after they have been there for months. Threat modeling finds them before code is written. Understanding which to use, when, and in what order is one of the most practical security decisions a CTO or CISO can make.
What penetration testing actually does
Penetration testing simulates an attacker attempting to compromise your systems. A skilled tester — working within agreed scope and rules of engagement — probes for vulnerabilities in running code, live infrastructure, and real configuration. It is valuable, rigorous when done well, and an important part of a mature security program. But it has a fundamental timing constraint: it only tests what already exists.
What threat modeling actually does
Threat modeling starts with a question: what are we building, who might want to attack it, and what could they do? Done well, it maps the systems and data flows involved, identifies realistic threat actors and their motivations, and works through what could go wrong in a structured way. The output is not a list of CVEs — it is a prioritised view of risks, connected to the business impact of each, with clear guidance on where to invest security effort.
Why the sequence matters
If threat modeling identifies a flaw in how your authentication architecture is designed, fixing it takes a design conversation and a changed spec. If a pen tester finds the same flaw six months later in running code, fixing it means rearchitecting a system that is already in production, retesting, and possibly delaying a release. The cost difference is not marginal — it is often an order of magnitude.
When each tool fits best
Use threat modeling when you are designing something new, changing an architecture, or trying to understand where your custom application's real risks lie. Use penetration testing to validate that what you built is actually secure and to maintain assurance on live systems over time. The best programs use both: threat modeling to build right, penetration testing to verify.
The custom application problem
Most penetration testing methodology is built around known vulnerability classes — SQL injection, XSS, broken access control. These matter, but they are not the whole picture for businesses running bespoke technology. A custom application built around proprietary business logic has risks that no automated scanner or standard methodology will surface. The integration between your order management system and your payment processor, or the specific way your platform handles research data from multiple sources, requires someone who understands your system. A generic checklist will not find those risks.
Threat modeling and pen testing are complementary, not competing. The right question is not "which one?" but "what is the right sequence for what we are building?" For teams building custom applications — especially in regulated sectors — both are important. Threat modeling should come first to establish what matters and why, pen testing should validate that the controls are working.
Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
Full bio →