Security, though part of software development since its early days, has recently become increasingly important. Still, thinking about security is often something that only happens at the beginning and at the end of a project. During the early phase of a project, a lot of concerns and possible mitigations are brought up on the drawing table in a euphoric atmosphere. Then a (longer) period of development often follows, i.e. implementation. When the release is looming, someone brings up penetration testing, which then produces a bunch of issues that have to be fixed before the initial go-live. Is there a better approach to your project’s security than the notorious “security sandwich”? Is there a more structured way to identify threats and make threat modeling part of every story and a continuous project companion? Are there tools that might provide you a little bit of support? How can you best decide whether a threat is a real risk for your company? This talk tries to give a brief overview of threat modeling and provide a good starting point for your project.