Cloud Security Podcast by Google

EP215 Threat Modeling at Google: From Basics to AI-powered Magic

Mar 17, 2025

Meador Inge, a security engineer at Google, dives into the intricacies of threat modeling, detailing its essential steps and applications in complex systems. He explains how Google continuously updates its threat models and operationalizes the information to enhance security. The conversation explores the challenges faced in scaling threat modeling practices and how AI, particularly large language models like Gemini, is reshaping the landscape. With a humorous twist, Inge shares insights into unexpected threats and effective strategies for organizations starting their threat modeling journey.

26:03

Creator website

Episode guests

Meador Inge

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Google's threat modeling process involves defining scope, identifying components, and collaborating with product teams for effective risk assessment.

Emphasizing iterative analysis, threat modeling enables manageable insights into complex systems, enhancing security posture while avoiding overwhelming details.

Deep dives

Understanding Threat Modeling

Threat modeling is discussed as a structured process crucial for identifying potential risks associated with a product or system. It begins by clearly defining the scope and identifying key components, data flows, and subject matter experts to garner accurate architectural insights. By utilizing this foundational understanding, teams can systematically enumerate potential threats and evaluate areas where security compromises may arise. This structured approach not only enhances the security posture but also empowers teams to anticipate challenges and implement effective mitigations.

Intro

4min

Navigating Threat Modeling in Complex Systems

13min

Transforming Threat Modeling with AI Innovation

2min

Mastering Threat Modeling

5min

Navigating the Unpredictable in Threat Modeling

2min

Guest:

Meador Inge, Security Engineer, Google Cloud

Topics:

Can you walk us through Google's typical threat modeling process? What are the key steps involved?
Threat modeling can be applied to various areas. Where does Google utilize it the most? How do we apply this to huge and complex systems?
How does Google keep its threat models updated? What triggers a reassessment?
How does Google operationalize threat modeling information to prioritize security work and resource allocation? How does it influence your security posture?
What are the biggest challenges Google faces in scaling and improving its threat modeling practices? Any stories where we got this wrong?
How can LLMs like Gemini improve Google's threat modeling activities? Can you share examples of basic and more sophisticated techniques?
What advice would you give to organizations just starting with threat modeling?

Resources:

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.

Get the app

Cloud Security Podcast by Google

EP215 Threat Modeling at Google: From Basics to AI-powered Magic

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Understanding Threat Modeling

Practical Application of Threat Modeling

Collaborative Efforts and Continuous Learning

Remember Everything You Learn from Podcasts