Pankaj Upadhyay
Pankaj Upadhyay is a Principal Cybersecurity Engineer at Workday, where he focuses on secure architecture, threat modeling, and the emerging challenges of AI/ML security. He has been recognized across the industry through published CVEs, responsible disclosures, and inclusion in multiple security “Hall of Fame” acknowledgments (Google, Adobe, Cert-EU etc.) for his contributions to improving software security.
With a background spanning application security, cloud security, and open-source research, Pankaj’s recent work explores how generative AI and vision models can augment traditional security processes from automated threat modeling to adversarial testing of AI agents.
At BSidesPDX 2025, Pankaj shares his lessons learned from building an AI-assisted threat modeling agent that “sees” architecture diagrams and generates structured analysis automatically. His talk dives into what works, what breaks, and how AI can make threat modeling faster, more accessible, and actionable for modern engineering teams, if done with an interactive feedback loop and constant user engagement.
Session
Threat modeling has always been critical but also slow, manual, and often skipped. What if your security champions could generate a first draft of a STRIDE analysis from architecture diagram itself ? In this talk, we’ll explore how vision models (like Gemini Vision) and LLMs can automate early threat modeling by “seeing” system diagrams and translating them into structured security insights.
I’ll show how we built an agent that ingests architecture diagrams, interprets flows and trust boundaries, and outputs threat models in a developer-friendly format. We’ll cover practical benefits (speed, adoption, developer engagement) as well as real challenges: hallucinations, missing context, and having humans in the loop. Finally, I’ll share how we turn these outputs into generating adversarial test cases, making threat modeling more actionable.
Attendees will leave with a framework to experiment with their own AI-assisted threat modeling pipeline, lessons learned from real reviews of AI agents, and a realistic sense of what today’s vision models can (and can’t) do for security.