MAYANK VATS
Mayank Vats is a Principal Software Engineer at Workday, where he focuses on designing secure, large-scale AI and conversational platforms. He has led multiple initiatives around agentic AI systems, low-code frameworks, and enterprise-grade automation, bridging the gap between developer experience, system reliability, and security.
With a background spanning both enterprise software architecture and applied AI, Mayank’s recent work explores how vision models and LLMs can enhance traditional security processes, particularly in areas like automated threat modeling and developer-centric risk analysis.
At BSidesPDX 2025, Mayank shares his lessons learned from building an AI-assisted threat modeling agent that “sees” architecture diagrams and generates structured STRIDE analyses automatically. His talk dives into what works, what breaks, and how AI can make threat modeling faster, more accessible, and actionable for modern engineering teams.
Session
Threat modeling has always been critical but also slow, manual, and often skipped. What if your security champions could generate a first draft of a STRIDE analysis from architecture diagram itself ? In this talk, we’ll explore how vision models (like Gemini Vision) and LLMs can automate early threat modeling by “seeing” system diagrams and translating them into structured security insights.
I’ll show how we built an agent that ingests architecture diagrams, interprets flows and trust boundaries, and outputs threat models in a developer-friendly format. We’ll cover practical benefits (speed, adoption, developer engagement) as well as real challenges: hallucinations, missing context, and having humans in the loop. Finally, I’ll share how we turn these outputs into generating adversarial test cases, making threat modeling more actionable.
Attendees will leave with a framework to experiment with their own AI-assisted threat modeling pipeline, lessons learned from real reviews of AI agents, and a realistic sense of what today’s vision models can (and can’t) do for security.