Threat modeling is often framed as defensive imagination. That is true, but incomplete. It is also an editorial discipline: a way of deciding what belongs in the frame, what is implied, and where the argument is weak.

Every diagram makes a claim. It says that a boundary matters, that a service deserves trust, that a path exists for a reason. The useful question is not whether the diagram is complete. It never is. The useful question is whether its omissions are intentional.

Assumptions

Assumptions should be visible enough to challenge. If an operator, key, network segment, or dependency is trusted, the model should say so plainly.

Security work improves when the system stops pretending to be self-evident.

Revision

The model becomes stronger as it loses decorative certainty. Remove vague arrows. Rename generic boxes. Collapse repeated abstractions. What remains should feel like a document with a point of view.
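One way to make the points under Assumptions and Revision checkable, as an added example that is not part of the original essay: a small linter over a threat model kept as data, flagging trust with no stated assumption, vague arrows, generic boxes, and arrows to things left out of the frame. The model schema, the element names, and the word lists are all assumptions made for illustration.

```python
"""Lint a threat model for unstated trust, vague arrows and generic boxes."""
import re

# Constructed sample model; the schema and every name are hypothetical.
MODEL = {
    "elements": [
        {"name": "Service", "trusted": True},
        {"name": "billing-api", "trusted": True,
         "assumption": "Runs only signed images; deploy keys held by release team"},
        {"name": "customer-browser", "trusted": False},
        {"name": "Database 2", "trusted": False},
    ],
    "flows": [
        {"src": "customer-browser", "dst": "billing-api", "label": "HTTPS POST /invoices"},
        {"src": "billing-api", "dst": "Database 2", "label": "data"},
        {"src": "billing-api", "dst": "Service", "label": ""},
        {"src": "billing-api", "dst": "audit-log", "label": "append signed event"},
    ],
}

# Assumed word lists: names and labels that say nothing about the system.
GENERIC_NAME = re.compile(
    r"^(service|server|database|db|system|component|app|api|box)(\s*\d+)?$", re.I)
VAGUE_LABEL = re.compile(
    r"^(data|traffic|requests?|info|calls?|uses|talks to)?$", re.I)


def lint(model):
    """Return a sorted list of (rule, subject) findings."""
    findings = []
    names = {e["name"] for e in model["elements"]}
    for e in model["elements"]:
        if GENERIC_NAME.match(e["name"].strip()):
            findings.append(("generic-box", e["name"]))
        # Trust is allowed, but only with a written assumption to challenge.
        if e.get("trusted") and not e.get("assumption", "").strip():
            findings.append(("unstated-trust", e["name"]))
    for f in model["flows"]:
        arrow = f"{f['src']} -> {f['dst']}"
        if VAGUE_LABEL.match(f.get("label", "").strip()):
            findings.append(("vague-arrow", arrow))
        # An arrow to something outside the frame is an unintentional omission.
        for end in (f["src"], f["dst"]):
            if end not in names:
                findings.append(("undeclared-element", f"{arrow} ({end})"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in lint(MODEL):
        print(f"{rule:20} {subject}")
```

A finding is a prompt for a decision, not an error: the fix may be to write the assumption down, or to record that the omission is deliberate.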