Threat modeling proactively identifies threats during design — before code is written. Frameworks: STRIDE (Microsoft), PASTA, DREAD, Attack Trees.
Best time to threat model: design phase (cheapest fix). STRIDE is the most exam-tested framework. Even a simple 2-hour threat modeling session prevents costly vulnerabilities. Threat modeling + secure code review = most effective SDLC security combination.