Security

Threat modeling as a daily practice, not a Q4 exercise

Why the threat models that actually protect systems are the ones updated at PR time — not at audit time.

Threat modeling that lives in a Confluence page nobody reads is theater. The threat models that protect real systems are the ones updated when the system changes — at PR time, not at audit time.

We treat the threat model as a section of the README for every service we ship. Three subsections: assets, trust boundaries, mitigated risks. A new endpoint forces an update. A new third-party integration forces an update. If the threat model and the code drift apart, we've failed before any attacker shows up.

Three patterns have proven load-bearing. First, name the trust boundary explicitly — 'this endpoint accepts unauthenticated requests, validates the JWT, then enters the trusted plane.' Second, capture the assumption that justifies each mitigation — assumptions are what break silently. Third, link each threat to a test that exercises the mitigation; the test is the only proof that it still works.
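A PR-time check in this spirit, added here as an illustration rather than the post's own tooling: it reads a constructed README threat-model section (the entry layout, the `assumption:` / `test:` fields, and the file paths and test names are assumptions of this example) and reports every mitigated risk that lacks a stated assumption or a linked test that actually exists in the suite.

```python
import re

# Constructed README excerpt in the shape the post describes: assets, trust
# boundaries, mitigated risks. The per-risk field layout is this example's own.
README = """\
## Threat model
### Assets
- session JWTs
- customer e-mail addresses
### Trust boundaries
- POST /login accepts unauthenticated requests, validates the JWT, then enters the trusted plane
### Mitigated risks
- T1: forged JWT accepted by /login | assumption: signing key lives only in KMS | test: tests/test_jwt.py::test_rejects_bad_signature
- T2: PII leaked in error responses | assumption: handlers never echo request bodies | test: tests/test_errors.py::test_no_body_echo
- T3: replay of a captured JWT | assumption: tokens expire within 15 minutes
"""

# Constructed stand-in for the collected test suite (what a collector run would list).
EXISTING_TESTS = {"tests/test_jwt.py::test_rejects_bad_signature"}

RISK = re.compile(
    r"^- (?P<id>T\d+): (?P<threat>[^|]+?)"
    r"(?: \| assumption: (?P<assumption>[^|]+?))?"
    r"(?: \| test: (?P<test>\S+))?\s*$"
)


def parse_risks(readme):
    """Return the entries under '### Mitigated risks' as dicts (missing fields are None)."""
    risks, in_section = [], False
    for line in readme.splitlines():
        if line.startswith("### "):
            in_section = line == "### Mitigated risks"
            continue
        m = RISK.match(line) if in_section else None
        if m:
            risks.append(m.groupdict())
    return risks


def check_risks(risks, existing_tests):
    """Findings that should fail the PR: a mitigation with no recorded assumption
    has nothing to break loudly, and one without a real test has no proof it works."""
    findings = []
    for r in risks:
        if not r["assumption"]:
            findings.append(f'{r["id"]}: no assumption recorded')
        if not r["test"]:
            findings.append(f'{r["id"]}: no test linked')
        elif r["test"] not in existing_tests:
            findings.append(f'{r["id"]}: linked test {r["test"]} does not exist')
    return findings


if __name__ == "__main__":
    for finding in check_risks(parse_risks(README), EXISTING_TESTS):
        print("FAIL", finding)
```

Run as a CI step after collecting the suite, the script exits with findings whenever a boundary moves without its proof moving with it.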

What we don't do: STRIDE-by-rote, attack trees nobody reads, third-party 'security platforms' that produce 200-page PDFs once a year. Those produce paperwork, not security.

The cost: about 30 minutes per service per quarter, plus PR overhead when a boundary moves. The return: when an audit happens, the threat model is the document the auditor wants. It already exists.
