The best-laid plans of devs and security often go awry—which is why after initial threat modeling has been done, we perform runtime analyses to make sure the software that we built lives up to our initial design standard; and make adjustments to the threat model accordingly. At speed and scale, alternating between (and properly balancing) designing for security, implementation, and evolving our threat models becomes the basis of effective DevSecOps and the secure-by-design principle.