The Security Engineer Handbook

Written by Mark Wisde and Tom Park, FAANG security engineers and security consultants.

A short, edgy, bold mini-guide to being a security engineer. Learn to make it in a security team, develop a risk-oriented mindset, and discover the secrets of the industry.

$20

"You're on the losing team, the team that makes the company waste money. On the other side is the winning team, the one that makes the company money."

Chapter 1: The Losing Team

What's Inside

15 chapters on the realities of security engineering

Chapter 01
The losing team
Chapter 02
Threat modeling everything
Chapter 03
Mind your dependencies
Chapter 04
What am I supposed to do?
Chapter 05
Risk management
Chapter 06
Staying up to date
Chapter 07
How to get a good start on any project
Chapter 08
Forcing people to do things
Chapter 09
How bugs happen
Chapter 10
Dealing with white hats and black hats
Chapter 11
This is your world now
Chapter 12
Security reviews
Chapter 13
Who's with me?
Chapter 14
This is your life now
Chapter 15
Making it as a security engineer

"You don't start on a complex project and try to give it a hug, instead you stab it in the heart."

Chapter 7: How to Get a Good Start

Threat Modeling Everything

A threat model is a magical gift: it tells you what to do like it's the grown-up in the room. It's the organizer in your life. It's the piece of paper that outlines what's important and what can wait.

You write a threat model to document your system, to identify what your attackers look like, what they can do, and to record what you've done to handle that. By doing this exercise, you'll identify single points of failure, dependencies that you blindly trust but you shouldn't, secrets and keys that are a bit too exposed.

Remember, the goal is to identify new work, pressing work. Be honest, be brutal, this is not a public relations piece.

Key Takeaways

  • Threat models document your system and identify what attackers can do
  • There's no great tool for threat modeling—a spreadsheet is often enough
  • You're not alone—producing a threat model takes several people
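The takeaway above says a spreadsheet is often enough. The script below is an added example, not code from the book or its authors, showing the same register kept as a few rows of data plus three queries that produce the outputs the chapter names: single points of failure (non-redundant components others depend on), dependencies crossing into a less-trusted zone with no threat recorded against them (blind trust), and unmitigated threats ranked by impact times likelihood (the pressing work). The components, trust zones, attackers and scores are constructed for illustration and do not describe any real system.

```python
"""Threat model as a register you can query. Added example with constructed data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed trust ranking: lower number = less trusted.
TRUST = {"internet": 0, "third_party": 1, "dmz": 2, "internal": 3}


@dataclass
class Component:
    name: str
    trust_zone: str
    depends_on: List[str] = field(default_factory=list)
    redundant: bool = False  # True if a second instance / failover exists


@dataclass
class Threat:
    component: str      # what the attacker goes after
    attacker: str       # who they are
    action: str         # what they do
    impact: int         # 1..5
    likelihood: int     # 1..5
    mitigations: List[str] = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood


# Constructed system: a web front end, a redundant API, a DB, a secrets vault,
# a third-party payment provider and a background worker.
COMPONENTS: Dict[str, Component] = {c.name: c for c in [
    Component("web", "dmz", depends_on=["api"]),
    Component("api", "internal", depends_on=["db", "payments", "vault"], redundant=True),
    Component("worker", "internal", depends_on=["db", "vault"], redundant=True),
    Component("db", "internal"),
    Component("vault", "internal"),
    Component("payments", "third_party"),
]}

# Constructed threat rows, as they would appear in the spreadsheet.
THREATS: List[Threat] = [
    Threat("web", "anonymous internet user", "credential stuffing against login", 4, 5,
           mitigations=["rate limiting", "MFA"]),
    Threat("db", "authenticated user", "SQL injection through search endpoint", 5, 3),
    Threat("vault", "engineer with log access", "reads vault token written to app logs", 5, 4),
    Threat("api", "insider", "modifies prices via admin endpoint", 3, 2, mitigations=["audit log"]),
]


def dependents(components: Dict[str, Component], name: str) -> Set[str]:
    """Everything that transitively depends on `name` (reverse dependency walk)."""
    reverse: Dict[str, List[str]] = {c: [] for c in components}
    for c in components.values():
        for dep in c.depends_on:
            reverse.setdefault(dep, []).append(c.name)
    seen: Set[str] = set()
    stack = [name]
    while stack:
        for d in reverse.get(stack.pop(), []):
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return seen


def single_points_of_failure(components: Dict[str, Component]) -> List[str]:
    """Non-redundant components that something depends on, most depended-upon first."""
    hits = [(len(dependents(components, c.name)), c.name)
            for c in components.values()
            if not c.redundant and dependents(components, c.name)]
    hits.sort(key=lambda h: (-h[0], h[1]))
    return [name for _, name in hits]


def blindly_trusted(components: Dict[str, Component], threats: List[Threat]) -> List[Tuple[str, str]]:
    """Edges into a less-trusted zone for which the register records no threat at all."""
    covered = {t.component for t in threats}
    out = []
    for c in components.values():
        for dep in c.depends_on:
            if TRUST[components[dep].trust_zone] < TRUST[c.trust_zone] and dep not in covered:
                out.append((c.name, dep))
    return sorted(out)


def open_threats(threats: List[Threat]) -> List[Threat]:
    """Threats with no mitigation, highest risk first: this is the pressing work."""
    return sorted((t for t in threats if not t.mitigations),
                  key=lambda t: (-t.risk, t.component))


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(COMPONENTS))
    print("blindly trusted dependencies:", blindly_trusted(COMPONENTS, THREATS))
    for t in open_threats(THREATS):
        print(f"open risk {t.risk:>2}: {t.attacker} -> {t.component}: {t.action}")
```

The interesting output is what the register is silent about: the payment provider sits in a less-trusted zone, three things depend on it, and nobody has written a single threat row against it, which is exactly the blindly trusted dependency the chapter warns about.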

The Weakest Link

You're not playing a fair game. As a member of the blue team (the team that defends) you need to secure everything, and the red team (the one that plays offense) just has to find something you overlooked to get in.

A chain is only as strong as its weakest link, and you're the investigator in charge of finding that link. So clean your snout and sniff the shit out of your turf. You're looking for truffles, you're looking for the smelly prize.

The last thing you want to do is put a nice and solid wall in some places, and leave completely open spots everywhere else. So raise the bar, across the board, just raise it a bit more. That's all you gotta do.

"Introduce yourself, like a slice of ham in a sandwich, in-between some of the already-mandatory steps that developers have learned to blindly obey."

Chapter 8: Forcing People to Do Things

The Challenges You'll Face

  • As a security engineer you're often not seen as providing as much value as developers
  • Your job is to collaborate as much as you can—there's a lot of work and your time is limited
  • Management and incentives are some of the most powerful ways to direct people in companies
  • You're always fighting against the current

How to Succeed

  • Pick your battles—not everything can be critical
  • New ideas are nothing without someone to drive them
  • If nobody is willing to do something important, consider doing it yourself
  • Soft skills are important—the more you know someone, the easier it'll be to collaborate

"You're somewhat of a gardener, as you'll be slowly planting security seeds all around you. You're also an athlete, as you'll be most of the time swimming against the current."

Chapter 14: This Is Your Life Now

The TUBE Feedback Loop

A practical framework for efficient security engineering

1. Threat Model: Look at your system holistically to make sure you're not missing anything
2. Urgency: Find the low-hanging fruit from the attacker's point of view to prioritize
3. Break In: Find a way to get this done through relationships and convincing people
4. Execute: Drive your plan to completion, then go back to your threat model

"In the weather of your emotion it'll be cloudy, sunny, rainy, and snowing. So wear some flip flops but carry a big coat. You'll have zero clue what the expectations for your role are, and you'll end up wearing many hats."

Chapter 13: Who's With Me?

Planting Seeds

As you can't be everywhere, you'll have to rely on others to replicate your investigative efforts and report back. This can be hard as very few people are trained to think about security.

While you can't force people to do things, you can force ideas into their heads. You can mention security here and there, you can talk to them about what worries you, or what you think they should care about. They might sometimes seem like they're not listening, but it works.

"An idea is like a virus, resilient, highly contagious. The smallest seed of an idea can grow."

"You need credits. See them as coins that you can gain slowly by playing the right cards, and that you can lose in one hand. Without credibility, collaboration is impossible."

Chapter 7: How to Get a Good Start

Ready to Level Up?

You're the unsung hero. You're the dark knight.


Last updated: Oct 25, 2025