ALVOR
Platform
PricingCompare
Advisory
AboutBlog
Get Demo
ALVOR
Platform
PricingCompare
Advisory
AboutBlog
Get Demo
← All Posts
July 16, 2026·7 min read

From Whiteboard Photo to Threat Model in an Afternoon

A walkthrough of one representative afternoon: a whiteboard photo becomes an editable architecture diagram, a written design explanation, a STRIDE threat model with mapped controls, and a signed design record before the end of the day.

Salman Khan·AIThreat ModelingSecurity Architecture

Full disclosure in one sentence: this is our workflow, in our product, and the pattern transfers to any tooling that treats diagrams as data instead of pictures.

Here is the failure mode this post is about. An architecture exists. It was designed by smart people who argued about it at a whiteboard, and the entire record of that argument is a photo in someone's camera roll, later pasted into slide 14 of a deck. The security review never happens, not because anyone objects to it, but because step one is "redraw all of this in a diagramming tool," and nobody has an afternoon to give. So the photo rots, the system ships, and the threat model joins the backlog of things everyone agrees are important.

The Threat Modeling Manifesto frames the discipline as four questions: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job. Notice that the first question is where most teams die. Not because they cannot answer it, but because answering it in a reviewable form costs more than anyone budgeted.

What follows is one representative run of the alternative: a real afternoon's shape, not a benchmark. Timings are story beats from a typical session, and your system, your model, and your team will move at their own pace.

  1. 1
    Upload the whiteboard photo1:05 PM

    The Design with AI studio reads the photo with a vision-capable model and proposes real, editable shapes: components, datastores, data flows, external entities, trust boundaries.

  2. 2
    Correct the canvas1:20 PM

    The engineer who drew the original fixes what the model got wrong: a merged box split in two, an arrow reversed, a boundary redrawn around the data tier.

  3. 3
    Explain the design2:00 PM

    A structured interview: identity, data, connectivity, failure modes. The answers are drafted into a written design explanation the team edits rather than authors from zero.

  4. 4
    Model the threats3:00 PM

    The Threat Modeling Studio proposes STRIDE threats anchored to diagram elements, each with a suggested control mapping. One approval card per batch; the reviewer rejects what does not apply.

  5. 5
    Assemble the record4:15 PM

    A deterministic PDF export gathers the approved diagram, explanation, threat model, and decisions into one design document.

  6. 6
    Request sign-offs4:30 PM

    Named reviewers from security, engineering, and the data owner get the record. Approval baselines the design; drift after that is visible.

One representative afternoon, photo to signed record

1:05 PM: the photo becomes shapes

The upload is the anticlimax it should be. The photo shows six boxes, some arrows, a cylinder someone labeled "PG" in marker, and a dotted line that meant something at the time. The Design with AI studio proposes a diagram from it: an API gateway, three services, a Postgres datastore, a queue, and a trust boundary where the dotted line was.

It also gets things wrong, and it is worth being specific about that. In a typical run the model merges two boxes that were drawn too close together, reads a bidirectional arrow as one-way, and has no idea that the box in the corner was crossed out because the team abandoned it mid-session. Handwriting on a glossy board photographed at an angle is genuinely hard input.

This is why the output is not an image but a proposal of real shapes on an editable canvas, delivered in an approval card. The engineer who stood at that whiteboard spends fifteen minutes accepting the right elements, splitting the merged box, reversing the arrow, and deleting the abandoned service. Correcting a mostly-right diagram is a fundamentally different task from redrawing one, and it is the difference between "this afternoon" and "next sprint."

2:00 PM: the design gets explained in writing

A diagram shows shape, not reasoning. The second studio runs a structured interview with the team: how does authentication work between the gateway and the services, where does customer data live and for how long, what happens when the queue consumer dies, who can reach the database and from where.

The answers get drafted into a design explanation, the written artefact a reviewer, an auditor, or a new hire can actually read. The team edits the draft, which is faster than writing it and, more importantly, actually happens. In the old workflow this document is the single most-skipped artefact of the review, because prose production is the least appealing work in security.

3:00 PM: threats, anchored and answered

Now the first question has an answer, so the second becomes tractable. The Threat Modeling Studio walks the corrected diagram and proposes STRIDE threats anchored to the elements they target: spoofing against the gateway's service tokens, tampering on the queue payloads, information disclosure on the analytics read path that quietly crosses the trust boundary.

Each proposed threat arrives with a suggested mapping to a control from the team's own catalog, and each batch lands as an approval card. The reviewer works through them the way an editor works through a draft: accept, adjust severity, reject. Two proposals get rejected in this run, one because the internal endpoint it targets already requires mutual TLS, one because it duplicates an accepted threat at a different element. That judgment is the review. The model widened the search; the human made the calls; the audit log recorded both.

What does not happen matters as much: nothing was written to the threat model without a person approving it, and the count of unmitigated threats is now a live number on the project instead of a guess.

4:15 PM: the record, assembled

The last step is the one that used to eat a day by itself: producing the document. The design-document export is deliberately not AI: it deterministically assembles the approved diagram, the design explanation, the threat model with its control mappings, the decisions, and the sign-off state into one PDF. Nothing in the export is model output that a human did not already review on its way in.

Sign-off requests go to named people: the security reviewer, the engineering owner, the data owner. When they approve, the design baselines, and from that point the record is not a snapshot but a reference: if the architecture drifts later, the drift is visible against the baseline instead of silently invalidating slide 14.

The photo in the deck

  • Lives in a camera roll and slide 14
  • Unreadable by anything downstream
  • The threat model stays on the backlog
  • The design drifts; nobody can tell
  • The review happens after the incident

The governed record

  • Editable diagram with explicit boundaries
  • Written explanation a reviewer can read
  • STRIDE threats mapped to real controls
  • Named sign-offs; the design is baselined
  • Done before the end of the day
The same whiteboard, two fates

What this honestly requires

A vision-capable model from your own provider: Alvor is bring-your-own-model (Anthropic, OpenAI, Google, Azure OpenAI, Amazon Bedrock, or any OpenAI-compatible endpoint), and photo reading is only as good as the model you bring. Every write the studios propose pauses on an approval card, and every acceptance is audit-logged. The speed comes from removing artefact production, not from removing judgment.

Why the afternoon matters

The point of compressing this work into an afternoon is not the afternoon. It is that reviews which cost an afternoon actually occur, for the second service and the tenth, not just the flagship. The whiteboard photo stops being where architecture goes to die and becomes the intake format it always secretly was.

And because the threats, controls, and decisions land in a connected system rather than a document, the afternoon keeps paying: mapped controls become build requirements, accepted risks appear in the risk register, and the next design review starts from a threat library that already knows this team's patterns. If the process itself is what you are missing, start with what a security design review contains and work backwards from the record you want.

If you would rather see the workflow than read about it, meet the assistant. Bring your own model and a photo of your worst whiteboard.

Questions this guide gets asked

Can AI really read a whiteboard photo?

Yes, with caveats. A vision-capable model reads the photo and proposes diagram elements: components, datastores, flows, and boundaries. It misreads things: a crossed-out box, an ambiguous arrow, handwriting. The proposals land on an editable canvas precisely so a human can fix them in minutes. Extraction is a draft, never a verdict.

What if the AI gets the diagram wrong?

You correct it on the canvas, which is the point of proposing real shapes instead of a flat image. Every element the studio suggests arrives in an approval card; nothing is written to the design until a person accepts it. Wrong shapes get rejected or edited the same way you would edit any diagram.

Which AI models does this require?

Alvor is bring-your-own-model: Anthropic, OpenAI, Google, Azure OpenAI, Amazon Bedrock, or any OpenAI-compatible endpoint. Reading photos specifically requires a vision-capable model from your provider. There is no bundled model, so your data goes to the provider you already govern.

Is the final design document AI-generated?

No. The design-document PDF is assembled deterministically from the approved artefacts: the diagram, the design explanation, the threat model, decisions, and sign-offs. The AI drafts some of those inputs; humans approve them; the export itself contains no model output that was not reviewed.

SK

Written by

Salman KhanCo-Founder & CEO, Alvor

Salman co-founded Alvor, the security and compliance platform, and leads its security architecture practice. He writes about design reviews, threat modeling, and running security programs that engineering teams don't route around.

Related in Alvor

The AI Assistant

One assistant across every module: it drafts diagrams, threat models, and policies, and every write pauses on an approval card you decide.

Learn more →
← All Posts
ALVOR

Security architecture, management, and compliance: connected into one source of truth.

Security, Simplified.

Platform

  • Overview
  • AI Assistant
  • Security Architecture
  • Assets
  • Components
  • Dependency Mapping
  • Data Governance
  • Secure by Design
  • Security Design Review
  • Threat Modeling
  • Risk
  • Compliance
  • Policy
  • Program
  • Business Continuity
  • TPRM

Solutions

  • Startups
  • Mid-Market
  • Enterprise

Company

  • About
  • Advisory
  • Compliance
  • Blog
  • Security
  • Pricing
  • Compare

Legal

  • Privacy
  • Cookie Policy
  • Terms
  • Disclosure

© 2026 Alvor, Inc. All rights reserved.

LinkedIn