
Career Transition from Offensive Security to AppSec and Threat Modeling
Cybersecurity, AppSec, Threat Modeling, Career Transition, Pentesting, Offensive Security, Security Career
The author spent five years in pentesting, primarily conducting web app and internal network assessments, but noticed a decline in engagement depth as clients increasingly relied on automated scanners. After a dev team found the author's post-assessment explanation of architectural flaws more valuable than the report itself, the author transitioned into threat modeling and AppSec. The author now works in an AppSec role at a product company and finds the work more impactful, while occasionally freelancing to maintain offensive skills. The shift was aided by certifications and self-study in methodologies like STRIDE, PASTA, and MITRE ATT&CK.