Is anyone using threat modeling as a means of continuous architecture? Meaning, you have a threat mode for the entire organization and you periodically review it to ensure your current architecture is capable of handling emerging and changing threats.
I think this is what most people do but as I mentioned on another comment, it was suggested to me to do threat models instead or as an addition (I forgot which way the person pitched it to me). So naturally, I was curious to see if anyone else actually did that as it seems like this would be a significant effort.