Threat modeling should be performed early in the application, system or product lifecycle to identify vulnerabilities before development. Threat modeling identifies vulnerabilities, prioritizes risks, guides security testing and monitoring, informs security requirements, and helps developers understand attacks to build defenses.