You don't need a heavyweight framework to start threat modeling. You need four questions: What are we building? What can go wrong? What are we going to do about it? And did we do a good job? That's the whole spine of it.

Take something you actually run — a personal site, an API key sitting in a config file, a home server exposed to the internet. Walk it through those four questions out loud. Where does data come in? Who could reach it? What happens if they do?

The point isn't to produce a perfect document. A rough threat model you finish in ten minutes beats a beautiful one you never write. Most of the value is in the act of looking.

What usually falls out are a few cheap wins: a secret that belongs in a vault instead of a file, a service running with more privileges than it needs, and the one log line you'll wish you'd had when something breaks. Write those down and fix them. That's a good day's security work.