Marco Morana is the Founder of Threat Modeling Academy, a global training initiative dedicated to advancing threat modeling and secure-by-design engineering for AI, cloud, blockchain, and FinTech systems. He also serves as Field CISO at Avocado Systems Inc., where he advises enterprises on embedding automated threat modeling, Zero Trust architecture, and runtime security into modern software and AI platforms.

With more than 25 years of cybersecurity leadership experience, Marco has held senior roles including Executive Director of Security Architecture, Head of Application Security, and SVP Security Architect at institutions such as J.P. Morgan Chase and Citi, where he led security strategy for critical financial applications, digital assets, and blockchain-based and decentralized platforms.

A recognized thought leader in adversarial risk analysis and secure design, Marco co-created the Process for Attack Simulation and Threat Analysis (PASTA) in 2015, a risk-centric threat modeling methodology that connects business objectives, threat intelligence, and technical controls. In 2013, he led the OWASP Application Security CISO Guide, helping shape how security leaders govern application risk, secure software development, and enterprise AppSec programs. He currently plays a co-leadership role with Matteo Meucci CEO of Synapsed.ai in the OWASP AI Testing Guide (AITG), the first industry-standard framework for systematically testing the security, safety, and reliability of AI systems (released November 2025).

Marco is also the author of Blockchain & Application Security: Developing Resilient Applications for Emerging Technologies (2025), a practical guide that connects modern threat modeling with secure engineering for cloud, blockchain, and decentralized applications. The book translates real-world lessons from securing smart contracts, custody models, and DeFi systems into patterns that engineers and architects can apply at scale.

Throughout his career, Marco has aligned application, cloud, blockchain, and AI security with business priorities, regulatory expectations, and enterprise engineering practices. His work emphasizes secure-by-design architecture, automated guardrails, and continuous risk assurance across DevSecOps and MLSecOps lifecycles, including smart contract, wallet, and decentralized application (dApp) security.

As an instructor and mentor, Marco designs and delivers advanced training on:
• Application Threat Modeling, Basic and Advanced
• LLM-powered threat modeling
• Security of AI applications and agents
• Blockchain and smart contract security by design
• Secure software engineering and cloud security

He regularly coaches security engineers, security architects, and global instructor teams, helping organizations build attack-resilient systems for AI, cloud, and decentralized technologies.