Jacob Kaplan-Moss

I’m a software developer, co-creator of Django, and engineering leader. I’m an owner and consultant at REVSYS, and am the Treasurer of the Django Software Foundation. Previous jobs: Latacora, Hangar, 18F, Heroku. If you’re looking to contact me, please see how to get in touch and the ways I’m available to help.

Writing

πŸ”— This World of Ours (James Mickens) (#)

I was reminded of this classic paper in the threat modeling literature canon. Hilarious and also insightful β€” worth a read if you haven’t seen it before.

August 12th, 2025 β€’ essays humor threatmodeling

πŸ“ Two Scenario Threat Modeling

A trap that many people fall into when trying to threat modeling or risk planning is a fear of being incomplete that leads them to not even try. People think, “there are so many possible things that could go wrong, so many potential risks. It’s going to be such a huge effort to enumerate all possible scenarios, and I don’t have time, so I guess I can’t do threat modeling.” That is, threat modeling seems so big, so hairy, that people believe it’s too complex to tackle.

This just isn’t true! Some planning is always better than no planning. In fact, you can get a surprising amount of value out of a very simple and fast technique: imagine a couple of scenarios – just two! – and game out what you could do to mitigate them.

August 8th, 2025 β€’ planning risk threat modeling

πŸ“ Comfort Scores: A risk mitigation tool for pre-trip briefings

A tool I like for pre-trip briefings the can help groups assess its ability to tackle a tricky objective.
August 4th, 2025 β€’ briefings decision making groups risk

πŸ”— Using AI to build a tactical shooter (#)

Via RC’s AI article, a fascinating recording of someone programming a game almost entirely by prompting Claude by voice. This feels truly β€œfuturistic” to me. Sure it’s clunky at times, but damn if this isn’t closer to the Star Trek computer than I ever thought I’d see in my lifetime.

July 28th, 2025 β€’ ai programming

πŸ”— Developing our position on AI - Blog - Recurse Center (#)

Detailed, nuanced, and well-thought-out. Tons of great and insightful quotes from RC alums. And their conclusion is, I think, perfect:

You should use AI-powered tools to complement or increase your agency, not replace it.

July 28th, 2025 β€’ ai llm programming recurse center

πŸ“ What if We Thought About Risk Decisions Differently?

Risk professionals often operate from the assumption that people are inherently bad at assessing risk, especially when it comes to low-probability, high-consequence scenarios. But what if this foundational belief is wrong? What if people are actually pretty good at understanding their own risks? What are some of the implications of approaching risk this way?
July 22nd, 2025 β€’ risk security

πŸ“ Ultralight Heresies

Stay off r/ultralight. Bring the gear that’s appropriate to your trip objectives and conditions.
July 21st, 2025 β€’ backpacking ultralight

πŸ”— Evan Reese - Custom OnShape features (#)

A bunch of really useful custom features for OnShape

July 12th, 2025 β€’ cad onshape

πŸ’‘TIL: 3d printed parts have different strength characteristics than conventionally-manufactured parts

An interesting 3d printing lesson about how the physical characteristics of printed parts differ from other manufacturing:

I needed to replace a rubber hydraulic hose retention strap on my tractor. The part’s $40 + shipping – ludicrous for a 6x2" strip of rubber – so perfect to try to replicate. I have some TPU filament that’s of similar flexibility, let’s go.

For V1, I just replicated the geometry exactly - including, without thinking about it, some little relief holes around the main hose holes:

July 8th, 2025 β€’ 3d printing

πŸ“ Potential causes of accidents in outdoor pursuits (the Meyer/Williamson matrix)

The Meyer/Williamson matrix is a framework enumerating pretty much all potential causes of accidents in outdoor activities. I first ran across it in Deb Ajango’s Lessons Learned II, but I’ve had a really hard time finding an original source to cite. It appears to be taken from various presentations that Dan Meyer and Jed Williamson have given over several decades. There are various PDF versions floating around the web, but they tend to linkrot and I’ve never found a good HTML version. I’m reproducing it here so that I’ve got a good stable HTML version to link to in the future.
June 17th, 2025 β€’ accidents outdoor risk

πŸ“ Changing Directions

I have two important announcements:

  1. I’m leaving the tech industry. Hopefully “for good”; if not, at least “for now”.

  2. As such, the content on this blog is going to shift, perhaps dramatically. I’m going to be writing about a broader range of topics that interest me (projects around my hobby farm, wilderness trips, emergency medicine) – more writing for me, less writing for some imagined audience. (I’ll probably still end up writing about some of the same topics as I’ve been covering since 2020, just less often.)

I’m writing this post mostly to give myself permission to make that change, and to give readers the opportunity to unsubscribe/unfollow if they’re not interested.

If you’re interested in more details about why I’m leaving the industry and what’s next for me and this blog, read on.

June 3rd, 2025 β€’ career personal

πŸ”— Decision making matrix for alpine climbing (#)

Great example of a simple risk framework in action.

May 13th, 2025 β€’ climbing decisions risk

πŸ“ How to report a security issue in an open source project

So you’ve found a security issue in an open source project – or maybe just a weird problem that you think might be a security problem. What should you do next?
March 27th, 2025 β€’ open source security

πŸ“ Beware tech career advice from old heads

If you’re new to tech – say, less than 5 years in the field – you should take career advice from people who’ve been in the industry more than 10-15 years with enormous skepticism.
March 13th, 2025 β€’ career jobs tech

πŸ”— Building a Community Privacy Plan (#)

Really great guide. I love the community focus β€” so many of these security guides are individually-oriented, which limits their applicability to groups, especially volunteer groups.

February 19th, 2025 β€’ community privacy security

πŸ“ Thinking About Risk: Sidebar #4: Quantitative Risk Revisited

In part 1 of this series, I briefly covered quantitative risk measuring – assigning a numeric value to risk, like “$3,500”, rather than a qualitative label like “medium” – only to quickly recommend against trying it. In this final sidebar, I want to come back to this topic. I’ll spend a bit more time explaining what I see as the pros and cons of quantitative risk measurement – why you might or might not want to use numeric values over more simple risk matrixes.
January 28th, 2025 β€’ risk security

πŸ“ Thinking About Risk: Sidebar #3: Two Flavors of Medium Risk

When you look at a likelihood/impact risk matrix, you might notice that “medium” appears twice – once as high-likelihood/low-impact, and once as low-likelihood/high-impact. These two “mediums” aren’t at all the same!
January 17th, 2025 β€’ risk security

πŸ“ Thinking About Risk: Sidebar #2: The Swiss Cheese Model

In the real world, accidents happen when a series of small missteps align to create severe consequences. This is something we call the “Swiss Cheese Model”: imagining a systems failure as a set of “holes” in our layers of defense that all line up to create a series accident.
January 16th, 2025 β€’ risk security

πŸ“ Thinking About Risk: Sidebar #1: "Exposure"

Risk is usually defined as the product of two factors: Likelihood and Impact. However, some disciplines include a third factor: Exposure. What’s that about, and when is it useful?
January 15th, 2025 β€’ risk security

πŸ”— Cognitive Biases Codex.pdf (#)

January 4th, 2025 β€’

Full Archive →