Key Takeaways:

- Imagination alone isn’t enough for adequate polycrisis strategies. Threat modeling grounds foresight in basics—actors, vulnerabilities, attack paths, and mitigations—and backcasts that logic into today’s budgets, controls, and policies.

- Existing literature offers tested methods (threatcasting), academic frameworks (multidimensional cyber-foresight), empirical studies (threat drivers), and practitioner playbooks (future-back modeling) for such transdisciplinary synthesis. Deeper integration is possible and necessary.

- Polycritical foresight is the disciplined synthesis of futures thinking, threat modeling, and systems thinking—a practice that not only envisions multiple possible crises but actively stress-tests them against adversaries, vulnerabilities, and cascading risks—then backcasts those insights into today’s policies, budgets, and defensive strategies.

The polycrisis describes an era in which multiple, overlapping, and interacting crises are unfolding simultaneously. Climate change, geopolitical instability, financial fragility, technological risks, pandemics, and social polarization are not only simultaneous but interdependent, impacting each other in ways predictable and not. Traditional foresight methods, such as scenario planning, horizon scanning, Delphi surveys, have long helped governments, corporations, and civil society navigate uncertainty, but the scale and interconnectedness of today’s challenges demand a deeper commitment to transdisciplinary approaches. What is needed for the scope and scale of polycrisis is what I call polycritical foresight.

So, how can we develop more robust preparedness in the face of polycrisis? First: by blending classic foresight with a discipline from cybersecurity: threat modeling. Done together, they move us beyond imagining plausible futures to stress-testing those futures against the actors, dynamics, and vulnerabilities that make crises contagious—and then backcasting to concrete actions we can take now. This is the essence of threatcasting, a relatively new methodology proposed by Natalie Vanatta and Brian David Johnson in 2018.

This proposal (among others) persuasively argues for synthesis between these two domains. But where a gap persists is in execution—these are typically framed in a reactive posture and/or set against dystopian backdrops. I believe there is further demand for futurists to incorporate threat modeling practices into foresight strategy across scales, and critically: take as given that the polycrisis is omnipresent in all scenarios, rather than generating scenarios that specifically depict or examine collapse (e.g., “decline and collapse” scenarios in Dator’s Four Futures). There has never been a greater need for linking the tactical affordances of threat modeling with foresight and systems thinking, weaving together imagination, historical analysis, and a grasp of the interrelatedness of contemporary crises. Polycritical foresight can strengthen the resilience of positive futures, ensuring that desirable pathways are not derailed by adversarial action or cascading fragility.

Comparing and Contrasting Foresight Strategy and Threat Modeling

Threat modeling and strategic foresight have traditionally been separate practices in risk management. Threat modeling is most often associated with cybersecurity and defense; it involves identifying potential adversaries, attack vectors, and system vulnerabilities in order to prioritize mitigations. Classic threat modeling approaches (such as STRIDE or PASTA frameworks) analyze known threat actor tactics and historical attack patterns to map out “worst-case scenarios” for a given system. This adversary-focused, often technical process helps organizations harden their systems against attacks we know how to expect.

Strategic foresight, on the other hand, comes from the futures studies and strategic planning domain. It involves looking over the horizon—systematically exploring how emerging trends and uncertainties might play out in multiple future scenarios, often 5, 10, or even 30 years ahead. Techniques are used to imagine different plausible futures (both desirable and undesirable) and to devise strategies that either encourage or prevent those outcomes. Rather than prediction, foresight is about preparedness; it helps anticipate emerging trends, rather than be surprised by change.

Put simply, where threat modeling asks “How could we be attacked next?” strategic foresight asks “What else could happen, and what would we do if it did?”

At their intersection lies a crucial question: How can we better anticipate and mitigate future threats that lack historical precedent? This is increasingly salient as technological and geopolitical change accelerates. Cybersecurity professionals find that focusing only on yesterday’s attacks leaves blind spots for novel exploits. Likewise, national security strategists see the need to prepare for “unknown unknown” threats (from AI-enabled cyber weapons to bioengineered agents) which demand imaginative foresight. Thus, in the past decade, futurists and threat modelers have proposed blended approaches that incorporate forward-looking scenario analysis into the threat modeling processes. This is epitomized in threatcasting, mentioned above, as well as other proposals that include “strategic threat modeling” and “multidimensional cyber-foresight” (among others outlined below).

Foresight and its Limits in Polycrisis

Foresight is an essential tool for expanding strategic thinking. It encourages us to consider multiple futures rather than relying on a single prediction. Common foresight methods include: horizon scanning (systematically monitoring signals of change), scenario planning (building coherent narratives about alternative futures), Delphi methods (eliciting expert consensus about emerging risks), and trend analysis (projecting forward from historical data).

These methods are great for surfacing possibilities and challenging assumptions, but they often struggle with three key challenges in an environment of polycrisis:

1. Adversarial dynamics: Many crises aren't passive events; they involve deliberate actions by states, corporations, or other groups that exploit vulnerabilities. Traditional foresight often treats crises as environmental conditions rather than contested sites.

2. Systemic vulnerability: The polycrisis is all about interdependence. A single shock can cascade through multiple systems. While foresight sometimes maps these interdependencies, it often lacks the granularity to show how vulnerabilities actually propagate.

3. Actionability: Many foresight outputs inspire reflection but stop short of providing concrete steps for defense, resilience, and preparedness. In a polycrisis, we need more than just awareness; we need plans.

Enter: threat modeling.

What Is Threat Modeling?

Threat modeling originated in the field of information security as a way for organizations to proactively anticipate and mitigate cyber risks. It provides a structured way to think like an adversary and identify potential weak points before they are exploited. Its logic is based on a series of simple questions:

1. What are you protecting? (Assets)

2. Who might attack you? (Adversaries/Threats)

3. Where are your weak points? (Vulnerabilities)

4. How could a threat manifest? (Attack Vectors)

5. What can you do to reduce the risk? (Mitigations)

Like foresight, threat modeling isn’t about predicting the future. It’s about stress-testing a system to uncover blind spots and prioritize defensive investments. It's a proactive, rather than reactive, approach to risk management.

How Threat Modeling Enhances Foresight: Polycritical Foresight in Action

By integrating the logic of threat modeling, we can make our foresight work more robust and actionable.

Adding Adversarial Intelligence

Many foresight exercises treat crises like natural disasters—unavoidable external forces. But crises are often the result of deliberate choices, whether it's a trade war or a disinformation campaign. Threat modeling forces us to identify who the key actors are and what their motivations might be. This grounds foresight in the real-world politics and contestation that drive modern crises.

Mapping Vulnerabilities in Systems, Not Just Trends

While foresight often catalogs broad drivers of change (e.g., AI adoption), threat modeling drills down into the specific vulnerabilities of a system. It asks, “Where are the single points of failure?” This focus on weak points helps us understand how the polycrisis could actually reverberate across global systems—and the nth order effects that might follow.

Enabling Prioritization

A common criticism of foresight is that it can overwhelm decisionmakers with too many possibilities and signals. Threat modeling provides a way to triage these concerns by scoring threats based on likelihood and impact. This helps clients focus their resources where they matter most, even in an uncertain world.

Connecting Awareness to Mitigation

It’s easy to create a vivid scenario and then leave the audience wondering, "So what?" Threat modeling closes this gap by moving from vulnerabilities to concrete mitigation strategies. The goal is to identify defensive investments that are robust and effective across many different possible futures.

How Foresight Enhances Threat Modeling

Where foresight methodologies can benefit from threat modeling, the same is true in reverse. Many threat modeling frameworks still rely heavily on past attack patterns and overlook “unknown unknowns.” There is often an “insufficient integration of foresight into security strategies,” as one study noted, leading to an “unawareness gap” in preparing for emerging risks.

Bridging this gap will require greater collaboration among security experts and futurists, organizational culture shifts to embrace long-term thinking, and development of tools to systematically incorporate foresight insights into day-to-day risk management. Though it’s not in the scope of this article to elaborate on these points in depth, I will note that areas for improvement include developing metrics for success of foresight-informed security measures, training analysts in futurist techniques, and ensuring executive buy-in for proactive (rather than purely reactive) security investments.

What Scholarship Already Exists at This Intersection?

As I mentioned above, I’m not starting from zero here; there’s a growing body of work fusing foresight with threat analysis:

• Threatcasting (Vanatta & Johnson, 2018). A formalized 10-year threat methodology that integrates futures studies with military planning; outputs include narrative scenarios, early indicators (“flags”), and backcasted action plans.

• Multidimensional Cybersecurity Framework for Foresight (Onwubiko & Ouazzane, 2021–22). Proposes a six-domain framework (Physical, Cultural, Economic, Social, Political, Cyber) underpinned by situational awareness to ensure socio-technical drivers inform cyber risk planning.

• Strategic foresight for security (Vescent & Blakley, NSPW 2018). Ran structured foresight with security pros (interviews, scenarios, backcasting), deriving “new security paradigms” (e.g., from reactive to proactive security; human-centered design). Concluded that deeper futurist–security collaboration yields more robust strategies.

• Threat drivers research (Raban & Hauptman, 2018). Long-term foresight study eliciting major threat drivers and assessing how emerging technologies amplify defense and attack capabilities (e.g., IoT, biohacking, quantum/AI as dual-use).

• Industry practice notes. Futures Platform summarizes how to embed scanning, scenario workshops, and iteration into cyber strategy; Team Cymru frames adaptive threat models that merge strategic foresight with tactical preparedness.

• Future-back threat modeling (Vu Van Than, ISC2, 2025). A practitioner’s method to counter “past-pattern bias”—explicitly modeling hypothetical future attacks, challenging hidden assumptions, and using honeypots and anomaly-hunting to surface nascent tactics, techniques, and procedures (TTPs).

• Defense/intel foresight. National-security voices argue for layered time horizons (5/15/30-year) and dedicated threat-scenario programs for emerging science/tech risks—illustrated in analyses around “Havana Syndrome” and directed-energy concerns as a foresight failure case.

Toolbox: Practical Ways to Integrate Threat Modeling in Foresight

Scenario stress-testing with backcasting (adapted from threatcasting)

1) Build 3-4 divergent futures. 2) For each: enumerate assets, adversaries, vulnerabilities, and attack vectors. 3) Identify “flags” (what to watch) and “gates” (interventions). 4) Backcast to today’s concrete actions and owners.

Polycrisis “attack trees”

Translate interdependencies into multisystem attack/cascade trees (e.g., drought begets crop failure begets export bans begets food-price spikes begets unrest), then mark intervention points and mitigation portfolios (redundancy, circuit breakers, governance). This approach is aligned with threat-model practice and complements cyber-foresight playbooks.

Actor-centered scanning (adapted from Multidimensional Cyber-Foresight)

Expand scanning to behaviors of actors (states, firms, platforms, dark networks) that could exploit vulnerabilities—paired with trend drivers (tech, policy, culture). Multidomain lenses help catch risks that originate outside “tech.”

Resilience portfolios

Use modeled threats to assemble mitigation portfolios robust across scenarios (technical controls + process + policy). Industry guidance now frames threat modeling as a business-aligned, continuously updated program rather than a one-off artifact.

Hypothetical Case Studies

What follows are broad examples to depict how threat modeling can enhance scenarios produced using foresight methodologies. These are meant as invitations to possibility rather than exhaustive breakdowns.

Climate x Finance

The accelerating shift toward decarbonization has tied climate policy directly to global financial stability. As green investments, carbon-credit markets, and critical-mineral supply chains scale rapidly, they open up new avenues for both opportunity and exploitation. Imagine a future where the success or failure of climate policy is inseparable from financial resilience: energy security hinges on fragile supply chains, carbon markets become targets for speculation, and authoritarian regimes weaponize resource access. In this context, the intersection of climate and finance becomes a critical front line for adversarial action, cascading systemic risks, and potential crises of public trust.

• Assets: financial stability, energy supply, public trust.

• Adversaries/threats: opportunistic hedge funds, authoritarian regimes manipulating energy markets, cybercriminals targeting carbon-trading platforms.

• Vulnerabilities: overconcentration of green investment in a few technologies, dependence on fragile supply chains for critical minerals, politicized central banks.

• Attack vectors: speculative bubbles in carbon credits, coordinated ransomware on energy infrastructure, disinformation undermining climate policy.

• Mitigations: diversified investment strategies, stronger cybersecurity standards, international agreements on mineral supply governance.

Polycritical foresight techniques allow financial regulators, energy policymakers, and international institutions to anticipate where climate action intersects with financial fragility and adversarial behavior. Monitoring flags such as sudden volatility in carbon-credit markets, anomalous cyber activity targeting energy infrastructure, or sharp fluctuations in critical mineral supply chains can provide early warnings of systemic stress. With these indicators in hand, leaders could activate gates such as implementing temporary trading circuit breakers, enforcing rapid cybersecurity protocols for energy providers, or coordinating international stockpiles of critical minerals. In this way, polycritical foresight doesn’t just map vulnerabilities in the climate-finance nexus—it ensures that efforts toward a sustainable energy transition are insulated from manipulation, cascading failures, and crises of public trust.

AI-Driven Healthcare and Adversarial Misuse

AI-driven healthcare systems—ranging from diagnostic algorithms to robotic surgery platforms—promise efficiency and expanded access, but they are also vulnerable to adversarial misuse. Consider a future scenario where a nation’s healthcare infrastructure relies heavily on AI diagnostic tools integrated into hospitals and telemedicine networks.

• Assets: Patient health data, trust in healthcare institutions, availability of accurate diagnosis and treatment.

• Adversaries/Threats: Cybercriminal groups seeking to ransom hospital networks; hostile state actors attempting to destabilize public trust; insider threats manipulating algorithms for financial or political gain.

• Vulnerabilities: Dependence on opaque machine-learning models susceptible to adversarial inputs; fragile supply chains for AI-enabled devices; insufficient regulatory frameworks around algorithmic accountability.

• Attack Vectors: Adversarial data poisoning that subtly degrades model accuracy; ransomware attacks targeting hospital AI infrastructure; disinformation campaigns exaggerating algorithmic errors to erode trust in the healthcare system.

• Mitigations (Gates): Rigorous adversarial testing of healthcare algorithms before deployment; redundant diagnostic pathways that ensure human-AI collaboration; encrypted, resilient patient-data pipelines; international standards for AI validation in medicine.

By applying polycritical foresight, policymakers and healthcare organizations can anticipate these misuse scenarios and design safeguards in advance. For example, monitoring flags such as unexplained spikes in diagnostic error rates, coordinated social-media narratives about AI “failures,” or supply-chain disruptions of critical AI hardware could provide early warnings. With those indicators in hand, leaders could activate gates such as algorithm audits, public reassurance campaigns, or rapid-response protocols for affected hospitals.

Biosecurity and Engineered Pathogens

Advances in synthetic biology and gene-editing technologies offer potentially enormous benefits for medicine, agriculture, and sustainability, but they also create new risks of engineered pathogens or accidental releases. Consider a future in which cheap, widely available bioengineering tools enable both state and non-state actors to design novel viruses faster than global health systems can respond.

• Assets: Public health and safety, global mobility, trust in scientific institutions, continuity of healthcare systems.

• Adversaries/Threats: Rogue states seeking asymmetric advantage, extremist groups experimenting with bioagents, insiders at research labs, or “biohackers” unintentionally generating harmful organisms.

• Vulnerabilities: Uneven biosecurity standards across labs, gaps in international governance, reliance on centralized vaccine production facilities, lack of rapid surveillance in low-income regions.

• Attack Vectors: Release of engineered pathogens (deliberate or accidental), manipulation of genetic supply chains (e.g., contaminated DNA synthesis orders), disinformation campaigns undermining trust in vaccines and public health responses.

• Mitigations (Gates): Stronger oversight and certification of DNA synthesis providers; global standards for lab safety; investment in distributed, rapid vaccine production platforms; integration of genomic surveillance into public health systems; international data-sharing agreements for early outbreak detection.

Through polycritical foresight approaches, global health agencies, national security bodies, and biotech companies can anticipate scenarios where synthetic biology risks spill over into pandemics or geopolitical crises. Monitoring flags such as spikes in unusual DNA synthesis requests, unexplained clusters of illness in regions with biotech hubs, or coordinated narratives sowing doubt about public health authorities could provide early warnings. With these indicators in hand, leaders could activate gates such as halting suspicious synthesis orders, deploying rapid-response epidemiology teams, or invoking emergency collaboration agreements for vaccine scale-up. In this way, polycritical foresight strengthens not only pandemic preparedness but also global governance, helping prevent biotechnological developments from being misused—and from catastrophic cascading effects when they are.

Implementation Pattern (What “Good” Looks Like)

The polycrisis is dynamic, so polycritical foresight must be too. Futurists can adopt the following sample implementation plan to ensure that strategy, facilitations, and advisory are robust:

1. Standing cadence. Quarterly horizon-scan + semiannual scenario labs + annual “future-back” threat modeling sprint; plug outputs into the risk register and budget cycle.

2. Indicator architecture. Maintain a shared list of flags (early indicators) mapped to each modeled threat; instrument dashboards to watch them.

3. Backcasted roadmaps. For each priority scenario, identify “gates” (policies/controls) and assign accountable owners, deadlines, and test criteria.

4. Multidomain coverage. Use the six-domain lens to catch extra-technical drivers.

5. Red/blue teaming with futures. Test tomorrow’s potential tactics, techniques, and procedures (drawing on game theory and frameworks like MITRE ATT&CK) through tabletop exercises or live-fire drills (mirrors best practices in both industry and defense operations).

6. Program maturity. Tracking how well threat-modeling practices are actually adopted and used—who owns them, how often they’re updated, and whether they inform real decisions—rather than just producing artifacts (emphasis on governance over outputs reflects current enterprise best practice).

Toward Polycritical Foresight

We now live in an era when crises are no longer isolated events but part of a dense web of interacting risks. Foresight has always been about expanding our imagination, but imagination alone is not enough. We need sharper tools to identify where we are exposed, who might exploit those exposures, and how crises could ripple through our interconnected systems. Threat modeling without futures thinking risks clinging to yesterday’s attack patterns.

Bringing these two fields together isn’t without its challenges. Threat modeling, which works well for bounded systems, can be messy when applied to the global scale. There's also the risk of creating a false sense of precision, fostering undue paranoia, inducing scope creep, or running into political sensitivities when naming adversaries. Furthermore, more collaboration is necessary between futurists and security researchers to ensure they have a shared language to minimize cross-talk and blindspots.

Still, I believe the juice is worth the squeeze, resulting in more actionable foresight that is better attuned to the complex, interconnected nature of the polycrisis. This fusion does more than help us anticipate collapse. It equips us to improve strategic recommendations across all futures—even ones framed in a positive light—by making them more specifically resilient to adversaries, weak links, and cascading risks. Polycritical foresight weaves together foresight to expand the horizon of what might unfold; threat modeling to sharpen that horizon into actors, vulnerabilities, attack paths, and mitigations; and a clear grasp of how the polycrisis represents an interdependent system rather than a list of disparate crises. This practice is how we build strategies strong enough to withstand cascading risks—and flexible enough to adapt when confronted with unexpected emerging realities.

Share