Pick a small web feature you control (a login flow, a file upload, a comment system). Produce a 2-page threat model: a dataflow diagram with trust boundaries marked, STRIDE applied at every boundary crossing, an attack-tree sketch for one critical outcome, a controls list with at least one control per identified threat, and the residual risk explicitly stated and accepted rather than left implicit. Review it with one other engineer; iterate.
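The following is an added example, not part of the exercise text above: a threat model for a hypothetical login flow expressed as code, so that the completeness rules the exercise asks for can be checked mechanically. The elements, zones, flows, threats, controls and attack tree are all constructed for illustration and are assumptions, not a real system's model. `missing_stride` lists every (boundary crossing, STRIDE category) pair the analyst never considered, `unresolved` lists threats with neither a control nor an explicit acceptance, `residual_risks` collects what was knowingly accepted, and `attack_paths` expands the attack tree into the leaf combinations that reach the root.

```python
"""Threat model as code for a constructed login flow (illustrative, not a real system)."""
from dataclasses import dataclass, field
from itertools import product
from typing import Optional

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass(frozen=True)
class Element:
    name: str
    zone: str   # trust zone; a flow between two different zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone

    def label(self) -> str:
        return f"{self.src.name} -> {self.dst.name} ({self.data})"


@dataclass
class Threat:
    flow: Flow
    category: str                   # one of STRIDE
    description: str
    controls: list = field(default_factory=list)
    accepted: Optional[str] = None  # rationale when the residual risk is knowingly accepted


def boundary_flows(flows):
    """Only flows that cross a trust boundary get STRIDE treatment."""
    return [f for f in flows if f.crosses_boundary()]


def missing_stride(flows, threats):
    """(crossing, category) pairs that were never considered at all."""
    considered = {(t.flow, t.category) for t in threats}
    return [(f.label(), cat) for f in boundary_flows(flows) for cat in STRIDE
            if (f, cat) not in considered]


def unresolved(threats):
    """Threats with neither a control nor an explicit acceptance: gaps to close before review."""
    return [t.description for t in threats if not t.controls and t.accepted is None]


def residual_risks(threats):
    """What the model explicitly accepts, with the rationale that must appear on the page."""
    return [(t.description, t.accepted) for t in threats if t.accepted is not None]


def attack_paths(node):
    """Expand an attack tree into the leaf sets that achieve the root.
    A node is a leaf string, ('OR', [children]) or ('AND', [children])."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, children = node
    child_paths = [attack_paths(c) for c in children]
    if op == "OR":                       # any child's path suffices
        return [p for paths in child_paths for p in paths]
    if op == "AND":                      # one path from every child, combined
        return [frozenset().union(*combo) for combo in product(*child_paths)]
    raise ValueError(f"unknown node type {op!r}")


# Constructed sample model: browser -> web app -> auth service -> user DB.
browser = Element("Browser", "internet")
webapp = Element("Web app", "dmz")
auth = Element("Auth service", "internal")
userdb = Element("User DB", "internal")

FLOWS = [
    Flow(browser, webapp, "username+password"),
    Flow(webapp, browser, "session cookie"),
    Flow(webapp, auth, "credential check"),
    Flow(auth, userdb, "hash lookup"),   # internal -> internal: no boundary crossing
]
login, cookie, check, lookup = FLOWS

THREATS = [  # deliberately incomplete, so the checks below have something to report
    Threat(login, "Spoofing", "Credential stuffing with breached passwords",
           controls=["per-account and per-IP rate limiting", "MFA"]),
    Threat(login, "Tampering", "Credentials altered in transit", controls=["TLS with HSTS"]),
    Threat(login, "Repudiation", "User denies a login happened", controls=["auth audit log"]),
    Threat(login, "Information disclosure", "Credentials sniffed in transit", controls=["TLS with HSTS"]),
    Threat(login, "Denial of service", "Login endpoint flooded", controls=["rate limiting"]),
    Threat(login, "Elevation of privilege", "Login bypass via injected parameters",
           controls=["server-side validation", "parameterised queries"]),
    Threat(cookie, "Information disclosure", "Session cookie read by injected script",
           controls=["HttpOnly; Secure; SameSite=Lax"]),
    Threat(cookie, "Spoofing", "Session fixation"),   # no control yet: shows up in unresolved()
    Threat(check, "Spoofing", "Rogue host impersonates the web app to the auth service",
           accepted="auth service reachable only from the web app subnet; mTLS deferred"),
]

ATTACK_TREE = ("OR", [   # root: attacker is logged in as the victim
    ("AND", ["breached password list", "no MFA on victim account"]),
    ("AND", ["script injection on any page", "cookie readable by script"]),
    ("AND", ["guessable reset token", "reset token not single-use"]),
])

if __name__ == "__main__":
    for gap in missing_stride(FLOWS, THREATS):
        print("never considered:", gap)
    print("unresolved:", unresolved(THREATS))
    print("accepted:", residual_risks(THREATS))
    print("attack paths:", [sorted(p) for p in attack_paths(ATTACK_TREE)])
```

Run as a script, it prints the nine boundary-crossing STRIDE categories nobody wrote a threat for, the one threat with no control and no acceptance, the one accepted residual risk, and the three leaf combinations in the tree. Those four lists are the review agenda for the second engineer.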