Backlog Quality & Planning Enablement
Prioritized backlog mixing business and NFR, clear scenarios, estimation aligned to DoD, velocity tracking, retrospectives to plan, baseline compliance & threat modeling.
Milestone: Foundation
foundational
LT
DF
Job to be done: When stories lack acceptance criteria and NFRs arrive as surprises, I want scenario-based planning with threat modeling, so I can ship reliably with clear done criteria and no late security rework.
For engineers
Write stories using Given/When/Then scenarios, apply STRIDE threat modeling in refinement to surface security NFRs early, track backlog health metrics, and convert retrospective actions into process improvements and backlog tags.
What you’ll implement
These are the roadmap epic features, organized as a starter backlog.
1
Definition of Done Standard2
Non-Functional Requirements in Backlog3
Lightweight Threat Modeling4
Retrospective Action Item Tracking5
Basic Capacity PlanningExecution guide
Practical guidance aligned to the Execution Kit Definition of Done.
Outcome
Teams ship reliably through scenario-based stories, balanced NFR backlogs, and data-driven retrospectives.
Before to After Transformation
× BEFOREAd-hoc planning with late NFRs
Stories lack clear acceptance criteria, security added as afterthought, retrospectives produce no changes
# Before state:
- Stories: "Implement user profile page"
- NFRs: None defined during planning
- Threat modeling: Done at launch review (too late)
- Retrospectives: "Things went okay, keep going"
# Typical sprint outcome:
- 40% stories carry over (unclear acceptance)
- 2 security findings at launch review (delay)
- No process improvements from retrospectives
- Velocity unpredictable (30-50 point swings) AFTERScenario-driven planning with embedded quality
Clear acceptance criteria, threat modeling in refinement, continuous improvement from retrospectives
# After state:
- Stories: Given/When/Then scenarios
Example: "Given I am a user, When I view my profile, Then I see my name, email, and avatar"
- NFRs: Tagged and prioritized (20% of backlog)
Example: "[nfr-security] Implement rate limiting on profile API"
- Threat modeling: STRIDE checklist in refinement
Outcome: 3 security NFRs identified before coding
- Retrospectives: Action tracking with owners
Example: "RETRO-42-1: Reduce WIP limit to 3 to P50 cycle time 6d to 4d"
# Typical sprint outcome:
- 95% stories completed (clear acceptance)
- 0 launch review security surprises
- 3-4 process improvements per sprint
- Velocity stable (±10% variance)
# DORA improvements:
# - Deployment frequency: weekly to daily
# - Lead time: 7 days to 2 daysSymptoms
Stories are vague 'implement feature X' without acceptance criteria
NFRs (security, observability, resilience) added last-minute or skipped
Threat modeling happens only pre-launch or not at all
Retrospectives produce no actionable changes to process or backlog
Prerequisites
A backlog grooming or refinement cadence (weekly or biweekly)
A sprint retrospective process
At least one product owner and one engineering lead engaged
Implementation steps
Week 1
- Introduce Definition of Ready template with scenario (Given/When/Then) requirement
- Add threat modeling checklist to refinement agenda (STRIDE questions for user-facing stories)
- Create backlog health dashboard (story age, NFR ratio, estimation coverage)
Week 2
- Pilot scenario-based stories for 2-3 features (Gherkin or plain Given/When/Then)
- Run first threat-modeling session in refinement (capture findings in backlog as NFRs)
- Define NFR types (security, observability, performance, resilience) and tag them
Week 3
- Review backlog health metrics in planning (story age, NFR balance, estimation coverage)
- Run retrospective with explicit improvement backlog review
- Add retro action items to next sprint's DoR/DoD or backlog tags
Definition of Done
- Definition of Ready includes scenario-based acceptance criteria
- Threat modeling checklist used in refinement for user-facing stories
- Backlog health dashboard tracks NFR ratio and story age
- Retrospective actions captured in backlog or process improvements
- Practice integrated into team workflow
Metrics
Leading Indicators
- % stories with scenario-based acceptance criteria
- NFR ratio (target: 20-30%)
- Story age distribution (% < 30 days)
- Retrospective actions completed per sprint
- Threat modeling coverage (% user stories reviewed)
Lagging Indicators
- Lead time for changes (DORA)
- Deployment frequency (DORA)
- Defect escape rate
- Unplanned work ratio
- Velocity stability (variance sprint-to-sprint)
Failure modes
Scenario criteria become verbose user manuals instead of concise Given/When/Then
Threat modeling is a checkbox exercise with no actual mitigations
NFRs are tagged but never prioritized or delivered
Retrospective actions are created but not tracked or revisited
Backlog health metrics exist but nobody acts on them
Ownership
Product Owner
- Enforce Definition of Ready with scenario criteria
- Balance functional and NFR priorities in backlog
- Accept residual risks from threat modeling
Engineering Lead
- Facilitate threat modeling in refinement
- Maintain backlog health dashboard
- Track retrospective actions to completion
Teams
- Write scenario-based acceptance criteria collaboratively
- Surface NFRs during refinement
- Propose actionable retrospective improvements
What good looks like (by org scale)
Small Teams
- Definition of Ready template with Given/When/Then examples
- STRIDE checklist printed and used in refinement
- Simple backlog age report in spreadsheet
Medium Orgs
- Gherkin scenarios for all user stories
- Threat modeling findings tracked as NFRs with tags
- Automated backlog health dashboard (Jira/Azure DevOps)
- Retrospective action board with completion tracking
Enterprise
- Scenario-driven development across all products
- Threat modeling integrated into Jira workflow with required fields
- Portfolio-level backlog health visibility (PMO dashboards)
- Retrospective outcomes linked to OKRs and DORA metrics
References
Resources
Templates and related materials for this kit.
Templates
Copy/paste artifacts that support this kit.
Related capabilities
Capabilities tracked under this epic in the roadmap.
- Definition of Done StandardTeam-wide DoD template applied to >= 90% of work items before sprint planning.
- Non-Functional Requirements in BacklogNFRs (performance, security, reliability) explicitly tracked in >= 70% of epics.
- Lightweight Threat ModelingSTRIDE checklist applied to >= 60% of features touching sensitive data or external integrations.
- Retrospective Action Item Tracking>= 80% of retrospective action items tracked to closure with owner and due date.
- Basic Capacity PlanningTeam tracks velocity over >= 3 sprints and forecasts completion dates for epics with +/- 1 sprint accuracy.
Related kits
Other kits in the same milestone or with similar DORA impact.