With a systematic analysis of the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker, defenders can focus on what is most important to protect. It's systematic and, like penetration testing, a dance. Though pigeonholed into these stances, and though many assistive tools exist, the best results come from using all and none of them, using common sense, and including other experienced perspectives.
It all depends: on who the adversaries are, on the context, on what information needs protecting, on the assets (networks, software, data and information systems, development environments), on what is considered in scope and what is not, on the people using the system (i.e. the individuals working on the definition, implementation and maintenance of security policies), and on whether lives depend on it or not.
Role-plays in which people play the role of the adversary can be especially enlightening and open the door to more overlooked solutions. This has led us to adopt red teaming and adapt it into colourful teaming to include more directions (and mindsets). Its success depends on coalition building and further threat modelling.