From Interviews to DFDs

Recently, I had some discussions with threat modellers on which parts of the job can be automated, and for which we can’t seem to find great tools.

At the Threat Modeling Hackathon, some teams report difficulties in translating system architecture into data-flow diagrams (DFDs) or some other useful representation.

Where AI seems to be doing a good job is in being able to scale threat modelling, such as what this article purports (Scaling Threat Modeling with AI: Generating 1000 Threat Models Using Gemini 2.0 and AI Security Analyzer - xvnpw personal blog) with prompts such as these (fabric/patterns/create_stride_threat_model/system.md at main · danielmiessler/fabric · GitHub).

I had a go at using some tools like ThreatCanvas to try to obtain DFDs based on what we know of the system architecture. For example, ThreatCanvas can produce a decent DFD (by no means that accurate), but it only allows text-based prompts.

Here’s the question: has anyone reported much success with translating information they acquire during the information gathering and scoping phase and casting it into a DFD in a time-efficient way? If yes, what are your tricks?