Known threat modeling tooling

Awesome Threat Modelling contains a good list of tools, but hasn’t been updated in a year, and hasn’t accepted any PRs either, so it seems worth capturing the content here as well (along with the PRs requested).

Free tools

  • OWASP Threat Dragon - An online threat modelling web application including system diagramming and a rule engine to auto-generate threats/mitigations.
  • Microsoft Threat Modeling Tool - Microsoft Threat Modeling Tool 2016 is a tool that helps in finding threats in the design phase of software projects.
  • Owasp-threat-dragon-gitlab - This project is a fork of the original OWASP Threat Dragon web application by Mike Goodwin with Gitlab integration instead of GitHub. You can use it with the Gitlab.com or your own instance of Gitlab.
  • Raindance - Project intended to make Attack Maps part of software development by reducing the time it takes to complete them.
  • Threatspec - Threatspec is an open source project that aims to close the gap between development and security by bringing the threat modelling process further into the development process.
  • PyTM - PyTM is an open source project providing a library for threat modeling with code. Describe your system using OO syntax (object.property = value) and have your threat modeling report automatically generated. 100+ threats currently supported.
  • MAL - MAL is an open source project that supports creation of cyber threat modeling systems and attack simulations.
  • Threagile - Threagile is an open-source toolkit for agile threat modeling
  • TicTaaC - Threat modeling-as-a-Code in a Tick (TicTaaC). Lightweight and easy-to-use Threat modeling solution following DevSecOps principles
  • Threat Modeling Online Game - Online version of the Elevation of Privilege and Cornucopia card games. The easy way to get started with threat modeling.
  • Deciduous - A web app that simplifies building attack decision trees. Hosted at https://www.deciduous.app/
  • drawio-threatmodeling - A collection of custom libraries to turn the free and cross-platform Draw.io diagramming application into the perfect tool for threat modeling.
  • Gram - A collaborative threat model diagramming web application with built-in threat/control suggestions, tutorial and more.
  • TaaC-AI - AI-driven Threat modeling-as-a-Code (TaaC).

Paid tools

  • Irius risk - Iriusrisk is a threat modeling tool with an adaptive questionnaire driven by an expert system which guides the user through straight forward questions about the technical architecture, the planned features and security context of the application.
  • SD elements - Automate Threat Modeling with SD Elements.
  • Foreseeti - SecuriCAD Vanguard is an attack simulation and automated threat modeling SaaS service that enables you to automatically simulate attacks on a virtual model of your AWS environment.
  • Tutamen Threat Model system - This tool allows threat model metadata to be added to any software diagram, turning that diagram into a threat model. It’s simple to use, requires no lock-in license, and is driven by the Common Weakness Enumeration, STRIDE and OWASP Top 10.
  • YAKINDU Security Analyst - YAKINDU Security Analyst is a model-based software tool for threat analysis and risk assessment of technical systems. You can identify your protection needs, analyze possible threats and calculate the resulting risks. The underlying assessment model and calculation logic are highly customizable and can be integrated into existing toolchains.
  • CyberSage Inc. - With an AI powered Threat Modeling engine, CyberSage incorporates contextual risk data as input including business value and risk, functionality, technology stack and existing controls to produce contextualized threat model. Through automation, CyberSage injects the contextualized threat model into life cycle of software development and security risk management.
2 Likes