Threat Modeling Tools
Threat Dragon, pytm, Threagile, MS TMT — STRIDE / PASTA / data-flow diagrams.
Threat modeling asks "what could go wrong?" before code is written. Done well it is far cheaper than fixing things post-launch. Done badly it's a one-day Visio session that gets put in a drawer. The 2024–26 movement is "threat-modeling-as-code" — keep models in Git, regen on PRs. For static analysis to verify see Security Scanning. For runtime checks see Runtime Security. For compliance prep see Compliance (SOC 2 / ISO).
Free / OSS tools
- ★ OWASP Threat Dragon — modern web-based DFD-driven threat modeling; STRIDE-aware; runs locally or self-hosted. Free OSS — the reference 2024–26 OSS choice.
- Microsoft Threat Modeling Tool (TMT) — free Windows-only; STRIDE-templated; the long-standing Microsoft reference.
- pytm (Izar Tarandach) — Python; threat-model-as-code; generate DFD + reports from Python objects. Free.
- Threagile — YAML model → reports + diagrams; DevOps-friendly; designed for Git workflows. Free OSS.
- OWASP Cornucopia — card-based threat-model game; free.
- OWASP pytm — see above.
- Trike, VAST, OCTAVE — methodologies (not tools).
Frameworks / methodologies
- ★ STRIDE (Microsoft) — Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege. The most-used.
- PASTA — Process for Attack Simulation and Threat Analysis; risk-driven, business-context-heavy.
- DREAD (Microsoft, deprecated) — risk scoring; the D's were never really independent.
- LINDDUN — privacy threat modeling; complementary to STRIDE.
- MITRE ATT&CK mapping — common as the "what" once you have a STRIDE-type "where." See Threat Intelligence (MISP).
- Trike, VAST, OCTAVE — academic / mature-org alternatives.
Paid commercial
- IriusRisk — commercial threat modeling SaaS / on-prem; library-driven; good for regulated industries.
- SD Elements (Security Compass) — paid; requirement-driven; integrates with Jira.
- ThreatModeler — paid SaaS.
- Tutamen — paid.
- Securicad (foreseeti / Kovrr) — attack graph + risk simulation.
Diagramming for DFDs
- draw.io / diagrams.net — free; the universal whiteboard.
- Excalidraw — collaborative whiteboard; great for kickoff sessions; see Diagrams & Flowcharts.
- PlantUML / Mermaid — text-based; goes in Git alongside the model.
- Lucidchart / Miro / FigJam — paid; classic.
- Threat Dragon has a built-in editor.
Threat-modeling-as-code (the modern best practice)
- ★ Keep the model in Git. PRs to system mean PRs to the model.
- pytm / Threagile — both designed for this; render diagrams + reports on PR.
- MITRE Decider — free; helps with technique mapping.
- C4 model — architecture diagrams that are also good DFD bases.
When threat modeling actually pays off
- New service kickoff — 2 hours saves rewrites.
- Major architecture change — new auth path, new data store, new third party.
- Compliance milestone (SOC 2 / ISO) — auditors love a documented threat model.
- Pre-pentest — gives the testers an enriched scope.
- Post-incident — "could we have foreseen this?" → update the model.
Practical session pattern
- ★ 30-min DFD whiteboard — actors, processes, stores, trust boundaries.
- Walk STRIDE per element — 10 min/element max.
- Capture each threat with mitigation owner + Jira ticket.
- Re-export the diagram to the repo.
- Schedule a 6-month review.
What it is not
- A penetration test.
- A SAST/DAST run.
- A guarantee of completeness — STRIDE will miss business-logic flaws.
- An excuse to skip Security Scanning.
Pick this if…
- Default OSS visual tool: OWASP Threat Dragon.
- Microsoft / Windows shop, simple model: Microsoft TMT.
- Threat-modeling-as-code, Python: pytm.
- DevOps-friendly YAML: Threagile.
- Regulated industry / large org: IriusRisk or SD Elements.
- Privacy-side coverage: LINDDUN methodology in any of the above tools.