Tooling

Threat Modeling Tools

Threat Dragon, pytm, Threagile, MS TMT — STRIDE / PASTA / data-flow diagrams.

Threat modeling asks "what could go wrong?" before code is written. Done well it is far cheaper than fixing things post-launch. Done badly it's a one-day Visio session that gets put in a drawer. The 2024–26 movement is "threat-modeling-as-code" — keep models in Git, regen on PRs. For static analysis to verify see Security Scanning. For runtime checks see Runtime Security. For compliance prep see Compliance (SOC 2 / ISO).

Free / OSS tools

  • OWASP Threat Dragon — modern web-based DFD-driven threat modeling; STRIDE-aware; runs locally or self-hosted. Free OSS — the reference 2024–26 OSS choice.
  • Microsoft Threat Modeling Tool (TMT) — free Windows-only; STRIDE-templated; the long-standing Microsoft reference.
  • pytm (Izar Tarandach) — Python; threat-model-as-code; generate DFD + reports from Python objects. Free.
  • Threagile — YAML model → reports + diagrams; DevOps-friendly; designed for Git workflows. Free OSS.
  • OWASP Cornucopia — card-based threat-model game; free.
  • OWASP pytm — see above.
  • Trike, VAST, OCTAVE — methodologies (not tools).

Frameworks / methodologies

  • STRIDE (Microsoft) — Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege. The most-used.
  • PASTA — Process for Attack Simulation and Threat Analysis; risk-driven, business-context-heavy.
  • DREAD (Microsoft, deprecated) — risk scoring; the D's were never really independent.
  • LINDDUN — privacy threat modeling; complementary to STRIDE.
  • MITRE ATT&CK mapping — common as the "what" once you have a STRIDE-type "where." See Threat Intelligence (MISP).
  • Trike, VAST, OCTAVE — academic / mature-org alternatives.
  • IriusRisk — commercial threat modeling SaaS / on-prem; library-driven; good for regulated industries.
  • SD Elements (Security Compass) — paid; requirement-driven; integrates with Jira.
  • ThreatModeler — paid SaaS.
  • Tutamen — paid.
  • Securicad (foreseeti / Kovrr) — attack graph + risk simulation.

Diagramming for DFDs

  • draw.io / diagrams.net — free; the universal whiteboard.
  • Excalidraw — collaborative whiteboard; great for kickoff sessions; see Diagrams & Flowcharts.
  • PlantUML / Mermaid — text-based; goes in Git alongside the model.
  • Lucidchart / Miro / FigJam — paid; classic.
  • Threat Dragon has a built-in editor.

Threat-modeling-as-code (the modern best practice)

  • Keep the model in Git. PRs to system mean PRs to the model.
  • pytm / Threagile — both designed for this; render diagrams + reports on PR.
  • MITRE Decider — free; helps with technique mapping.
  • C4 model — architecture diagrams that are also good DFD bases.

When threat modeling actually pays off

  • New service kickoff — 2 hours saves rewrites.
  • Major architecture change — new auth path, new data store, new third party.
  • Compliance milestone (SOC 2 / ISO) — auditors love a documented threat model.
  • Pre-pentest — gives the testers an enriched scope.
  • Post-incident — "could we have foreseen this?" → update the model.

Practical session pattern

  • 30-min DFD whiteboard — actors, processes, stores, trust boundaries.
  • Walk STRIDE per element — 10 min/element max.
  • Capture each threat with mitigation owner + Jira ticket.
  • Re-export the diagram to the repo.
  • Schedule a 6-month review.

What it is not

  • A penetration test.
  • A SAST/DAST run.
  • A guarantee of completeness — STRIDE will miss business-logic flaws.
  • An excuse to skip Security Scanning.

Pick this if…

  • Default OSS visual tool: OWASP Threat Dragon.
  • Microsoft / Windows shop, simple model: Microsoft TMT.
  • Threat-modeling-as-code, Python: pytm.
  • DevOps-friendly YAML: Threagile.
  • Regulated industry / large org: IriusRisk or SD Elements.
  • Privacy-side coverage: LINDDUN methodology in any of the above tools.

On this page