As part of our research for a presentation on threat modeling automation and tooling, we examined the available threat modeling tools and compiled the list below to share publicly. This directory focuses exclusively on Threat Modeling Tools—software, code, libraries, or services that automate, guide, or support the design-time threat modeling process.
58 tools indexed — including organisation, AI capabilities, type, license, status, and description.
| Tool | Organisation | Released | AI | Type | License | Status | Description |
|---|---|---|---|---|---|---|---|
| ADTool | Université de Luxembourg | 2013 | No | Academic | MIT | Active | The Attack-Defense Tree Tool (ADTool) allows users to model and analyze attack-defense scenarios represented with attack-defense trees and attack-defense terms. |
| Adversarial Robustness Toolbox (ART) | Linux Foundation AI & Data | 2018 | Yes (2018) | Community | MIT | Active | An open-source Python library for testing and improving the robustness of machine learning models against adversarial attacks. |
| Agent Wiz | Repello | 2024 | Yes (2024) | Community | Apache-2.0 license | Active | A CLI tool for threat modeling and visualizing AI agents built using popular frameworks like LangGraph, AutoGen, CrewAI, and more. |
| AI Security Analyzer | Personal release | 2024 | Yes (2024) | Personal | MIT | Active | A powerful tool that leverages AI to automatically generate comprehensive security documentation for your projects |
| Aribot | Aristiun | 2023 | Yes (2023) | Commercial | Proprietary | Active | An AI-powered platform that automatically generates threat models, traceable security requirements, and cloud-specific mitigations from system architecture to improve proactive security and complia... |
| Arrows | FuzzingLabs | 2025 | Yes (2025) | Personal | No license stated | Active | AI Agent for Threat Modeling |
| AT-AT | Carleton University | 2022 | No | Academic | MIT | Active | AT-AT (Attack Tree Analysis Tool) is an application that allows users to develop and analyze attack trees. |
| Attack Tree GPT | Personal release | 2024 | Yes (2024) | Personal | No license stated | Active | A GPT-based tool that automatically generates attack trees from system descriptions. |
| AttackTree | Isograph | 2018 | No | Commercial | Proprietary | Active | Model system vulnerability, identify weak spots and improve security using threat analysis and attack trees. |
| AttackTree.online | Schneider IT-Security | 2023 | Yes (2023) | Freeware | Proprietary | Active | A web-based platform for creating and visualizing attack tree diagrams. |
| CAIRIS | Community release | 2012 | No | Community | Apache-2.0 license | Active | Computer Aided Integration of Requirements and Information Security |
| CyberSage | CyberSage | 2023 | Yes (2023) | Commercial | Proprietary | Active | An Azure Marketplace solution for automated, AI-enhanced threat modeling. |
| Deciduous | Community release | 2021 | No | Personal | GPL-2.0 license | Active | A lightweight attack tree modeling application focused on practical risk visualization. |
| Devici | Security Compass | 2023 | Yes (2023) | Commercial | Proprietary | Active | A risk modeling platform for simulating cyber threats and business impact scenarios. |
| Dragon-GPT | Community release | 2023 | Yes (2023) | Personal | MIT | Active | A GPT-powered tool for generating threat models using structured security frameworks. |
| Ent | Personal release | 2016 | No | Personal | GPL-3.0 license | Active | An attack tree generator built on Electron |
| Evoke Security | Evoke Security | 2026 | Yes (2026) | Commercial | Proprietary | Active | Cybersecurity platform purpose-built to secure the agentic workforce. Provides AI Security Posture Management with threat modeling, automated agent/tool discovery, attack path mapping, and real-tim... |
| ForkTM | VerSprite | 2023 | No | Commercial | Proprietary | Active | A threat modeling collaboration platform for structured security design discussions. |
| Gram | Klarna | 2023 | No | Community | Apache-2.0 license | Active | An internal threat modeling automation tool developed by Klarna for secure system design. |
| IriusRisk | IriusRisk | 2016 | Yes (2024) | Commercial | Proprietary | Active | A commercial threat modeling platform that integrates automated security design into the SDLC. |
| itemis SECURE | itemis AG | 2020 | No | Commercial | Proprietary | Active | Itemis SECURE is a model-based software tool for threat analysis and risk assessment of technical systems |
| Microsoft Threat Modeling Tool | Microsoft | 2008 | No | Freeware | Proprietary | Active | Microsoft's official tool for building STRIDE-based threat models for software systems. |
| OVVL (Open Weakness & Vulnerability Modeler) | University of Applied Sciences Offenburg | 2018 | No | Academic | No license stated | Active | An open-source modeling framework for representing and analyzing weaknesses, vulnerabilities, and threats across system architectures. |
| PILLAR | Fondazione Bruno Kessler | 2024 | Yes (2024) | Academic | Apache-2.0 license | Active | An AI-Powered Privacy Threat Modeling tool based on the LINDDUN framework by leveraging Large Language Models. |
| PLOT4AI Assessment | PLOT4AI | 2020 | Yes (2020) | Personal | CC-BY-SA-4.0 license | Active | An AI-focused threat modeling and risk assessment platform that uses a structured library of 130+ AI-specific threat cards to help teams identify, assess, and mitigate security, privacy, governance... |
| Prime | Prime Security | 2024 | Yes (2024) | Commercial | Proprietary | Active | Prime's AI Security Architect helps Product Security teams scale design-stage coverage without adding headcount by automating design reviews, surfacing missed risks, and delivering actionable mitig... |
| PyTM | OWASP | 2018 | No | Personal | Apache-2.0 license/MIT license | Active | Pythonic framework for threat modeling |
| Raindance | Personal release | 2019 | No | Personal | Apache-2.0 license | Active | A tool for visualizing and mapping attack surfaces and threat relationships to support structured security analysis. |
| RiskTree | 2T Security | 2014 | No | Commercial | Proprietary | Active | RiskTree is a structured approach for risk management. Based around the well-established concept of attack trees, it provides a systematic way of capturing and prioritizing the risks to your busine... |
| SAP Threat Modeling Tool | RedRays | 2024 | No | Personal | MIT license | Active | An open-source, on-premises web application that analyzes and visualizes connections between SAP systems to help identify potential security risks and vulnerabilities within an SAP landscape |
| SD Elements | Security Compass | 2011 | Yes (2024) | Commercial | Proprietary | Active | A commercial secure SDLC and threat modeling automation platform. |
| SeaMonster | Community release | 2007 | No | Community | GNU Library or Lesser General Public License version 3.0 (LGPLv3) | Archived | A graphical security modeling tool based on Eclipse frameworks, used for modeling attack trees, misuse cases, and vulnerability cause graphs. |
| SeaSponge | Mozilla | 2014 | No | Community | MPL-2.0 license | Archived | A web-based collaborative threat modeling and security diagramming tool for visualizing system components and identifying potential threats. |
| securiCAD | Foreseeti | 2014 | No | Commercial | Proprietary | Archived | Enabled users to get a holistic, in-depth view of the cybersecurity risk posture, triage and prioritize the risks, and identify and prioritize the risk mitigation actions with the best risk-mitigat... |
| SecurITree | Amenaza | 2001 | No | Commercial | Proprietary | Active | A professional attack tree modeling software with quantitative risk analysis capabilities. |
| securityreview.ai | we45 | 2025 | Yes (2025) | Commercial | Proprietary | Active | An AI-driven platform that analyzes system designs and architecture to automatically identify security gaps, threats, and recommended mitigations. |
| Seezo.io | Seezo Infosec India Private Limited | 2024 | Yes (2024) | Commercial | Proprietary | Active | A security design and architecture review service offering automated feedback and insights on risks and threats in system models. |
| SPARTA | KU Leuven | 2018 | No | Academic | Proprietary | Active | A research platform for structured privacy and security threat analysis. |
| StartLeft | IriusRisk | 2021 | No | Commercial | Apache-2.0 license | Active | An automation tool for generating threat models written in the Open Threat Model (OTM) format |
| STRIDE GPT | Personal release | 2023 | Yes (2023) | Personal | MIT | Active | A GPT-powered assistant for generating STRIDE-based threat models. |
| TaaC-AI | Community release | 2023 | Yes (2023) | Community | MIT | Active | AI-driven Threat Modeling-as-a-Code (TaaC-AI) |
| td-ai-modeler | Personal release | 2025 | Yes (2025) | Personal | Apache-2.0 license | Active | An intelligent threat modeling application that uses Large Language Models (LLMs) to automatically generate security threats for Threat Dragon models. |
| Threagile | Personal release | 2020 | No | Personal | MIT | Active | An open-source "Threat Modeling as Code" framework for automated risk analysis. |
| Threat Composer | Amazon | 2023 | Yes (2025) | Commercial | Apache-2.0 license | Active | A web-based AWS tool for building threat models aligned with AWS architectures. |
| Threat Designer | Amazon | 2025 | Yes (2025) | Community | Apache-2.0 license | Active | A visual threat modeling tool for AWS workloads and cloud-native systems. |
| Threat Dragon | OWASP | 2015 | No | Community | Apache-2.0 license | Active | An open-source threat modeling tool supporting STRIDE and diagram-based modeling. |
| Threat Modeling GPTs - example | Personal release | 2024 | Yes (2024) | Freeware | Proprietary (Free) | Active | A custom GPT designed to assist users in creating structured threat models. |
| ThreatCanvas | SecureFlag | 2023 | Yes (2023) | Commercial | Proprietary | Active | An AI-powered automated threat modeling tool that generates threat model diagrams and suggested threats/controls from textual system descriptions and integrates with development workflows to help t... |
| Threatcl | Personal release | 2021 | No | Personal | MIT | Active | Threat Modeling with HCL (HashiCorp's Configuration Language) |
| ThreatModeler | ThreatModeler | 2010 | Yes (2023) | Commercial | Proprietary | Active | An enterprise-grade automated threat modeling and risk management platform. |
| ThreatPad | Threat-Modeling.net | 2025 | No | Personal | Unknown | Active | A collaborative online threat modeling and attack tree design tool. |
| ThreatPlaybook | we45 | 2018 | No | Personal | Unknown | Active | A structured methodology and resource for practical threat modeling exercises. |
| Threats Manager Studio | Microsoft | 2020 | No | Personal | Proprietary/Freeware | Active | A framework and guide for implementing structured threat management processes. |
| Threatspec | Personal release | 2019 | No | Personal | MIT | Active | A framework that lets developers embed threat modeling directly into source code and CI/CD workflows using structured annotations. |
| Threatware | Personal release | 2022 | No | Personal | Apache-2.0 license | Active | Simplifies the review and management of threat models. threatware works directly with threat models as documents in Confluence/Google Docs. |
| TicTaaC | Personal release | 2021 | No | Personal | Apache-2.0 license | Active | Threat modeling-as-a-Code in a Tick (TicTaaC): a lightweight and easy-to-use threat modeling solution following DevSecOps principles |
| tmdd | Attasec | 2026 | Yes (2026) | Personal | Apache-2.0 license | Active | CLI tool for continuous threat modeling that integrates STRIDE-based threat models directly alongside code using YAML definitions. Uses AI coding assistants to analyse real codebases and generate s... |
| Tutamen Threat Model Automator | Tutamantic Sec | 2015 | No | Commercial | Proprietary | Archived | A cloud-based tool that automatically generates structured threat models and mitigation suggestions from system architecture and design inputs. |
Version 5 — March 2026
The threat modeling process is a continuous, design-time activity applied throughout the system development lifecycle. As defined in the Threat Modeling Manifesto, this involves analyzing system representations to highlight security and privacy concerns.
The primary requirement for inclusion is that the tool must be an actual application, library, or service that performs work. Specifically, it must be:
- Software, Code, Library, or Service: An executable artifact.
- Automating, Guiding, or Supporting: Must facilitate the design-time threat modeling process.
Important Distinction: Threat Modeling Tools are focused on design-time analysis, guiding architectural risk mitigation.
- We exclude Threat Intelligence and Threat Hunting tools as they are operational activities focused on the external threat environment or active intrusions in live systems.
- Not Solely a Methodology or Framework: Conceptual guides are excluded.
We welcome contributions to expand and enhance this list! If you have any additional tools you believe should be listed here, please open a pull request or an issue on this repository. Feel free to reach out to us on the Toreon Threat Modeling Page for questions or further discussion.