Shostack + Friends Blog


Threat Modeling Tools

A 2025 view of threat modeling tools

[Image: a robot at a whiteboard explaining a complicated diagram to a bored, skeptical audience around a conference table.]

People frequently ask me what threat modeling tooling they should use. My answer is always: The best threat modeling tool for you is the one that solves a specific problem that you can articulate. To help you articulate the problems, this is one part of a two-part series. The second post will dive deep into LLMs for threat modeling.

Threat modeling tools generally fall into four groups:

  • General purpose tools like whiteboards or Google docs
  • Programmer threat modeling tools (eg, pytm)
  • Individual/small team threat modeling tools (eg, MS-TMT or Threat Dragon)
  • Enterprise threat modeling tools (eg, IriusRisk)
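
To make the "programmer threat modeling tool" category concrete, here is an added, standalone sketch of threat modeling as code. It is not pytm's code or API (pytm is only named above), and the browser/web app/database system it models is constructed for illustration. Elements and dataflows are declared in Python, then the STRIDE-per-element rules are applied mechanically to produce a threat list, and flows that cross a trust boundary without transport protection are flagged, which is exactly the kind of analysis a whiteboard or Visio diagram will not do for you.

```python
"""Threat modeling as code: a minimal, pytm-flavoured sketch.

This is an added illustration, not pytm's own API.  Elements and
dataflows are declared in code, then STRIDE-per-element rules are
applied to enumerate threats.  The system modelled in build_example()
is constructed for the example.
"""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element: which threat categories apply to each element kind.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # one of APPLICABLE's keys (data_flow is handled separately)
    boundary: str    # trust boundary the element lives in


@dataclass(frozen=True)
class Dataflow:
    src: Element
    dst: Element
    label: str
    encrypted: bool = False


@dataclass
class Model:
    name: str
    elements: list = field(default_factory=list)
    flows: list = field(default_factory=list)

    def element(self, name, kind, boundary):
        e = Element(name, kind, boundary)
        self.elements.append(e)
        return e

    def flow(self, src, dst, label, encrypted=False):
        f = Dataflow(src, dst, label, encrypted)
        self.flows.append(f)
        return f

    def threats(self):
        """Return (target, category) pairs from STRIDE-per-element."""
        out = []
        for e in self.elements:
            for letter in APPLICABLE[e.kind]:
                out.append((e.name, STRIDE[letter]))
        for f in self.flows:
            target = f"{f.src.name} -> {f.dst.name} ({f.label})"
            for letter in APPLICABLE["data_flow"]:
                out.append((target, STRIDE[letter]))
        return out

    def boundary_crossings(self):
        """Flows that cross a trust boundary; review these first."""
        return [f for f in self.flows if f.src.boundary != f.dst.boundary]

    def unencrypted_crossings(self):
        """Boundary-crossing flows with no transport protection."""
        return [f for f in self.boundary_crossings() if not f.encrypted]


def build_example():
    # Constructed sample system: browser -> web app -> orders database.
    tm = Model("Constructed web app")
    user = tm.element("Browser", "external_entity", "Internet")
    web = tm.element("Web app", "process", "DMZ")
    db = tm.element("Orders DB", "data_store", "Internal")
    tm.flow(user, web, "HTTPS request", encrypted=True)
    tm.flow(web, db, "SQL query")   # plain TCP across a trust boundary
    return tm


if __name__ == "__main__":
    tm = build_example()
    for target, category in tm.threats():
        print(f"{category:24} {target}")
    for f in tm.unencrypted_crossings():
        print(f"REVIEW: unencrypted boundary crossing {f.src.name} -> {f.dst.name}")
```

Because the model is code, it can live next to the system it describes, be diffed in pull requests, and be re-run whenever an element or flow changes; that is the scaling property programmer-oriented tools offer that drawing tools do not.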

This model foreshadows how LLMs fit in. (Spoiler: Any of these can add an LLM, which limits the value we get from talking about “AI supported threat modeling,” and which is why it’s helpful to start with this model of types of tools.)

Any threat modeling project or program has tools, even if they’re not specialized. Editors, drawing tools and the like get picked because they’re familiar and integrated into workflows, and they are often insufficient because they don’t do the things you hope they would, like analyze your diagram. But from whiteboards to Word to Miro, your existing tools can take you a long way, and then leave you wanting more.

As we consider threat modeling specific tooling, we should consider who’ll use it. “Scaling” is a common goal, and usually involves more people threat modeling. Considering their learning curve and other elements of adoption can help us to think about what can go wrong and what we’re going to do about those things. Familiarity is valuable, but not the only value. It’s one of the things that keeps companies running on Excel long past the time when they should replace it.

I often use the metaphor of Excel versus SAP or Oracle Financials to illustrate the relationship between Microsoft’s TMT and IriusRisk. Microsoft TMT is the Excel in this metaphor. You can manage files and otherwise make it work as you grow, but it's not an enterprise tool with permissions, change management, approvals, project status, et cetera. There’s a tremendous amount of error-prone busywork in trying to scale Excel to running a business.

When people talk about using LLMs to help with threat modeling, there are a few ways they might be working with them. Those are:

  1. Standard chatbots
  2. Standard chatbots with structured prompts, used manually
  3. Security chatbots (Deep Hat (formerly Whiterabbit), StrideGPT)
  4. Security chatbots, structured prompts
  5. One time investment in RAG (etc) to provide structure
  6. Ongoing product development effort

LLM support for threat modeling can fit into any of the tool types above (programmer, small team, or enterprise) or work in the general purpose tools. I don’t really want an LLM-enabled whiteboard, but here we are.

Scaling is a very common goal for tooling. If you’re thinking carefully about what I’m saying, you’ll see I’ve outlined at least two scaling challenges that tools can help address. The first is “more people threat modeling,” the second is “managing the process and outputs.” Being even more specific, more people threat modeling may involve help in creating diagrams, analyzing what can go wrong, or selecting or implementing mitigations. Being precise will make it easier to reach a goal and see that you’re reaching it.

I’ll walk through some of the tradeoffs for LLMs in another post shortly.

Midjourney: a photograph of a robot standing at a whiteboard, trying to explain a crazy complicated diagram to a group of people seated around a conference table. On the conference table are old fashioned brass and glass scientific tools. the people at the table are bored:3 and skeptical:2. --ar 8:3 --v 6.1