🛡 Open source · Self-hostable · Claude or OpenAI

AI-powered threat modeling for engineering teams

STRIDE, DREAD, LINDDUN, PASTA and OWASP Top 10 in one tool. Paste a description, upload a diagram, or build a DFD — get a prioritized threat list in seconds.

Branches

Where to find everything

Everything now lives on main — a single source of truth. The former feature/enhancements branch has been merged in.

main: Original application
The clean, unmodified original codebase. STRIDE, DREAD, LINDDUN, PASTA. Interactive DFD builder, project management, auth, reports.
4 frameworks · ~800 app.py lines

main · enhanced: All enhancements ✦
OWASP Top 10, MITRE ATT&CK mapping, CVSS 4.0, compliance controls, custom rules, dark mode, keyboard shortcuts, share links, AI code fixes, PostgreSQL, health checks, CI/CD, and more.
5 frameworks · +15 new features · +7 new endpoints · 78 total files

Quick start

Run locally in 4 steps

Runs from the main branch. Python 3.11+ required.

1. Clone the repo (everything is on main)
git clone https://github.com/rootabhi1/Automated-Threat-Modelling
cd Automated-Threat-Modelling/threat-modeler

2. Create virtual env + install (isolate dependencies)
# Mac / Linux
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

# Windows
python -m venv .venv
.venv\Scripts\activate
pip install -r requirements.txt

3. Set environment variables (3 required · rest are optional)
# Required (the admin email and password below are sample values; set your own)
export INITIAL_ADMIN_EMAIL=admin@example.com
export INITIAL_ADMIN_PASSWORD=changeme123
export JWT_SECRET=$(python3 -c \
  "import secrets; print(secrets.token_urlsafe(48))")

# Optional — enables Claude AI features
export ANTHROPIC_API_KEY=sk-ant-...

4. Start the server (then visit http://localhost:8000)
# Option A — launcher script
chmod +x run.sh && ./run.sh

# Option B — Python directly
python app.py

# Option C — with auto-reload
uvicorn app:app --reload --port 8000

# Option D — Docker
docker compose up --build

Verify it's working: curl http://localhost:8000/healthz should return {"status":"ok","version":"2.1"}. Then open http://localhost:8000/docs for the interactive API explorer.

Features

What's in the feature branch

All features on top of the original — nothing removed or broken.

🎯 OWASP Top 10 2021 (NEW)
10 categories, 22 threats covering A01 Broken Access Control through A10 SSRF. Auto-registered — just tick the checkbox.

MITRE ATT&CK mapping (NEW)
Every threat now shows its ATT&CK Technique ID and tactic. Clickable badge links directly to attack.mitre.org.

📋 Compliance controls (NEW)
SOC2, ISO 27001, and PCI-DSS control IDs mapped from CWE per threat. Shown in expanded threat cards and CSV export.

🔧 AI code fix generator (NEW)
Click Fix on any threat — Claude generates a before/after code snippet in your stack. Copy to clipboard.

⚙️ Custom threat rules (NEW)
Define domain-specific threats in the UI. They persist to DB and run alongside built-in analysis every time.

🔗 Share link (NEW)
Generate a 7-day read-only URL. Stakeholders can view the interactive report with no login required.

🌙 Dark / light mode (NEW)
Toggle in the header. Preference saved to localStorage. Full dark theme with CSS variables.

⌨️ Keyboard shortcuts (NEW)
n component · f flow · b boundary · a auto-layout · Ctrl+S save · ? help overlay.

📊 Release diff view (NEW)
Compare two saved threat models: new threats, resolved, severity changes, and attack surface delta.

🖼️ Diagram upload
Drop an architecture PNG/JPG/WebP. Claude Vision extracts components, flows, and trust boundaries automatically.

📐 5 system templates
SaaS Web App, Mobile + API, Microservices, Data Pipeline, IoT. Load in one click and edit before analyzing.

📄 Executive report
Claude writes the narrative — Executive Summary, Top Risks, Actions. Download as HTML or PDF (WeasyPrint).

API reference

All 22 endpoints

Full Swagger docs at http://localhost:8000/docs after starting the server.

POST  /api/auth/login            Get JWT token
POST  /api/analyze               Run threat model (dedup + custom rules + notify)
POST  /api/extract-from-text     Text description → components
POST  /api/extract-from-diagram  Claude Vision → components
GET   /api/templates             5 built-in system templates
POST  /api/custom-rules          Create custom threat rule (NEW)
GET   /api/custom-rules          List your custom rules (NEW)
POST  /api/threat-status         Set per-threat remediation status
POST  /api/threat-status/bulk    Bulk update multiple statuses (NEW)
POST  /api/share/:id             Generate 7-day read-only share link (NEW)
GET   /share/:token              View shared report (no auth) (NEW)
GET   /api/releases/:a/diff/:b   Compare two saved threat models (NEW)
POST  /api/threat/fix            AI before/after code fix (Claude) (NEW)
POST  /api/report/csv            Download risk register CSV
POST  /api/report/executive      Claude-narrated executive HTML/PDF
POST  /api/create-ticket         Create GitHub Issue or Jira ticket
GET   /healthz                   Liveness probe (NEW)
GET   /readyz                    Readiness probe — pings DB (NEW)

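
The share-link pair above (POST /api/share/:id, GET /share/:token) hands out a URL that works with no login, so the token is the only credential. The following is an added example, not the project's implementation, of a 7-day link store that persists only a digest of each token; `ShareLinkStore`, its methods and the sample clock are hypothetical.

```python
import hashlib
import secrets

SHARE_TTL = 7 * 24 * 3600  # 7-day lifetime stated on the page

class ShareLinkStore:
    """Hypothetical in-memory store; a real one would be a DB table."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (model_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, model_id: int, now: float) -> str:
        """Mint an unguessable token; only its digest is persisted."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = (model_id, now + SHARE_TTL)
        return token  # returned once, embedded in /share/<token>

    def resolve(self, token: str, now: float):
        """Return the shared model id, or None if unknown or expired."""
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        model_id, expires_at = row
        if now >= expires_at:
            del self._rows[key]  # expired links are purged on access
            return None
        return model_id

    def revoke_all(self, model_id: int) -> int:
        """Invalidate every link for one model, e.g. after a URL leaks."""
        stale = [k for k, (m, _) in self._rows.items() if m == model_id]
        for k in stale:
            del self._rows[k]
        return len(stale)

def demo() -> dict:
    store, t0 = ShareLinkStore(), 1_700_000_000  # constructed clock
    token = store.create(model_id=42, now=t0)
    return {
        "day 6": store.resolve(token, t0 + 6 * 86400),
        "wrong token": store.resolve("not-a-real-token", t0),
        "token stored in clear": token in str(store._rows),
        "day 7": store.resolve(token, t0 + SHARE_TTL),
    }
```
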
Troubleshooting

Common issues

Most problems are solved by setting the 3 required env vars and activating the venv.

🔴 Server starts but LLM features show "disabled"

Set ANTHROPIC_API_KEY=sk-ant-... — the app works without it (rules-based analysis runs, diagram upload returns a stub), but Claude Vision, AI fixes, and executive report narration need the key.

export ANTHROPIC_API_KEY=sk-ant-...
🔴 ModuleNotFoundError on startup

Your venv isn't activated or pip install wasn't run. You should see (.venv) in your terminal prompt.

# Mac/Linux
source .venv/bin/activate
pip install -r requirements.txt
🔴 Port 8000 already in use
uvicorn app:app --reload --port 8001
# or kill whatever is using 8000:
lsof -ti:8000 | xargs kill
🔴 401 Unauthorized on API calls

Token expired (15 min TTL) or server restarted without a persistent JWT_SECRET. Re-login to get a fresh token. Set a permanent JWT_SECRET value so tokens survive restarts.

TOKEN=$(curl -s -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@example.com","password":"changeme123"}' \
  | python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
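
Both causes of the 401 named above, reproduced in an added example (not the project's code). It assumes HS256-signed tokens, which the page does not state; `issue`, `check` and `restart_scenarios` are hypothetical names, and the secret and timestamp are constructed.

```python
import base64, hashlib, hmac, json, secrets

TTL_SECONDS = 15 * 60  # the 15 min token lifetime stated on the page

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(secret: str, sub: str, now: float) -> str:
    """Sign an HS256 token that expires TTL_SECONDS after `now`."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps({"sub": sub, "exp": int(now) + TTL_SECONDS}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{b64(sig.digest())}"

def check(secret: str, token: str, now: float) -> str:
    """Return 'ok', 'expired' or 'bad-signature' for a presented token."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(),
                            hashlib.sha256).digest()
        # Constant-time comparison; claims are parsed only after it passes.
        if not hmac.compare_digest(expected, unb64(sig)):
            return "bad-signature"
        claims = json.loads(unb64(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return "bad-signature"
    return "expired" if now >= claims["exp"] else "ok"

def restart_scenarios() -> dict:
    t0 = 1_700_000_000  # constructed login time
    persistent = "constructed-persistent-secret"
    token = issue(persistent, "admin@example.com", t0)
    return {
        "same secret, 5 min later": check(persistent, token, t0 + 300),
        "same secret, 16 min later": check(persistent, token, t0 + 960),
        # A server restarted with a freshly generated JWT_SECRET:
        "regenerated secret, 5 min later": check(secrets.token_urlsafe(48), token, t0 + 300),
    }

if __name__ == "__main__":
    for case, result in restart_scenarios().items():
        print(f"{case}: {result}")
```
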
🔴 Tests fail with fixture or DB errors

Run pytest from inside the threat-modeler/ directory with env vars set.

cd threat-modeler
export INITIAL_ADMIN_EMAIL=admin@example.com
export INITIAL_ADMIN_PASSWORD=changeme123
export JWT_SECRET=test-secret
pytest tests/test_new_endpoints.py -v
💡 Interactive API docs (Swagger)

FastAPI auto-generates interactive docs. Go to http://localhost:8000/docs, click Authorize, paste your Bearer token, and test any endpoint without writing curl commands.