New pages for Threat Model Library and Threat Modeling projects

.github/pull_request_template.md

@@ -19,7 +19,11 @@ Thanks for submitting a pull request, please make sure:
 
 - [ ] content meets the [license](../blob/main/license.txt) for this project
 - [ ] you have read the [contribution guide](../blob/main/contributing.md) and agree to the [Code of Conduct](../blob/main/code_of_conduct.md)
-- [ ] any [use of AI](../blob/main/contributing.md#use-of-ai) has been declared in this pull request
+- [ ] *either* no AI-generated content has been used in this pull request
+- [ ] *or* any [use of AI](../blob/main/contributing.md#use-of-ai) in this pull request has been disclosed below:
+  - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie, etc]`
+  - LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro, etc]`
+  - Prompts: `[Summarize the key prompts or instructions given to the AI tools]`
 
 **Other info** :  
 

.wordlist-en.txt

@@ -104,6 +104,7 @@ GCM
 GCP
 GDPR
 GHSL
+GPT
 GRC
 GRPC
 Gasteratos
@@ -179,6 +180,7 @@ Matteo
 Microservices
 Misconfiguration
 MLSec
+Modelling
 ModSecurity
 Multifactor
 NIST
@@ -193,6 +195,7 @@ NoSQL
 Node.js
 NodeJS
 NuGets
+OATs
 OAuth
 OBOM
 ODF
@@ -301,6 +304,7 @@ TPS
 Tasklist
 Tesauro
 Threagile
+ThreatAtlas
 Tink
 ToC
 Trivy

docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md

@@ -0,0 +1,95 @@
+The [Threat Model Project][tmproject] is an over-arching project provided by OWASP
+that seeks to inform and guide on the very large domain that is [Threat Modeling][tmptm].
+
+#### What is the Threat Model project?
+
+The Threat Model project is not intended to be a primary source on the threat modeling domain;
+there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat.
+
+Instead the Threat Model project seeks to provide information on [threat modeling techniques][tmpapp]
+for applications and systems of all types, with a focus on current and emerging techniques.
+
+To do this project intends to gather techniques, methodologies, tools and examples.
+There is also the intention to foster a threat modeling community and support it through initiatives and forums.
+
+Note that much of this is what the project intends to provide in the future.
+As of January 2026 the project is going through a change process that will better provide this information and guidance.
+
+#### Why refer to this project?
+
+The Threat Modeling project can be seen as an umbrella for the other threat modeling projects and resources.
+
+It can be used as a landing page for all things threat modeling;
+the starting point for finding [resources and tools][tmpres] as well as the core concepts.
+For example there is an introduction to Shostack's [Four Question Framework][4QFW]
+that guides the user to the primary source if they need to know more.
+
+#### Other threat modeling projects
+
+Threat modeling is a wide domain and OWASP provides many projects alongside the Threat Modeling project :
+
+**Production**:
+
+- [Cornucopia][cornucopia]
+- [pytm][pytm]
+
+**Lab**:
+
+- [Automated Threats to Web Applications][oats] (OATs)
+- [Cumulus][cumulusproject]
+- [Threat Dragon][tdtm]
+
+**Incubator**:
+
+- [Dragon GPT][dgpt]
+- [Lets Threat Model][ltm]
+- [Ontology Driven Threat Modeling Framework][odtmf]
+- [SAP Threat Modeling Builder][saptmb]
+- [Threat Model Library][tml]
+- [Threat Modeling Playbook][tmpb] (OTMP)
+- [Threat Modelling Guide][tmgproject]
+- [ThreatAtlas][threatatlas]
+- [Rapid Developer-driven Threat Modeling][rdtmproject]
+
+These projects have been categorized by OWASP according to their importance and maturity.
+
+#### References
+
+- OWASP [Threat Modeling][tmproject] project
+- OWASP [Threat Modeling toolkit][toolkit]
+- OWASP [Threat Modeling Cheat Sheet][cstm]
+- OWASP [Attack Surface Analysis Cheat Sheet][asacs]
+- OWASP community pages on [Threat Modeling][tmcommunity] and [Threat Modeling Process][tmprocess]
+- Shostack's [Four Question Framework][4QFW]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue040101] or [edit on GitHub][edit040101].
+
+[4QFW]: https://github.com/adamshostack/4QuestionFrame
+[asacs]: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet
+[cornucopia]: https://owasp.org/www-project-cornucopia/
+[cstm]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet
+[cumulusproject]: https://owasp.org/www-project-cumulus/
+[dgpt]: https://owasp.org/www-project-dragon-gpt/
+[edit040101]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md
+[issue040101]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/01-threat-modeling-project
+[ltm]: https://owasp.org/www-project-lets-threat-model/
+[oats]: https://owasp.org/www-project-automated-threats-to-web-applications/
+[odtmf]: https://owasp.org/www-project-ontology-driven-threat-modeling-framework/
+[pytm]: https://owasp.org/www-project-pytm/
+[rdtmproject]: https://owasp.org/www-project-rapid-developer-driven-threat-modeling/
+[saptmb]: https://owasp.org/www-project-sap-threat-modeling-builder/
+[tdtm]: https://owasp.org/www-project-threat-dragon/
+[threatatlas]: https://owasp.org/www-project-threatatlas/
+[toolkit]: https://www.youtube.com/watch?v=KGy_KCRUGd4
+[tmpb]: https://owasp.org/www-project-threat-modeling-playbook/
+[tmcommunity]: https://owasp.org/www-community/Threat_Modeling
+[tmgproject]: https://owasp.org/www-project-threat-modelling-guide/
+[tml]: https://owasp.org/www-project-threat-model-library/
+[tmpapp]: https://owasp.org/www-project-threat-modeling/#div-application-tm
+[tmpres]: https://owasp.org/www-project-threat-modeling/#div-resources
+[tmprocess]: https://owasp.org/www-community/Threat_Modeling_Process
+[tmproject]: https://owasp.org/www-project-threat-modeling/
+[tmptm]: https://owasp.org/www-project-threat-modeling/#div-threatmodeling

docs/en/04-design/01-threat-modeling/05-linddun-go.md

@@ -1,5 +1,4 @@
 LINNDUN GO is a card game used to help derive privacy requirements during the software development life cycle.
-The LINNDUN GO card set can be [downloaded][linddun-go-cards] as a PDF and then printed out.
 
 #### What is LINDDUN GO?
 
@@ -44,7 +43,7 @@ The advice from the LINDDUN GO 'getting started' instructions is that this team
 
 The application should have already been described by an architecture diagram or data flow diagram
 so that the players have something to refer to during the game.
-[Download][linddun-go-cards] and printout the deck of cards.
+The LINNDUN GO card set can be [downloaded][linddun-go-cards] as a PDF and the deck of cards printed out.
 
 Follow the [set of rules][linddun-go-rules] to structure the game session, record the outcome and act on it.
 The outcome of the game is to identify possible privacy threats and propose remediations;
@@ -53,11 +52,11 @@ as well as having a good time of course.
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
-then [submit an issue][issue060105] or [edit on GitHub][edit060105].
+then [submit an issue][issue040105] or [edit on GitHub][edit040105].
 
 [cornucopia]: https://owasp.org/www-project-cornucopia/
-[edit060105]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/05-linddun-go.md
-[issue060105]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/05-linddun-go
+[edit040105]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/05-linddun-go.md
+[issue040105]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/05-linddun-go
 [linddun]: https://linddun.org/
 [linddun-go]: https://linddun.org/go/
 [linddun-go-cards]: https://downloads.linddun.org/linddun-go/default/latest/go.pdf

docs/en/04-design/01-threat-modeling/06-threat-model-library.md

@@ -0,0 +1,24 @@
+The [Threat Model Library][tml] is a collection of threat models which provide examples of best practice
+and have been donated to the public domain.
+This is an OWASP Incubator project with [several models][tmboms] available already and more to come.
+
+#### What is the Threat Model Library?
+
+#### Why use these models?
+
+#### How to view the models
+
+#### References
+
+* OWASP [Threat Model Library][tml]
+* [Threat models][tmboms] in TM-BOM format
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue040106] or [edit on GitHub][edit040106].
+
+[edit040106]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/06-threat-model-library.md
+[issue040106]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2004-design/01-threat-modeling/06-threat-model-library
+[tmboms]: https://github.com/OWASP/www-project-threat-model-library/tree/main/threat-models/
+[tml]: https://owasp.org/www-project-threat-model-library/

docs/en/04-design/01-threat-modeling/01-threat-modeling.md → docs/en/04-design/01-threat-modeling/07-practical-threat-modeling.md

@@ -223,7 +223,7 @@ then that is also a perfectly good choice.
 * OWASP [Threat Modeling Cheat Sheet][cstm]
 * OWASP [Threat Modeling Playbook (OTMP)][tmpb]
 * OWASP [Attack Surface Analysis Cheat Sheet][asacs]
-* OWASP community pages on [Threat Modeling][TM] and the [Threat Modeling Process][TMP]
+* OWASP community pages on [Threat Modeling][tmcommunity] and the [Threat Modeling Process][tmprocess]
 * [The Four Question Framework For Threat Modeling](https://youtu.be/Yt0PhyEdZXU) 60 second video
 * Lockheed's [Cyber Kill Chain][chains]
 * VerSprite's Process for Attack Simulation and Threat Analysis ([PASTA][pasta])
@@ -244,7 +244,7 @@ then that is also a perfectly good choice.
 ----
 
 The OWASP Developer Guide is a community effort; if there is something that needs changing
-then [submit an issue][issue060101] or [edit on GitHub][edit060101].
+then [submit an issue][issue040107] or [edit on GitHub][edit040107].
 
 [4QFW]: https://github.com/adamshostack/4QuestionFrame
 [asacs]: https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet
@@ -255,8 +255,8 @@ then [submit an issue][issue060101] or [edit on GitHub][edit060101].
 [cstm]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet
 [culturetm]: https://owasp.org/www-project-security-culture/stable/6-Threat_Modelling/
 [eop]: https://shostack.org/games/elevation-of-privilege
-[edit060101]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/01-threat-modeling.md
-[issue060101]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/01-threat-modeling/01-threat-modeling
+[edit040107]: https://github.com/OWASP/DevGuide/blob/main/docs/en/04-design/01-threat-modeling/07-practical-threat-modeling.md
+[issue040107]: https://github.com/OWASP/DevGuide/issues/new?labels=enhancement&template=request.md&title=Update:%2004-design/01-threat-modeling/07-practical-threat-modeling
 [linddun]: https://linddun.org/
 [nist-cvss]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
 [pasta]: https://versprite.com/blog/what-is-pasta-threat-modeling/
@@ -271,8 +271,8 @@ then [submit an issue][issue060101] or [edit on GitHub][edit060101].
 [tmpb]: https://owasp.org/www-project-threat-modeling-playbook/
 [tmproject]: https://owasp.org/www-project-threat-modeling/
 [tmmanifesto]: https://www.threatmodelingmanifesto.org/
-[TM]: https://owasp.org/www-community/Threat_Modeling
-[TMP]: https://owasp.org/www-community/Threat_Modeling_Process
+[tmcommunity]: https://owasp.org/www-community/Threat_Modeling
+[tmprocess]: https://owasp.org/www-community/Threat_Modeling_Process
 [TMdesigning]: https://shostack.org/books/threat-modeling-book
 [TMpractical]: https://threatmodeling.dev/
 [TMT]: https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

docs/es/04-design/01-threat-modeling/04-cornucopia.md

@@ -1,7 +1,7 @@
 ![WIP logo](../../../assets/images/dg_wip.png "Trabajo en curso"){ align=right width=180 }
 
-No hay traducción de esta página, consulte [versión original en inglés][en060104].
+No hay traducción de esta página, consulte [versión original en inglés][en040104].
 
 ----
 
-[en060104]: https://devguide.owasp.org/en/04-design/01-threat-modeling/04-cornucopia/
+[en040104]: https://devguide.owasp.org/en/04-design/01-threat-modeling/04-cornucopia/

docs/es/04-design/01-threat-modeling/05-linddun-go.md

@@ -1,7 +1,7 @@
 ![WIP logo](../../../assets/images/dg_wip.png "Trabajo en curso"){ align=right width=180 }
 
-No hay traducción de esta página, consulte [versión original en inglés][en060105].
+No hay traducción de esta página, consulte [versión original en inglés][en040105].
 
 ----
 
-[en060105]: https://devguide.owasp.org/en/04-design/01-threat-modeling/05-linddun-go/
+[en040105]: https://devguide.owasp.org/en/04-design/01-threat-modeling/05-linddun-go/

docs/es/04-design/01-threat-modeling/06-toolkit.md

@@ -1,7 +1,7 @@
 ![WIP logo](../../../assets/images/dg_wip.png "Trabajo en curso"){ align=right width=180 }
 
-No hay traducción de esta página, consulte [versión original en inglés][release060106].
+No hay traducción de esta página, consulte [versión original en inglés][release040106].
 
 ----
 
-[release060106]: hhttps://devguide.owasp.org/04-design/01-threat-modeling/06-toolkit/
+[release040106]: https://devguide.owasp.org/en/04-design/01-threat-modeling/06-toolkit/