| layout | col-sidebar |
|---|---|
| title | OWASP Threat Dragon |
| tags | threatdragon |
| project | true |
| level | 3 |
| type | tool |
| pitch | OWASP Threat Dragon is a threat modeling tool for both developers and defenders alike. Run it as a local application or as a web application. |
{: .image-right }
OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application.
Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.
Use the version 1 or version 2 documentation to get started, along with the recording of Mike Goodwin giving a lightning demo during the OWASP Open Security Summit in June 2020.
An introduction to Threat Dragon is provided by the OWASP Spotlight series, and the Threat Modeling Gamification seminar by Vlad Styran shows how using Threat Dragon can make threat modeling fun.
There are a couple of OWASP community pages that give overviews on Threat Modeling and how to get started: Threat Modeling and Threat Modeling Process.
The easiest way to get in contact with the Threat Dragon community is via the OWASP Slack #project-threat-dragon project channel, you may need to subscribe first.
- pytm (Pythonic Threat Modeling)
- Threat Modeling Cheat Sheet
- Threat Modeling Project
- Threat Model Library
Threat Dragon: making threat modeling less threatening