TMI newsletter 19 – The Role of Tooling in Threat Modeling


Hi there.

Welcome to the October edition of Threat Modeling Insider.

For this version, we have, as usual, picked and created the finest Threat Modeling contents of the month. Next month, we hope to share more about the new threat modeling community we are co-founding. Stay tuned!

But, for now, our TMI line-up looks as follows:

  • The Role of Tooling in Threat Modeling, by our guest blogger, Zoe Braiterman
  • Curated Content. “The Hybrid Approach to Threat Modeling”, a blog post by Chris Romeo, co-founder of Security Journey.
  • Curated content: How we’re creating a threat model framework that works for GitLab, a blog post by Mark Loveless, Security Engineer at GitLab.
  • “Threat Modeling Soft Skills”, a session with Sebastien Deleersnyder.
  • Toreon Tip: Creating Security Decision Trees with Graphviz, by Kelly Shortridge.

Happy reading!

Seba, Steven, Thomas

The Role of Tooling in Threat Modeling

In this blog post, Zoe Braiterman tells us more about TM tooling and how tooling can help to facilitate processes and discussions by automation and scaling.

The Role of Tooling in Threat Modeling

The practical value of threat modeling is about “People and collaboration over processes, methodologies, and tools”, as stated in the Threat Modeling Manifesto and various discussions amongst practitioners.  However, tooling certainly plays a role in the productive threat modeling.

Some useful features of software used for threat modeling

Threat Modeling as Code

This category of tooling includes pytm, an OWASP project led by Izar Tarandach.

Pytm is a Pythonic framework that achieves the following to facilitate threat modeling:

  • Enable developers with the  to easily generate data flow diagrams or sequence diagrams, using dot or PlantUML
  • Allow security experts to supply threats to the system, based on vulnerabilities
  • Generate a report that includes diagrams and findings


More on automated reporting

Potential threats that may impact a system are not limited to security threats. They also include privacy and compliance related threats.

Adaptive tooling empowers users with automated reporting of these various types of threats to enable users to properly understand and mitigate the risks that face the systems within their organizations.

For example, Irius Risk, allow users to create reports, including compliance reports, among the analytics and reporting features the product includes.


What this means for you

Some considerations in making decisions your team / organization may include the following.

  • The users of the threat modeling software:  Developers? Security professionals? Product managers? Consider the goals and level of technical expertise of each user persona.
  • The desired types of outputs:  What types of visual representations, reporting, analytics and integration will be useful for your case?
  • The ongoing discussion and cross-functional collaboration it facilitates: What type of meaningful discussion is the tooling, and its outputs, to facilitate?


Threat modeling is an iterative process, consisting of multiple activities and involving multiple stakeholders.

Tooling can help to facilitate such processes and discussion, making them automated and scalable.

Curated threat modeling content

“The Hybrid Approach to Threat Modeling”, a blog post by Chris Romeo, co-founder of Security Journey.

Should the threat model approach in your organization be mandatory or voluntary? Chris Romeo did a poll and wrote a blog post about it.

“How we’re creating a threat model framework that works for GitLab”, a blog post by Mark Loveless, Security Engineer at GitLab.

How do you do threat modeling in an organization working 100% remotely and 100% spread out over the planet? Check out the interesting series of blog posts, written by Mark Loveless.


Toreon Webinar: ``Threat Modeling Soft Skills``, a session with Sebastien Deleersnyder

On October 10th, we did a tl;dr sec community special training “Threat Modeling Soft Skills”.

Have a look at the full recording and learn more about the crucial soft skills that are necessary to turn an average TM meeting into an exciting workshop.

Also, do not miss our full Threat Modeling Practitioner training, covering 20 hours of self-paced training and in-person live labs. Afterwards you have one year access to the full training and workshop recordings and all our threat modeling resources. The next training cohort starts on the 28th of November 2022.

Toreon tip

In this post, Kelly Shortridge walks us through the creation of an example decision tree using Graphviz and a .DOT file.

We aim to make this a community-driven newsletter and welcome your input or feedback. If you have content or pointers for the next edition, please share them with us.

Kind regards,
Sebastien Deleersnyder
CTO, Toreon

Book a seat in our upcoming trainings

  • Whiteboard Hacking a.k.a. Hands-on Threat Modeling, hybrid onlinehosted by Global OWASP AppSec San Francisco (15-16 November, 2022)
  • Threat Modeling Practitioner training, hybrid online, hosted by DPI (next cohort starts on 28 November, 2022)
  • Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-personhosted by Black Hat Europe (5-6 December, 2022)

We also organize in-company training for groups as of 10 participants.

Start typing and press Enter to search

Shopping Cart