OWASP Threat Dragon
What is Threat Dragon?
OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle. Threat Dragon follows the values and principles of the threat modeling manifesto. It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication of the threat model components and threat surfaces. Threat Dragon runs either as a web application or as a desktop application.
Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai, provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.
Resources
Use the version 1 or version 2 documentation to get started, along with the recording of Mike Goodwin giving a lightning demo during the OWASP Open Security Summit in June 2020.
An introduction to Threat Dragon is provided by the OWASP Spotlight series, and the Threat Modeling Gamification seminar by Vlad Styran shows how using Threat Dragon can make threat modeling fun.
There are a couple of OWASP community pages that give overviews on Threat Modeling and how to get started: Threat Modeling and Threat Modeling Process.
The easiest way to get in contact with the Threat Dragon community is via the OWASP Slack #project-threat-dragon project channel, you may need to subscribe first.
Related Projects
- OWASP pytm (Pythonic Threat Modeling)
- Threat Modeling OWASP Cheat Sheet
- Threagile - Agile Threat Modeling, an (non-OWASP) open source project
Threat Dragon: making threat modeling less threatening
Releases
| Release | Date | Location | Comments |
|---|---|---|---|
| v2.4.1 | Mar 2025 | github | Bug fix for diagram labels, TBA renamed TBD |
| v2.4 | Mar 2025 | github | Additional threat priorities, TLS credentials, export model diagrams, create new repo branches |
| v2.3 | Dec 2024 | github | suggest threats by element and threats by context, builds for ARM64 platforms and google sign-in feature |
| v2.2 | Feb 2024 | github | add GitLab support and user prompt to save model when quitting |
| v2.1.3 | Jan 2024 | github | bug fix for desktop menu discarding diagram edits, add schema for Open Threat Modeling (OTM) |
| v2.1.2 | Nov 2023 | github | add Bitbucket access, PLOT4ai threats and bug-fix for data-flows overwriting properties |
| v2.1.1 | Oct 2023 | github | desktop version provides guard advising of overwriting threats changes |
| v2.1 | Oct 2023 | github | desktop version provides guard advising of overwriting diagram changes |
| v2.0.9 | Oct 2023 | github | names for diagram data flow and trust boundary curves preserved when unselected |
| v2.0.8 | Oct 2023 | github | diagram component properties correctly displayed when selecting new component |
| v2.0.7 | Sep 2023 | github | fix bug when selecting trust boundary curves |
| v2.0.6 | Sep 2023 | github | ability to filter Github repos; translation for Finnish; improve data flow selection and handling |
| v2.0.4 | Aug 2023 | github | various bug fixes; |
| v2.0.2 | Apr 2023 | github | collection of bug fixes; PDF report button, threat IDs fixed, reporting expanded |
| v2.0 | Feb 2023 | github | substantial rewrite for new drawing library @antv/g6 |
| v1.6.1 | Mar 2022 | github | Docs now moved to the new site Last release of 1.x before version 2.0 |
| v1.6 | Dec 2021 | github | Automated threat and context threat generation |
| v1.5.8 | Sep 2021 | github | Shows ‘NA’ threats as completed/ mitigated Fixes bug in threat engine (web app only) Signed binaries for Windows |
| v1.5.5 | Sep 2021 | github | MacOS images are signed and notarized Linux Snap image available as snapcraft distribution |
| v1.4 | 5 May 2021 | github | Provides dotenv for environment variables updates to docker image substantial code reorganisation |
| v1.3.1 | 26 Oct 2020 | Web app Desktop |
update documentation link to point to new docs page |
| v1.3 | 3 Sep 2020 | Web app Desktop |
support for LINDDUN and CIA as well as STRIDE and desktop command line interface |
| v1.2 | 14 Apr 2020 | Web app Desktop |
description for diagram elements label applied to boundaries save button always enabled zoom functionality disabled hot key copy and paste for diagram elements |
| v1.1 | 15 Mar 2020 | Web app | Duplicate element/diagram feature |
| v1.1 | 10 Mar 2020 | Desktop | Bug fix for blank screen on new model, and duplicate element/diagram feature |
| v1.0 | 22 Feb 2020 | Desktop | First full desktop release for Windows, MacOS and Linux |
| v0.1.27-alpha | 28 Jul 2019 | Desktop | Windows desktop only |
| v0.1.26 | 16 May 2017 | Desktop | MacOS and Windows desktop only |
| 0.3.0 | 14 Mar 2017 | Web app | alpha release |
| v0.1.1-alpha | 14 Mar 2016 | Web app | alpha release |
Threat Dragon: making threat modeling less threatening
FAQs
-
Why do the earlier releases come from Mike Goodwin’s repo, not the OWASP repo?
-
Why do I get ‘Apple cannot check it for malicious software’ errors after installing on MacOS?
-
Why do I get ‘Permissions failure opening Mac desktop app’ when installing from the zip file?
-
Why do I get ‘developer can not be verified’ errors after installing on MacOS?
-
Is there a command line interface for Threat Dragon Desktop?
-
When is Threat Dragon’s birthday? And does Threat Dragon have a theme tune?
Threat Dragon: making threat modeling less threatening
Version 2.5: in progress
- provide an API for CI/CD pipelines
- provide a CLI for scripting based on TD’s existing use of yargs
Version 2.3: released December 2024
- automated threats (both by element and by OATS)
Version 2.2: released February 2024
Threat model access for web app:
- load models from various repos :
- github enterprise
- gitlab
- github enterprise
- BitBucket
Version 2.1: released October 2023
Stable version of 2.x.x with bug fixes and usable diagram tools. Still not feature complete:
- missing CLI for scripting based
- missing automated threats (both by element and by OATS)
Version 2.0: released February 2023
migrate to a combined application for both desktop and webapp:
- be strictly open source
- use Vue for frontend application
- use @antv/g6 for the drawing library
- frontend logging using bunyan and optional logging to the console during development
- use electron to wrap webapp for desktop
- provide auto-update using electron
- expand electron unit tests using WDIO Electron Service
- webapp unit test framework Jest
- component test Vue testing library
- end-to-end test cypress
- set up ZAP to provide security testing on commit
- design files are to be backwardly compatible to Threat Dragon json
demonstration pages:
- an online demonstration to be provided on threat dragon’s site
- demo should either be a snapshot or a release version
Version 1.4: released May 2021
- written in javascript ES6 / ECMAScript 2015 or compatible
- run on node.js server
- use express for backend application
- provide a dockerfile for running in docker, similar to existing TD
- static code analysis using ESLint
- webapp test runner Karma with Jasmine for Vue Test Utils
- backend unit test framework MochaJS and assertions from chai
- bundle the application and api for production using webpack
- be strictly open source, avoiding using languages or frameworks maintained outside the open source community
documentation:
- documentation should be updated at the threat dragon github pages
- version 1.x docs are preserved and migrated to version 2.0
- docs should be static pages based on Jekyll and markdown
Previous versions
Mike Goodwin’s initial roadmap for the project is archived here. The original roadmap had various milestones, most of which were achieved by late 2020.
Milestone 4: Dev lifecycle integration
- Some CLI interface available mid 2020
Milestone 3: Release 1.0
- production version released February 2020
- version 1.3.1 released October 2020
Milestone 2: Beta release: Threat/mitigation rule engine
- achieved May 2017 with version 0.1.26
Milestone 1: Alpha release - Basic threat modelling experience
- achieved October 2015
Threat Dragon: making threat modeling less threatening
Threat Model File (TMF) format
Threat Dragon version 1.x and Threat Dragon version 2.x use closely related but incompatible JSON file formats. In addition both these file formats are arranged around diagram elements used by the graph editing engines: JointJS for version 1.x and AntV/X6 for version2.x. The data model use in the Threat Dragon file format would be better centred round threat model information rather than the data used for the graph editing.
Both Threat Dragon file formats are incompatible with other open source Threat Modeling files such as pytm, Threagile and Open Threat Model.
The intention is to change the model file format in Threat Dragon version 3.x onwards. The goal will be to define a schema that is flexible enough to easily convert from the existing:
- OWASP Threat Dragon versions 1.x and 2.x
- OWASP pytm pythonic threat modeling
- Threagile open-source toolkit for agile threat modeling
- Open Threat Model (OTM) file format
There is an open discussion for suggestions and debate on this subject.