About

Threat Dragon is a free, open-source, cross-platform threat modeling application. This tool provides for the creation of threat model data-flow diagrams and entering of associated threats along with their remediations.

Threat Dragon supports STRIDE¹, LINDDUN², CIA³, DIE⁴ and PLOT4ai⁵

Threat Dragon is an OWASP Lab Project and follows the values and principles of the threat modeling manifesto. An introduction to Threat Dragon is provided by the OWASP Spotlight series, and a different take on Threat Dragon is provided by Threat Modeling Gamification.

There is a good overview of threat modeling and risk assessment from OWASP, and this expands on what the Threat Dragon project aims for:

• to be simple and intuitive
• easy construction of data flow diagrams
• identifying threats
• recording of mitigations and counter measures

The application comes in two variants:

1. Web application: The web application can be run from the source or as a container using the docker image. Depending on the configuration the web application can store threat model files on :
   • local filesystem
   • GitHub
   • Github Enterprise
   • Bitbucket
   • Bitbucket Enterprise
   • GitLab
2. Desktop application: There are installers available for Windows, Mac OSX and Linux. The model files are stored on the local file system only; repository access for the desktop variant could be a future enhancement.

Internationalization

The following translations are built into the Threat Dragon application:

• العربية (ara-SY)
• Deutsch (deu-DE)
• English (eng-US)
• Ελληνικά (ell-GR)
• español (spa-ES)
• Suomi; (fin-FI)
• français (fra-CA)
• मानक हिन्दी (hin-IN)
• Bahasa Indonesia (ind-ID)
• 日本語 (jpn)
• português (por-BR)
• Malay (ms)
• 中文 (zho-CN)

Demonstration site

Threat Dragon maintains a Demo Instance that is hosted on Heroku. We strongly recommend using a self-hosted instance or the desktop application as the most secure options.

^{1: Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege}

^{2: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance}

^{3: Confidentiality, Integrity, Availability}

^{4: Distributed, Immutable, Ephemeral}

^{5: Privacy Library Of Threats 4 Artificial Intelligence}

Threat Dragon: making threat modeling less threatening