OWASP ThreatAtlas
OWASP ThreatAtlas is a platform for community-driven threat modeling. It enables companies to run threat modeling sessions on a collaborative platform by inviting Developers, DevOps, Architects, and Security Engineers to keep track of their services in a dynamic environment.
ThreatAtlas brings threat modeling value to the real world by providing a useful platform to create, track, and mitigate all application and service threats in one central place.
🌟 Mission
To bridge the gap between generic security frameworks and real-world infrastructure through an interactive, collaborative platform. We aim to democratize threat modeling by enabling teams to visually map architectures, leverage community-driven threat intelligence, and integrate actionable security mitigations directly into their development lifecycle.

🏗 Why OWASP ThreatAtlas?
OWASP ThreatAtlas differentiates itself by:
- Being fully open-source and deployable by organizations
- Supporting multiple threat modeling frameworks in one platform
- Combining architecture diagramming with structured threat identification
- Enabling project-based collaboration
- Being designed for DevSecOps integration (future roadmap)
- Offering framework extensibility (organizations can define their own methodology)
- Being built as a modern web application rather than a documentation repository
🎯 The project purpose
The purpose of OWASP ThreatAtlas is to provide an open-source, extensible, and practical threat modeling platform that enables organizations to:
- Design system architecture diagrams
- Identify and document threats systematically
- Apply recognized threat modeling frameworks
- Track mitigations and risk evolution
- Promote secure-by-design principles
🌳 Project Structure
This repository contains both the project documentation and the application source code:
- ThreatAtlas Tool (App): The source code for the web application.
📖 Documentation
For detailed information on how to deploy and use ThreatAtlas, please refer to the following guides:
🛠 Installation & Setup
If you are looking to install and run the ThreatAtlas tool: 👉 Installation Guide
💻 Development & Contributing
If you are a developer looking to contribute to the codebase: 👉 Development Guide
👤 User Guide
If you are an end-user looking to learn how to use the UI: 👉 User Guide
Contributors
ThreatAtlas is a community-driven project. We are grateful to all our contributors who help make threat modeling more accessible and effective.
Core Team
- Ali Yazdani - Project Leader
How to Become a Contributor
We welcome contributions of all kinds!
- Code: Check our GitHub Repository.
- Threat Models: Help us expand the knowledge base for cloud-native services.
- Feedback: Join our Slack channel and share your thoughts.
See our Development & Contributing Guide for more details.
Documentation
Comprehensive guides for using and deploying ThreatAtlas.
🚀 Getting Started
- Installation Guide: How to set up ThreatAtlas using Docker or production deployment.
- User Guide: A step-by-step tutorial on creating products, diagrams, and managing threats.
- Development Guide: Technical setup for codebase contributors.
🛠 Technical Reference
- Backend API: The FastAPI backend provides interactive Swagger documentation at /docs when running the application.
- Data Models: Documentation for our service-specific threat models and mitigation mappings.
🤝 Contribution Docs
- Development Guide: How to set up your environment and submit Pull Requests.
- Security Policy: How to report security vulnerabilities.