OWASP Threat Dragon is an open-source threat modeling tool that enables security teams and developers to create threat model diagrams, identify threats using established methodologies (STRIDE, LINDDUN, CIA, DIE, PLOT4ai), and generate comprehensive reports. Threat Dragon runs as both a web application and desktop application (Windows, macOS, Linux), supporting distributed teams working collaboratively on threat models. Version 2.x provides drag-and-drop diagram creation, an auto-generation rule engine for threats and mitigations, and PDF report output for documentation and GRC compliance.
| Category | Threat Type | Description | Example |
|---|---|---|---|
| S | Spoofing | Impersonating a user or system | Stolen session tokens |
| T | Tampering | Modifying data in transit or at rest | SQL injection altering records |
| R | Repudiation | Denying an action occurred | Missing audit logs |
| I | Information Disclosure | Exposing sensitive data | API returning excessive fields |
| D | Denial of Service | Making a service unavailable | Resource exhaustion attack |
| E | Elevation of Privilege | Gaining unauthorized access | Broken access control |
| Category | Threat Type | Description |
|---|---|---|
| L | Linkability | Associating data items across contexts |
| I | Identifiability | Identifying an individual from data |
| N | Non-repudiation | Inability to deny an action (privacy risk) |
| D | Detectability | Determining if data about a subject exists |
| D | Disclosure | Exposing personal information |
| U | Unawareness | User unaware of data collection |
| N | Non-compliance | Violating privacy regulations |
Desktop Application: Download the installer from the OWASP Threat Dragon releases page for Windows (.exe), macOS (.dmg), or Linux (.AppImage/.deb/.rpm).
Web Application (Docker):

```bash
docker run -p 3000:3000 \
  -e ENCRYPTION_JWT_SIGNING_KEY=$(openssl rand -hex 32) \
  -e ENCRYPTION_JWT_REFRESH_SIGNING_KEY=$(openssl rand -hex 32) \
  -e ENCRYPTION_KEYS='[{"isPrimary":true,"id":0,"value":"'$(openssl rand -hex 16)'"}]' \
  -e NODE_ENV=production \
  owasp/threat-dragon:latest
```
Before creating diagrams, document the scope:
In Threat Dragon, create a new threat model and add diagrams using the following DFD elements:

- Processes: Applications, microservices, API endpoints that transform data. Represented as circles/rounded rectangles.
- Data Stores: Databases, file systems, caches, message queues that persist data. Represented as parallel lines.
- External Entities: Users, external systems, third-party services outside the trust boundary. Represented as rectangles.
- Data Flows: Communication channels between elements showing data direction. Represented as arrows with labels describing the data.
- Trust Boundaries: Dashed lines separating zones of different trust levels (internet/DMZ/internal network, user/admin).
For each DFD element, apply the STRIDE methodology:
| Element Type | Applicable STRIDE Categories |
|---|---|
| External Entity | Spoofing, Repudiation |
| Process | Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege |
| Data Store | Tampering, Information Disclosure, DoS |
| Data Flow | Tampering, Information Disclosure, DoS |
Threat Dragon's rule engine automatically suggests threats based on element types. Review each suggestion and mark as:
For each open threat, document:
Threat Dragon produces PDF reports containing:
Threat Dragon uses JSON format for threat models, enabling version control and programmatic manipulation:

```json
{
  "version": "2.2.0",
  "summary": {
    "title": "E-Commerce Application",
    "owner": "Security Team",
    "description": "Threat model for the checkout flow"
  },
  "detail": {
    "contributors": [
      {"name": "Security Architect"}
    ],
    "diagrams": [
      {
        "id": 0,
        "title": "Checkout Flow",
        "diagramType": "STRIDE",
        "cells": []
      }
    ]
  }
}
```
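As an added example (not code from this page or from the Threat Dragon project), the following Node.js script shows the "programmatic manipulation" the JSON format allows: it walks a model's diagrams and, using the element-to-STRIDE mapping from the table above, reports every element that has no threat recorded for one of its applicable categories, plus every open threat whose mitigation field is empty. The cell layout it reads (`cells[].data.type` values such as `tm.Process`, and `cells[].data.threats[]` entries with `type`, `status` and `mitigation` fields) follows typical Threat Dragon 2.x exports but is not defined on this page, so treat those field names as assumptions; the sample model is constructed.

```javascript
// Added example, not Threat Dragon's own code. STRIDE coverage check over a
// Threat Dragon 2.x model object. Field names (data.type, threats[].type,
// threats[].status, threats[].mitigation) are assumptions based on typical
// exports; adjust them if your model file differs.

// Element type -> applicable STRIDE categories (from the table above).
const APPLICABLE_STRIDE = {
  'tm.Actor': ['Spoofing', 'Repudiation'],
  'tm.Process': ['Spoofing', 'Tampering', 'Repudiation',
    'Information disclosure', 'Denial of service', 'Elevation of privilege'],
  'tm.Store': ['Tampering', 'Information disclosure', 'Denial of service'],
  'tm.Flow': ['Tampering', 'Information disclosure', 'Denial of service'],
};

// Normalise labels so "Information Disclosure" and "information disclosure" match.
const norm = (s) => String(s).toLowerCase().replace(/[^a-z]/g, '');

// Parse a model file's text (e.g. fs.readFileSync(path, 'utf8')).
function loadModel(jsonText) {
  return JSON.parse(jsonText);
}

// For each element, list applicable STRIDE categories with no threat recorded.
// Trust boundaries and unknown cell types carry no threats and are skipped.
function strideGaps(model) {
  const gaps = [];
  for (const diagram of model.detail?.diagrams ?? []) {
    for (const cell of diagram.cells ?? []) {
      const required = APPLICABLE_STRIDE[cell.data?.type];
      if (!required) continue;
      const covered = new Set((cell.data.threats ?? []).map((t) => norm(t.type)));
      const missing = required.filter((c) => !covered.has(norm(c)));
      if (missing.length) {
        gaps.push({ diagram: diagram.title, element: cell.data.name, missing });
      }
    }
  }
  return gaps;
}

// Open threats that have no mitigation text yet (report blockers).
function openThreatsWithoutMitigation(model) {
  const result = [];
  for (const diagram of model.detail?.diagrams ?? []) {
    for (const cell of diagram.cells ?? []) {
      for (const t of cell.data?.threats ?? []) {
        if (t.status === 'Open' && !(t.mitigation && t.mitigation.trim())) {
          result.push({ element: cell.data.name, threat: t.title });
        }
      }
    }
  }
  return result;
}

// Constructed sample model in the assumed layout (not a real export).
const SAMPLE_MODEL = {
  version: '2.2.0',
  summary: { title: 'E-Commerce Application' },
  detail: {
    diagrams: [{
      id: 0, title: 'Checkout Flow', diagramType: 'STRIDE',
      cells: [
        { data: { type: 'tm.Actor', name: 'Customer', threats: [
          { title: 'Session token theft', type: 'Spoofing', status: 'Mitigated',
            severity: 'High', mitigation: 'Short-lived tokens bound to the TLS session' },
          { title: 'Disputed order', type: 'Repudiation', status: 'Open',
            severity: 'Medium', mitigation: 'Signed order receipts and audit log' } ] } },
        { data: { type: 'tm.Process', name: 'Checkout API', threats: [
          { title: 'Price tampering', type: 'Tampering', status: 'Open',
            severity: 'High', mitigation: 'Server-side price lookup' } ] } },
        { data: { type: 'tm.Store', name: 'Orders DB', threats: [] } },
        { data: { type: 'tm.Flow', name: 'Browser -> Checkout API', threats: [
          { title: 'MITM on checkout request', type: 'Information disclosure',
            status: 'Open', severity: 'High', mitigation: '' } ] } },
        { data: { type: 'tm.Boundary', name: 'Internet' } },
      ],
    }],
  },
};

// Usage: node stride-check.js  (or pass a model file's text to loadModel)
for (const g of strideGaps(SAMPLE_MODEL)) {
  console.log(`[${g.diagram}] ${g.element}: no threat for ${g.missing.join(', ')}`);
}
for (const o of openThreatsWithoutMitigation(SAMPLE_MODEL)) {
  console.log(`Open, unmitigated: "${o.threat}" on ${o.element}`);
}
```

Run it against a real export by reading the file into a string and passing it to `loadModel`; a clean model produces no output, which makes the script usable as a pre-commit or CI gate on version-controlled threat models.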
Threat Dragon participates in the CycloneDX Threat Model Bill of Materials (TMBOM) effort, enabling export to a common format that can be consumed by other threat modeling tools and GRC platforms, preventing vendor lock-in.