Threat Modeling Tools
Threat modeling tools, compared
A practical, honest guide to the leading threat modeling tools — how they differ on automation, AI and data control, and deployment — with head-to-head comparisons so you can choose the right fit for your team.
The landscape at a glance
Based on publicly available information as of June 2026. Follow each link for the full, sourced head-to-head comparison.
| Tool | Approach | AI & data control | |
|---|---|---|---|
| Threatlas | Automated, continuous, code-connected. Agentic AI over a structured security knowledge graph. | Frontier or self-hosted open models (on-prem / air-gapped). EU-built, zero data retention. | How it works → |
| ThreatModeler Nexus | Agentic platform on a secure-design graph. Enterprise incumbent (ThreatModeler + IriusRisk, 2026). | Cloud “approved models” via bring-your-own-AI; vendor-managed SaaS. | vs Threatlas → |
| IriusRisk | Automated: diagram modeling plus a rules engine and a “Jeff” AI assistant. EU-built; now part of ThreatModeler. | “Jeff” powered by OpenAI (cloud). SaaS, plus on-premise for Enterprise; free Community Edition. | vs Threatlas → |
| Microsoft Threat Modeling Tool | Manual data-flow-diagram drawing with STRIDE. A free, point-in-time design-review tool. | No AI documented. Windows-only desktop app; single-user; minimally updated. | vs Threatlas → |
| SD Elements | Survey-driven security requirements & compliance automation (Security Compass). “Balanced Development Automation.” | “Navigator” AI assistant (beta). SaaS, plus on-site / self-hosted; ISO 27001 + SOC 2. | vs Threatlas → |
How to choose a threat modeling tool
Four questions cut through most of the noise.
Automated vs manual
Manual tools (like the Microsoft Threat Modeling Tool) rely on you drawing diagrams by hand for a point-in-time review. Automated tools build and maintain the model from your code, docs, and architecture as the system changes — essential if you ship continuously.
AI grounding & data control
AI features range from cloud-only assistants to fully self-hosted models. If you can’t send source code or architecture to a third-party cloud, look for bring-your-own-model and on-premises / air-gapped deployment. Ask where the AI runs and whether data is retained.
Architecture modeling vs requirements
Some tools model your architecture (components, data flows, trust boundaries) and reason about threats; others (like SD Elements) start from a questionnaire and generate security requirements and compliance tasks. They solve overlapping but different problems — be clear which you need.
Content breadth & extensibility
Established platforms ship broad pre-built libraries (dozens of frameworks, thousands of threats). Newer platforms compete on grounding, data sovereignty, and how easily you can extend the model with your own frameworks, controls, and policies.
Head-to-head comparisons
Each comparison is sourced from public documentation, with “not publicly documented” used wherever a vendor hasn’t published a detail.
Threat modeling tools — FAQ
What are the main threat modeling tools?
Widely-used threat modeling tools include ThreatModeler Nexus (the combined ThreatModeler + IriusRisk platform), IriusRisk, the Microsoft Threat Modeling Tool, SD Elements by Security Compass, and Threatlas. They differ mainly in whether they automate modeling from code, how their AI is grounded and where it runs, and whether they focus on architecture modeling or security requirements.
What is the difference between automated and manual threat modeling?
Manual threat modeling means a person draws a data-flow diagram and reasons through threats at a point in time — accurate the day it’s done, stale soon after. Automated threat modeling uses software to generate and maintain the model from your code, documents, and architecture, keeping it current as the system changes. Manual is fine for learning or occasional reviews; automated is needed when engineering ships continuously.
Which threat modeling tool is best for regulated or air-gapped environments?
For regulated, air-gapped, or data-sovereign environments, the key is whether the tool can run self-hosted AI models on your own infrastructure rather than calling a third-party cloud. Threatlas supports self-hosted open models (such as Qwen and Llama) running fully on-premises with zero data retention, which is designed for exactly these constraints.
How do I choose a threat modeling tool?
Decide along four axes: automated vs manual (do you need the model to stay current as code changes?), AI grounding and data control (cloud-only or self-hosted?), architecture modeling vs requirements automation (which problem are you solving?), and content breadth vs extensibility. Then compare shortlisted tools head-to-head against those needs.
See where Threatlas fits.
Threatlas is in private beta with a select group of security teams. Request a demo to see automated, data-sovereign threat modeling on your own stack.
Request a demoAll product names, logos, and brands are property of their respective owners. Threatlas is not affiliated with, endorsed by, or sponsored by any other vendor named here. This guide is based on publicly available information as of June 2026 and is provided for general information.