Threat models that understand your system. Not just its diagram.
Generic threat modeling tools treat the work as a Lego-block exercise: pick the components, get a stock threat list. But the right threat model depends on what your system actually does, what your organisation already cares about, and what your team can realistically mitigate. Threatweave produces threat models specific to your system and your organisation — and governs them through to closure.
Book a walkthrough
Five consultants, five threat models
Hand the same architecture to five experienced security consultants and you'll get five different threat models. Not because four of them are wrong — because threat modeling is inherently contextual. The right model depends on what the system actually does, what controls already exist, what compliance regime the org operates under, and what the team can realistically mitigate this quarter.
Generic threat modeling tools — and generic LLM wrappers — flatten all of that. Threatweave doesn't.
How Threatweave works
- Import your architecture: Upload a PNG or JPEG architecture diagram, or paste a written description of your system. Threatweave reads the diagram directly — no OCR step, no redrawing, no special format.
- Ground it in your context: Attach your security policies, architecture documentation, and prior audit findings. Threatweave reads them and weaves what's relevant into every stage of its reasoning.
- Multi-stage reasoning: Threatweave reasons through your system in stages: assets first, then flows, then threats, then a gap-analysis pass that catches missing coverage. Each stage builds on the last, so threats stay tied to the components it actually found — it can't invent ones that aren't there.
- Govern outcomes through to closure: Every threat moves through a five-state lifecycle: proposed, under review, then mitigated, accepted, or waived. Each transition is permission-gated. Waivers require a future expiry date and Threatweave reopens them automatically when they lapse. Every change is recorded.
Why context matters
Threatweave's knowledge base is the strongest answer to "why won't this just be another generic list of threats." Attach the documents that actually describe your environment — your zero-trust runbook, your data classification policy, the architecture review from last quarter, the post-mortem from the incident that triggered this engagement — and Threatweave applies them throughout the threat model.
Supported formats: PDF, DOCX, Markdown, and plain text. Up to 20 documents per knowledge base, up to 50 MB per document. Org-scoped and shareable across projects.
Features
Multi-stage reasoning
Threatweave works through your system in stages — assets, flows, threats, mitigations — each step building on the last. Threats stay tied to the components it actually identified, never invented ones. A separate gap-analysis pass re-checks coverage before the model is done.
Grounded in your context
Attach your security policies, architecture docs, and audit history. Threatweave reads them and applies them throughout, so the model reflects your environment — not a generic checklist. Supported formats: PDF, DOCX, MD, TXT — up to 20 documents per knowledge base.
Per-threat attack trees
For any threat, see how an attacker could chain steps to reach it, mapped to MITRE ATT&CK tactics. AI-generated, hand-editable, and exported with the model in PDF, DOCX, JSON, Markdown, HTML, or ZIP.
Mitigation library
Build a reusable library of mitigations, shared across projects or your whole org. Tag them by NIST SP 800-53 control family, STRIDE category, control type, and effort.
Lifecycle governance
Every threat moves through a five-state lifecycle: proposed, under review, mitigated, accepted, or waived. Waived threats need a future expiry date; Threatweave reopens them automatically when the waiver lapses. Every change is recorded in a queryable audit log.
Reads your real diagrams
Threatweave reads PNG and JPEG architecture diagrams directly — no OCR, no redrawing, no special format. Your team uploads the same diagrams they show in design reviews.
STRIDE-organised coverage
Threatweave threat-models your whole system, then organises every finding across the six STRIDE categories — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
Multi-tenant and enterprise-ready
Strict tenant isolation, SSO via WorkOS (OIDC and SAML), and role-based access control with fine-grained permissions at the org, project, and threat-model level.
Who Threatweave is for
- Security architects responsible for threat modeling at scale across multiple product teams.
- AppSec leads coordinating reviews and translating findings into engineering work.
- Platform teams in regulated industries preparing for SOC 2 or ISO 27001 audits and needing demonstrable governance over identified threats.
How Threatweave compares
vs. spreadsheets
Spreadsheets capture decisions but cannot reason about your architecture, retrieve from your policies, generate attack trees, or auto-expire waivers. Threatweave does all four.
vs. traditional threat modeling tools (ThreatModeler, IriusRisk, SD Elements)
Traditional tools rely on a component library: select components, get the stock threat list attached to those components. Threatweave grounds threat generation in your actual organisation context, not a generic component-to-threat mapping.
vs. pure-LLM threat modeling tools
Pure-LLM tools accept whatever the model produces in one pass. Threatweave works through your system in stages and checks its own coverage — so the threats are grounded in your real architecture, not improvised.
Frequently asked questions
What is Threatweave?
Threatweave is a context-grounded threat modeling platform. A multi-stage AI agent reads your architecture diagram, retrieves relevant excerpts from your organisation's policies and prior audits, and produces a STRIDE-aligned threat model that you govern through to closure across a five-state lifecycle with automatic waiver expiry and a full audit log.
Who is Threatweave for?
Security architects, AppSec leads, and platform teams in regulated industries. Designed for teams that have outgrown spreadsheets but found generic threat modeling tools too one-size-fits-all.
How is Threatweave different from ThreatModeler, IriusRisk, and SD Elements?
Traditional tools treat threat modeling as a Lego-block exercise — pick components, get a stock list. Threatweave grounds threats in your organisation's actual context — security policies, architecture docs, prior audits — and uses a multi-stage agent that keeps every finding tied to your real system.
How is Threatweave different from pure-LLM threat modeling tools?
Pure-LLM tools generate a threat list in one pass and trust whatever the model returns. Threatweave works through your system step by step and checks its own coverage as it goes — so you get a threat model grounded in your real architecture, not an improvised list.
How does Threatweave prevent LLM hallucinations?
Threatweave only raises threats against components it has actually identified in your system — it can't invent a service or data store that isn't there. A second pass re-checks the model for gaps, so real threats aren't missed either.
How does Threatweave use organisational context to generate threat models?
Attach your security policies, architecture docs, and past audit findings to a threat model. Threatweave reads them and applies them throughout — so the threats and mitigations reflect how your organisation actually operates, not a generic checklist.
What threat frameworks does Threatweave use?
Threatweave threat-models your whole system rather than working through a fixed framework checklist, then organises every finding by STRIDE category. That keeps the model comprehensive and easy to review, without limiting it to one framework's catalogue.
What architecture diagrams can I import into Threatweave?
Threatweave accepts PNG and JPEG architecture diagrams up to 5 MB. It reads the diagram directly — no OCR step, no redrawing. You can also paste a free-text description of your system. Draw.io, Lucidchart, OpenAPI, and Terraform parsing are on the roadmap.
Does Threatweave generate attack trees?
Yes. For any threat, Threatweave builds an attack tree showing the steps an attacker would chain to reach it, mapped to MITRE ATT&CK tactics. You can refine the tree by hand, and it exports with the rest of the model.
How does threat governance work in Threatweave?
Every threat moves through a five-state lifecycle: proposed, under review, mitigated, accepted, or waived. Each transition is permission-gated. Waivers require a future expiry date, and Threatweave automatically reopens them when they lapse. Every change is recorded in the audit log.
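The lifecycle rules described here and in the Features section (five states, permission-gated transitions, waivers that require a future expiry and reopen when they lapse, every change logged) modelled as an added Python example. This is illustrative code written for this page, not Threatweave's implementation. The role names (`analyst`, `approver`), the exact transition graph beyond what the page states, and the choice to reopen a lapsed waiver into "under review" are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Illustrative model of the lifecycle the page describes; not Threatweave's code.
STATES = {"proposed", "under_review", "mitigated", "accepted", "waived"}

# Page: proposed -> under review -> mitigated | accepted | waived.
# Assumption: a lapsed waiver reopens into under_review.
TRANSITIONS = {
    ("proposed", "under_review"),
    ("under_review", "mitigated"),
    ("under_review", "accepted"),
    ("under_review", "waived"),
    ("waived", "under_review"),  # reopen on lapse
}

# Assumed role model: analysts triage, only approvers close or waive.
PERMISSIONS = {
    "analyst": {"under_review"},
    "approver": {"under_review", "mitigated", "accepted", "waived"},
}


class TransitionError(Exception):
    """Raised when a transition is unknown, not permitted, or a waiver lacks a valid expiry."""


@dataclass
class Threat:
    id: str
    component: str
    state: str = "proposed"
    waiver_expires: Optional[datetime] = None


@dataclass
class ThreatRegister:
    threats: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, threat: Threat, now: datetime) -> None:
        self.threats[threat.id] = threat
        self._record("system", threat, None, threat.state, now, "created")

    def transition(self, actor: str, role: str, threat_id: str, new_state: str,
                   now: datetime, expires: Optional[datetime] = None, reason: str = "") -> None:
        threat = self.threats[threat_id]
        if (threat.state, new_state) not in TRANSITIONS:
            raise TransitionError(f"{threat.state} -> {new_state} is not a valid transition")
        if new_state not in PERMISSIONS.get(role, set()):
            raise TransitionError(f"role {role!r} may not move a threat to {new_state}")
        if new_state == "waived":
            # Waivers must carry an expiry strictly in the future.
            if expires is None or expires <= now:
                raise TransitionError("waiver requires a future expiry date")
            threat.waiver_expires = expires
        else:
            threat.waiver_expires = None
        old = threat.state
        threat.state = new_state
        self._record(actor, threat, old, new_state, now, reason)

    def reopen_lapsed(self, now: datetime) -> list:
        """Reopen every waived threat whose expiry has passed; returns the ids reopened."""
        reopened = []
        for t in self.threats.values():
            if t.state == "waived" and t.waiver_expires is not None and t.waiver_expires <= now:
                t.state, t.waiver_expires = "under_review", None
                self._record("system", t, "waived", "under_review", now, "waiver lapsed")
                reopened.append(t.id)
        return reopened

    def _record(self, actor, threat, old, new, now, reason) -> None:
        self.audit_log.append({"ts": now.isoformat(), "actor": actor, "threat": threat.id,
                               "from": old, "to": new, "reason": reason})


def run_demo() -> dict:
    """Constructed scenario: two threats, three rejected moves, one waiver that lapses."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg = ThreatRegister()
    reg.add(Threat("T-1", "api-gateway"), now)
    reg.add(Threat("T-2", "order-db"), now)
    rejected = []
    attempts = [  # (label, actor, role, id, target, expires)
        ("skip-review", "alice", "analyst", "T-1", "accepted", None),
    ]
    for label, actor, role, tid, target, exp in attempts:
        try:
            reg.transition(actor, role, tid, target, now, exp)
        except TransitionError:
            rejected.append(label)
    reg.transition("alice", "analyst", "T-1", "under_review", now)
    reg.transition("alice", "analyst", "T-2", "under_review", now)
    for label, actor, role, exp in [("analyst-waive", "alice", "analyst", now + timedelta(days=30)),
                                    ("past-expiry", "bob", "approver", now - timedelta(days=1))]:
        try:
            reg.transition(actor, role, "T-2", "waived", now, exp)
        except TransitionError:
            rejected.append(label)
    reg.transition("bob", "approver", "T-2", "waived", now, now + timedelta(days=30), "compensating control")
    reg.transition("bob", "approver", "T-1", "mitigated", now, reason="mTLS enforced")
    reopened = reg.reopen_lapsed(now + timedelta(days=31))
    return {"states": {t.id: t.state for t in reg.threats.values()},
            "rejected": rejected, "reopened": reopened, "audit_entries": len(reg.audit_log)}


if __name__ == "__main__":
    print(run_demo())
```

The three rejected moves show the three gates in order: an invalid edge (accepting straight from proposed), a role without the right to waive, and a waiver whose expiry is already in the past. Rejected attempts raise before anything is written, so the audit log only ever records transitions that actually happened; a real system would also log the refusals.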
Does Threatweave support SSO and SCIM?
Threatweave supports SSO through WorkOS AuthKit: managed OIDC, with SAML connections to your identity provider available via WorkOS. SCIM 2.0 user provisioning is on the enterprise roadmap; it is not shipping today.
How does Threatweave pricing work?
Pricing is tailored to your team's size and needs. Book a walkthrough and we'll put together the right plan for your organisation.
Ship threat models you can defend
Stop guessing which threats apply to your system. Start with a model grounded in your organisation's actual context — and a governed lifecycle that records every threat decision from raised to resolved.
Book a walkthrough