AI Disclaimer
Last updated: February 2026
How ThreatKrew Works
ThreatKrew uses large language models (via Amazon Bedrock) across a multi-stage pipeline to analyze your architecture documents and generate threat models. Each assessment runs through independent stages — architectural analysis, threat identification, and remediation planning — with structured validation and error correction between stages.
We’ve built verification, deduplication, and quality scoring into the pipeline. But at its core, every finding is generated by AI. And AI has inherent limitations that you need to understand.
What AI Can Get Wrong
AI-generated threat models can contain errors. Specifically:
- False positives. The system may flag threats that don’t apply to your specific context, configuration, or deployment model.
- False negatives. The system may miss threats — especially novel attack vectors, zero-day vulnerabilities, or risks specific to bespoke or proprietary systems it hasn’t encountered.
- Hallucinated mappings. MITRE ATT&CK technique IDs, NIST SP 800-53 control references, or STRIDE categorizations may be inaccurate or misattributed, and a cited identifier may not exist in the published catalog at all. A real parent technique paired with an invented sub-technique number is a typical form.
- Input dependency. The quality of the analysis depends heavily on the quality and detail of your input architecture document. Vague or incomplete descriptions produce vague or incomplete threat models.
- Context limitations. The system doesn’t have visibility into your runtime environment, actual configurations, network topology, or operational practices. It analyzes what you describe, not what you’ve deployed.
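The hallucinated-mapping failure above is the one you can partly catch mechanically, because the identifiers have a fixed syntax and a published catalog. The script below is an added example, not ThreatKrew code: it checks each finding's ATT&CK, NIST SP 800-53 and STRIDE references for well-formedness and for membership in a catalog, and returns only the findings a human still has to look at. The finding shape (keys `id`, `attack`, `nist`, `stride`) is an assumption about the report format, and the catalogs are a constructed subset of real identifiers so the script runs offline; in practice you would load the full ATT&CK STIX bundle and the 800-53 control catalog instead.

```python
"""Flag framework references in AI-generated findings that cannot be resolved.

Added example; not ThreatKrew code. The finding shape (keys "id", "attack",
"nist", "stride") is assumed, and the catalogs are a constructed subset so the
script runs offline. A real check would load the full MITRE ATT&CK STIX bundle
and the NIST SP 800-53 Rev. 5 control catalog instead of hard-coding them.
"""
import re
from typing import Optional

# Constructed subset of real identifiers (assumption: a deployment loads the full catalogs).
KNOWN_ATTACK = {
    "T1078",      # Valid Accounts
    "T1078.004",  # Valid Accounts: Cloud Accounts
    "T1190",      # Exploit Public-Facing Application
    "T1552",      # Unsecured Credentials
    "T1552.001",  # Unsecured Credentials: Credentials In Files
}
KNOWN_NIST = {"AC-2", "AC-6", "IA-5", "SC-8", "SI-10"}
STRIDE = {
    "Spoofing", "Tampering", "Repudiation",
    "Information Disclosure", "Denial of Service", "Elevation of Privilege",
}

# Identifier syntax: Tdddd or Tdddd.ddd; XX-n or XX-n(m), no leading zeros.
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
NIST_ID = re.compile(r"^[A-Z]{2}-[1-9]\d?(?:\([1-9]\d?\))?$")


def check_attack(tid: str) -> Optional[str]:
    """Return a problem description for an ATT&CK technique ID, or None if it resolves."""
    if not ATTACK_ID.match(tid):
        return f"malformed ATT&CK ID {tid!r}"
    parent = tid.split(".")[0]
    if parent not in KNOWN_ATTACK:
        return f"unknown ATT&CK technique {tid!r}"
    if tid not in KNOWN_ATTACK:
        # Common hallucination: a real parent technique with an invented sub-technique number.
        return f"unknown ATT&CK sub-technique {tid!r} (parent {parent} exists)"
    return None


def check_nist(cid: str) -> Optional[str]:
    """Return a problem description for a NIST SP 800-53 control ID, or None if it resolves."""
    if not NIST_ID.match(cid):
        return f"malformed NIST SP 800-53 control {cid!r}"
    base = cid.split("(")[0]  # "SC-8(1)" -> base control "SC-8"
    if base not in KNOWN_NIST:
        return f"unknown NIST SP 800-53 control {cid!r}"
    return None


def check_stride(category: str) -> Optional[str]:
    """STRIDE has exactly six categories; anything else is a mislabel."""
    return None if category in STRIDE else f"not a STRIDE category: {category!r}"


def validate_finding(finding: dict) -> list:
    """Collect every unresolved reference in one finding; empty list means all mappings resolve."""
    problems = []
    for tid in finding.get("attack", []):
        problem = check_attack(tid)
        if problem:
            problems.append(problem)
    for cid in finding.get("nist", []):
        problem = check_nist(cid)
        if problem:
            problems.append(problem)
    if "stride" in finding:
        problem = check_stride(finding["stride"])
        if problem:
            problems.append(problem)
    return problems


def triage(findings: list) -> dict:
    """Return only the findings a human must review, keyed by finding id."""
    report = {}
    for finding in findings:
        problems = validate_finding(finding)
        if problems:
            report[finding["id"]] = problems
    return report


# Constructed sample report: two clean findings, two with hallucinated references.
SAMPLE_FINDINGS = [
    {"id": "F-1", "attack": ["T1190"], "nist": ["SI-10"], "stride": "Tampering"},
    {"id": "F-2", "attack": ["T1078.004"], "nist": ["AC-2", "IA-5"], "stride": "Spoofing"},
    {"id": "F-3", "attack": ["T1552.099"], "nist": ["AC-02"], "stride": "Privilege Escalation"},
    {"id": "F-4", "attack": ["T9999"], "nist": ["SC-8(1)"], "stride": "Information Disclosure"},
]

if __name__ == "__main__":
    for fid, problems in triage(SAMPLE_FINDINGS).items():
        print(fid)
        for problem in problems:
            print("  -", problem)
```

Running it on the sample lists F-3 (invented sub-technique, zero-padded control ID, a category that is not one of the six STRIDE terms) and F-4 (technique number that does not exist). A catalog check like this only proves the reference exists; whether T1190 is the right technique for the finding still needs a reviewer.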
What ThreatKrew Is
ThreatKrew is a tool to accelerate and augment threat modeling. It’s designed to:
- Give you a structured starting point for security analysis
- Surface threats you might not have considered
- Map findings to established frameworks (STRIDE, MITRE ATT&CK, NIST SP 800-53)
- Get you 80% of the way there fast, so your team can focus on the hard 20%
What ThreatKrew Is Not
- Not a replacement for security professionals. AI can identify patterns. It can’t replace the judgement of an experienced security architect who understands your business context, threat landscape, and risk appetite.
- Not a compliance certification. A ThreatKrew report does not certify compliance with any standard, regulation, or framework — including the ones we reference (NIST, MITRE, etc.).
- Not a guarantee against breaches. No tool, methodology, or team can guarantee you won’t be breached. ThreatKrew reduces risk. It doesn’t eliminate it.
- Not a substitute for penetration testing, code review, or security architecture review. These are complementary activities. ThreatKrew works alongside them, not instead of them.
Your Responsibility
- Review and validate all findings. Treat ThreatKrew output as a starting point, not a final answer. Every finding should be reviewed by someone who understands your system, and every framework reference (ATT&CK technique IDs, NIST SP 800-53 controls) should be checked against the published catalog before it goes into a risk register or compliance evidence.
- Engage qualified professionals for critical systems. If you’re building something where security failures have serious consequences, work with experienced security professionals.
- Don’t rely on any single tool. ThreatKrew should be one part of your security program — not the whole thing. Combine it with manual review, testing, and ongoing monitoring.
Our Commitment
We continuously improve our analysis pipeline, add verification stages, and are transparent about what our system can and can’t do. We’d rather under-promise and over-deliver than the reverse.
If you find an issue with our analysis — a false positive, a missed threat, or an incorrect mapping — we want to hear about it. Reach out at feedback@threatkrew.io.
For the full legal terms, see our Terms of Service.