Why We Built Automated Threat Modeling
How years of manual threat modeling led us to build ThreatKrew's automated threat modeling platform. Making professional security analysis accessible to every team.
Dave Barton
Co-founder
The pattern we couldn’t ignore
For years, we performed threat modeling the traditional way: sitting in rooms with architects and developers, whiteboarding systems, tracing data flows, identifying trust boundaries, and manually working through every threat category. The manual threat modeling process was thorough and rigorous. It was also painfully slow.
A single engagement would take four to eight weeks. The deliverable was a detailed PDF — sometimes fifty, sixty pages — that represented a genuine effort from experienced security professionals. It was good work. We were proud of it. But we also knew, deep down, that something was wrong with the model.
By the time that PDF landed in someone’s inbox, the architecture had already changed. New features had shipped. The threat model was becoming a historical document before anyone had finished reading it.
The real problem isn’t expertise — it’s process
We spent years assuming the bottleneck was talent. There just weren’t enough experienced threat modelers to go around. And that’s partly true. But the deeper realization was that the expertise wasn’t rare — it was trapped in a process that didn’t scale.
Think about it: the methodology behind threat modeling is well-understood. STRIDE has been around for decades. MITRE ATT&CK catalogs real-world adversary techniques. NIST SP 800-53 provides comprehensive security controls. The frameworks exist. The knowledge is documented. What’s missing is a way to apply it without spending weeks and tens of thousands of dollars.
We kept seeing the same pattern: teams that wanted to do the right thing but couldn’t justify the investment. Startups that knew they should threat model but were stretched too thin. Enterprises that could afford it but only for their most critical systems, leaving everything else unexamined. The frameworks exist — STRIDE, PASTA, Attack Trees — but the traditional process for applying them was prohibitively slow.
The question that started everything
One evening, after wrapping up yet another engagement that had taken six weeks to deliver, we asked ourselves a question that wouldn’t let go: What if the methodology could be encoded?
Not a chatbot that guesses at threats. Not a template that generates generic output. A proper, multi-stage system that does what we do — extract architecture, identify assumptions, apply frameworks, map remediations — with the rigour that security work demands.
We knew what “good” looked like because we’d been doing it for years. The question was whether we could build a system that consistently met that standard.
Building with rigour
The answer wasn’t simple. It took months of experimentation. We tried single-model approaches and found they couldn’t maintain quality across the full scope of analysis. We tried chaining prompts and found the output degraded as the chain grew longer.
What eventually worked was a multi-stage AI platform that applies the same methodology with the same rigour. Built-in verification at every step ensures findings are grounded in the architecture and defensible under scrutiny. We challenge our own conclusions before they make it into the report — the same way we did manually, but systematized and reliable.
We built the system we wished we’d had for all those years — something that applies the same methodology, with the same rigour, but in minutes instead of months.
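As an added illustration (not ThreatKrew's code, which this post does not show), here is what "encoding the methodology" can look like in miniature: a constructed toy architecture, a STRIDE-per-element pass with an explicit assumptions stage, a remediation mapping, and a grounding check that rejects findings naming elements the model does not contain or categories STRIDE does not assign to that element kind. The element names, the remediation hints and the assumption key are all constructed for this example.

```python
from dataclasses import dataclass

# Classic STRIDE-per-element rule: which threat categories apply to which element kind.
STRIDE_BY_KIND = {
    "process": "STRIDE", "data_store": "TRID", "data_flow": "TID", "external_entity": "SR",
}
# Category name plus a constructed remediation hint (illustrative, not a control catalogue).
STRIDE = {
    "S": ("Spoofing", "authenticate the principal (mutual TLS or signed tokens)"),
    "T": ("Tampering", "integrity-protect data (signatures, input validation)"),
    "R": ("Repudiation", "emit tamper-evident audit logs"),
    "I": ("Information Disclosure", "encrypt in transit and at rest"),
    "D": ("Denial of Service", "rate-limit and set resource quotas"),
    "E": ("Elevation of Privilege", "enforce least privilege, authorise every call"),
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    crosses_boundary: bool = False  # only meaningful for data flows

# Constructed toy architecture: a browser calling an API that reads an orders database.
MODEL = [
    Element("Browser", "external_entity"),
    Element("API", "process"),
    Element("Orders DB", "data_store"),
    Element("Browser->API", "data_flow", crosses_boundary=True),
    Element("API->Orders DB", "data_flow"),
]
# Assumptions are explicit inputs, so a reviewer can see why a threat was scoped out.
ASSUMPTIONS = {"internal_flows_trusted": True}

def analyse(elements, assumptions):
    """Apply STRIDE per element under the stated assumptions; return (element, category, remediation)."""
    findings = []
    for el in elements:
        letters = STRIDE_BY_KIND[el.kind]
        # Flows that never cross a trust boundary are out of scope if the assumption says so.
        if el.kind == "data_flow" and not el.crosses_boundary and assumptions.get("internal_flows_trusted"):
            letters = ""
        findings += [(el.name, STRIDE[c][0], STRIDE[c][1]) for c in letters]
    return findings

def verify(findings, elements):
    """Grounding check for findings from any source (e.g. a generative stage): keep only those
    that name a modelled element and a category STRIDE allows for that element's kind."""
    kind_of = {e.name: e.kind for e in elements}
    letter_of = {name: c for c, (name, _) in STRIDE.items()}
    return [f for f in findings
            if f[0] in kind_of and letter_of.get(f[1], "?") in STRIDE_BY_KIND[kind_of[f[0]]]]
```

Running `verify` over the output of `analyse` is a no-op; its value is in filtering findings produced by a less constrained upstream stage before they reach a report.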
The democratization mission
Here’s what excites us most about ThreatKrew: it’s not just about speed. It’s about access.
When threat modeling typically costs $15,000 or more per engagement, only well-funded organizations can afford it. That means the teams that need it most — early-stage startups, small engineering teams, organizations without dedicated security staff — are the ones least likely to get it.
We believe that’s wrong. Professional security analysis should be accessible to every team. Every team building software deserves to understand the security risks in their architecture, whether they have two developers or two thousand.
That’s the mission: make what enterprises invest heavily in accessible to every team. Not a watered-down version. Not a checklist or a scan. Real architecture analysis. Real threats. Real remediations. The same quality of work we’ve been delivering for years, now available to anyone who needs it.
What’s next
We’re currently running our Founders Program — an early access group of teams who are helping us shape the product. Their feedback has been invaluable. Every conversation makes ThreatKrew better.
If you’re building something and want to understand its security posture, we’d love to hear from you. Not because we have a perfect product — we don’t, and we’d never claim to — but because we’re building something we genuinely believe the industry needs, and we want to build it with the people who need it most.
This is just the beginning. We have a long road ahead, and we’re taking it one step at a time. But every team that gets access to professional threat modeling for the first time makes the effort worthwhile.
Ready to experience the benefits of automated threat modeling? Learn more about what we learned building ThreatKrew, understand why threat modeling matters for your security strategy, or see how ThreatKrew works.
Interested in trying it out? Explore the product or join the Founders Program and be among the first to shape the product roadmap.
Dave Barton
Co-founder
Co-founder of ThreatKrew. Former AWS security specialist with years of experience securing enterprise infrastructure. Passionate about making professional security analysis accessible to every team.