How it works
From architecture to threat model in three steps
No specialist training. No diagrams to draw. Describe your system and get professional security analysis powered by our agentic AI platform.
01
Upload your architecture
Paste a markdown document, connect a GitHub repository, or upload interview notes. Describe your system in plain language — no special notation, no diagrams to draw, no DSL to learn.
02
AI analyzes your design
Our agentic AI platform analyzes your architecture using STRIDE, MITRE ATT&CK, and NIST SP800-53 frameworks. Every finding is independently verified before it reaches your report.
03
Get your threat model
Receive a comprehensive report with actionable findings: identified threats ranked by severity, specific remediation controls, architecture diagrams, and a security assumptions register. Download as Markdown or PDF.
How it works
Our agentic AI platform combines multiple specialized AI models to analyze your architecture systematically. Each capability feeds into the next, building a complete understanding of your security posture.
Architectural understanding
Our platform extracts the components, data flows, trust boundaries, and security assumptions that define your system.
Systematic threat identification
We apply STRIDE methodology to identify potential threats across all six threat categories relevant to your architecture.
Real-world attack mapping
Each threat is mapped to specific MITRE ATT&CK techniques, showing you which adversary tactics are most relevant to your design.
Targeted remediation
We recommend specific NIST SP800-53 controls matched to your threats, with clear implementation guidance.
Independent verification
Every finding is independently reviewed and verified before inclusion in your report, catching mistakes and false positives.
What you get
A complete, actionable threat model with findings ranked by severity and specific implementation steps for each control.
Architecture graph
Components, data flows, trust boundaries with security scoring
Security assumptions
Implicit design assumptions identified and independently verified
STRIDE threats
Identified threats with severity ratings and detailed descriptions
MITRE ATT&CK mapping
Threats mapped to real-world adversary techniques
NIST SP800-53 controls
Specific remediation controls with implementation guidance
Architecture diagrams
Generated visualizations of your system architecture and data flows
Full report
Comprehensive report available in Markdown and PDF
Quality assurance
We don't just generate output and hope for the best.
Independent verification
Every threat, assumption, and remediation recommendation is verified independently before reaching your report, catching inconsistencies and false positives.
Structured validation
All findings are validated for completeness and coherence. Incomplete or malformed results are caught immediately and corrected.
Error correction
When the platform detects quality issues, it corrects them before delivery. You get findings you can act on, not findings you have to debug.
What to expect
While we verify and validate every finding, AI-generated analysis has inherent limitations — including the possibility of false positives, missed threats, or inaccurate mappings. ThreatKrew output should be reviewed by qualified professionals and used to augment, not replace, your security program. Read our full AI Disclaimer.
See it for yourself
Join the Founders Program and get professional threat modeling for your architecture.