# Threat Model Spec
Security threat modeling diagrams as code with D2 and STIX 2.1 export.
Threat Model Spec is an open-source Go library and CLI for creating security threat modeling diagrams programmatically. Define your threat models in JSON, render them to D2 diagrams, and export to STIX 2.1 for threat intelligence sharing.
## Features

- Diagrams-as-Code: define threat models in JSON, render to D2/SVG
- Multiple Diagram Types: DFD, Attack Chain, Sequence diagrams
- Framework Mappings: MITRE ATT&CK, MITRE ATLAS, OWASP Top 10, STRIDE, CWE, CVSS
- STIX 2.1 Export: share threat intelligence in a standard format
- D2 Styles: color-coded STRIDE annotations, trust boundaries, attack flows
- Validation: type-specific field validation
## Quick Example

Define a threat model in JSON using the ThreatModel format (the canonical multi-diagram representation):

```json
{
  "id": "websocket-localhost-takeover",
  "title": "WebSocket Localhost Takeover",
  "description": "Attack exploiting missing origin validation",
  "mappings": {
    "mitreAttack": [
      {"tacticId": "TA0001", "techniqueId": "T1189", "techniqueName": "Drive-by Compromise"}
    ],
    "owasp": [
      {"category": "api", "id": "API2:2023", "name": "Broken Authentication"}
    ]
  },
  "diagrams": [
    {
      "type": "attack-chain",
      "title": "Attack Chain",
      "elements": [
        {"id": "attacker", "label": "Attacker", "type": "external-entity"},
        {"id": "victim", "label": "Victim", "type": "process"}
      ],
      "attacks": [
        {"step": 1, "from": "attacker", "to": "victim", "label": "WebSocket to localhost"}
      ]
    }
  ]
}
```
Generate diagrams:

```bash
# Generate D2 diagram from ThreatModel
tms generate threat-model.json -o diagram.d2

# Also render to SVG
tms generate threat-model.json -o diagram.d2 --svg

# Export to STIX 2.1
tms generate threat-model.json --stix -o threat-model.stix.json
```
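The two steps the CLI performs on that document, validation and STIX 2.1 export, as an added Go example that is not the project's own code: it decodes the quick-example ThreatModel JSON, checks that every attack step references a declared element id and that attack-chain steps are numbered in order, and emits a STIX 2.1 bundle with one `attack-pattern` per MITRE ATT&CK mapping. The type and function names (`LoadModel`, `Validate`, `ToSTIX`) are assumptions for this example, not the library's API, and `SampleModel` is the page's example compacted into a constant.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Added example, not the library's API: these types mirror the ThreatModel JSON
// above (encoding/json matches keys case-insensitively, so no tags are needed).
type Element struct{ ID, Label, Type string }
type Attack struct {
	Step            int
	From, To, Label string
}
type Diagram struct {
	Type, Title string
	Elements    []Element
	Attacks     []Attack
}
type AttackMapping struct{ TacticID, TechniqueID, TechniqueName string }
type ThreatModel struct {
	ID, Title, Description string
	Mappings               struct{ MitreAttack []AttackMapping }
	Diagrams               []Diagram
}

// SampleModel is the page's quick-example model, compacted (constructed input).
const SampleModel = `{"id": "websocket-localhost-takeover", "title": "WebSocket Localhost Takeover",
 "description": "Attack exploiting missing origin validation",
 "mappings": {"mitreAttack": [{"tacticId": "TA0001", "techniqueId": "T1189", "techniqueName": "Drive-by Compromise"}]},
 "diagrams": [{"type": "attack-chain", "title": "Attack Chain",
  "elements": [{"id": "attacker", "label": "Attacker", "type": "external-entity"},
               {"id": "victim", "label": "Victim", "type": "process"}],
  "attacks": [{"step": 1, "from": "attacker", "to": "victim", "label": "WebSocket to localhost"}]}]}`

// LoadModel decodes a ThreatModel document.
func LoadModel(data []byte) (ThreatModel, error) {
	var tm ThreatModel
	err := json.Unmarshal(data, &tm)
	return tm, err
}

// Validate returns one message per problem found: attack steps that point at
// undeclared element ids, and attack-chain steps not numbered 1..n in order.
func Validate(tm ThreatModel) []string {
	var problems []string
	for _, d := range tm.Diagrams {
		ids := map[string]bool{}
		for _, e := range d.Elements {
			ids[e.ID] = true
		}
		for i, a := range d.Attacks {
			if d.Type == "attack-chain" && a.Step != i+1 {
				problems = append(problems, fmt.Sprintf("%s: expected step %d, got %d", d.Title, i+1, a.Step))
			}
			for _, ref := range []string{a.From, a.To} {
				if !ids[ref] {
					problems = append(problems, fmt.Sprintf("%s: step %d references unknown element %q", d.Title, a.Step, ref))
				}
			}
		}
	}
	return problems
}

// newUUID returns a random version-4 UUID, the identifier form STIX 2.1 uses.
func newUUID() string {
	b := make([]byte, 16)
	rand.Read(b)
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// ToSTIX emits a STIX 2.1 bundle with one attack-pattern per MITRE ATT&CK
// mapping; external_references is how consumers link the object back to ATT&CK.
func ToSTIX(tm ThreatModel) map[string]any {
	now := time.Now().UTC().Format("2006-01-02T15:04:05.000Z")
	objects := []map[string]any{}
	for _, m := range tm.Mappings.MitreAttack {
		objects = append(objects, map[string]any{
			"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--" + newUUID(),
			"created": now, "modified": now, "name": m.TechniqueName, "description": tm.Description,
			"external_references": []map[string]string{{"source_name": "mitre-attack", "external_id": m.TechniqueID}},
		})
	}
	return map[string]any{"type": "bundle", "id": "bundle--" + newUUID(), "objects": objects}
}

func main() {
	tm, err := LoadModel([]byte(SampleModel))
	if err != nil {
		panic(err)
	}
	fmt.Println("validation problems:", Validate(tm))
	out, _ := json.MarshalIndent(ToSTIX(tm), "", "  ")
	fmt.Println(string(out))
}
```

Run with `go run .`; the sample passes validation, and changing an attack's `to` to an id that no element declares is the kind of defect the referential check reports before anything is rendered or shared.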
## Getting Started

- Installation: install the Go library or CLI tool
- Quick Start: create your first threat model diagram
- Concepts: learn about diagram types and security frameworks
- Specification: JSON IR schema reference
## Supported Frameworks
| Framework | Description |
|---|---|
| STRIDE | Microsoft threat categorization model |
| MITRE ATT&CK | Adversary tactics and techniques |
| MITRE ATLAS | AI/ML threat matrix |
| OWASP Top 10 | Web, API, and LLM security risks |
| CWE | Common Weakness Enumeration |
| CVSS | Common Vulnerability Scoring System |
## Example: OpenClaw Vulnerability
See the complete OpenClaw case study demonstrating a WebSocket localhost takeover vulnerability with:
- Data Flow Diagram (DFD)
- Attack Chain with MITRE ATT&CK mapping
- Sequence Diagram
- STRIDE threat analysis
## License
MIT License - see LICENSE