
Threat modeling

The Threat Model Project is an over-arching project provided by OWASP that seeks to inform and guide on the very large domain that is Threat Modeling.

What is the Threat Model project?

The Threat Model project is not intended to be a primary source on the threat modeling domain; there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat.

Instead, the Threat Model project seeks to provide information on threat modeling techniques for applications and systems of all types, with a focus on current and emerging techniques.

To do this, the project intends to gather techniques, methodologies, tools and examples. There is also the intention to foster a threat modeling community and support it through initiatives and forums.

Note that much of this is what the project intends to provide in the future. As of January 2026 the project is going through a change process that will better provide this information and guidance.

Why refer to this project?

The Threat Modeling project is an over-arching project for the other threat modeling projects and resources.

It can be used as a landing page for all things threat modeling: the starting point for finding resources and tools as well as the core concepts. For example, there is an introduction to Shostack's Four Question Framework that then references the primary source if the user needs to know more.

OWASP threat modeling projects

Threat modeling is a wide domain and OWASP provides many projects alongside the Threat Modeling project:

Production:

Lab:

Incubator:

These projects have been categorized by OWASP according to their importance and maturity.

Further reading


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.