Threat modeling

The OWASP Threat Modeling Project is an over-arching project that seeks to inform and guide on the very large domain that is Threat Modeling.

What is the Threat Model project?

The Threat Model project is not intended to be a primary source on the threat modeling domain; there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat.

Instead, the Threat Model project seeks to provide direction on threat modeling techniques for applications and systems of all types, with a focus on current and emerging techniques. To provide this, the project intends to collate threat modeling techniques, methodologies, tools and examples.

There is also the aim to foster a threat modeling community and support it through initiatives and forums.

Note that much of this is an intention for the future; as of January 2026 the project is going through a change process that will better provide this information and guidance. At present it is at OWASP Incubator status, with promotion to Laboratory status expected later in 2026.

Why refer to this project?

The Threat Modeling project is an over-arching project for the other threat modeling projects and resources.

It can be used as a landing page for all things threat modeling: the starting point for finding resources and tools as well as the core concepts. For example, there is an introduction to Shostack's Four Question Framework that references the primary source if the user needs to know more.

OWASP threat modeling projects

Threat modeling is a wide domain and OWASP provides many projects alongside the Threat Modeling project:

Production:

Lab:

Incubator:

These projects have been categorized by OWASP according to their importance and maturity.

Further reading


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.