Threat Model Library
The Threat Model Library is a collection of threat models that have been donated to the public domain and which provide examples of best practice. This is an OWASP Incubator project with several models available already and more to come.
What is the Threat Model Library?
The Threat Model Library is just that: a collection of models donated to the public domain by various organizations and individuals. The intention is that these threat models will stimulate discussion and can be used as the starting point for other, similar systems.
Sharing threat models into the public domain was promoted in a talk by Adam Shostack at the OWASP 2025 AppSec Barcelona conference: Publish Your Threat Models!.
The threat models are categorized as:
- Web applications
- Infrastructure
- AI-ML systems
with more categories to be added.
The threat models are in a standard file format, the Threat Model Bill of Materials (TM-BOM), and the format of these TM-BOM files is defined by the Threat Model Library schema. The TM-BOM is (as of January 2026) in the process of being defined by a CycloneDX working group to become part of the existing ECMA-424 standard published by Ecma International.
How to view the models
As of January 2026, Threat Dragon is the only tool that provides an easy-to-read rendering of TM-BOM files along with a PDF report. More tools are expected to handle the TM-BOM file format as the ECMA standard comes into place and demand for the format increases.
At present Threat Dragon can import a TM-BOM file to display the model and create a report, but it cannot export TM-BOMs. There are plans to provide TM-BOM export from Threat Dragon during the course of 2026, which will allow TM-BOM files to be created and updated from the tool.
How to create new models
No matter what method or tool is used to create a threat model in TM-BOM format, the activities are roughly the same. As an example, they can be based on Shostack's Four Question Framework:
- Describe the system (What are we working on?)
  - Provide the Scope of the diagram
  - Create a Diagram that describes the system using:
    - Actor nodes
    - Component nodes
    - Data Store nodes containing Data Sets
    - Trust Zones
    - Trust Boundaries
    - Data Flows from one node to another
  - List the Assumptions made when creating the model
- Identify threats and risks (What can go wrong?)
  - List the Threat Personas, malicious or otherwise
  - Identify the Threats to the system
  - Identify the Risks for the Threats
- Identify remediations and controls (What are we going to do about it?)
  - List the existing Controls, or new ones that need to be put in place
  - Create the Mitigation Plans that contain controls for the identified risks
- Report what threats are unremediated (Did we do a good job?)
  - Threat Dragon can highlight threats that remain unremediated and also provide reporting; more tools will follow as they become TM-BOM aware
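The four activities above, carried through on a small constructed model, as an added example that is not code from the Threat Model Library or Threat Dragon. The dictionary layout, node names, zones and threat titles are my own illustrative assumptions and are not the TM-BOM schema; the checks answer "What can go wrong?" by finding data flows that cross a trust boundary, and "Did we do a good job?" by listing crossings with no identified threat and threats with no mitigation plan.

```python
# Added example: not from the Threat Model Library; the structure below is an
# illustrative assumption of my own, NOT the TM-BOM schema.

# Constructed sample model: each node is placed in a trust zone, data flows
# connect nodes, threats are tied to flows, and mitigation plans to threats.
MODEL = {
    "nodes": {
        "browser": "internet",     # Actor node
        "api": "dmz",              # Component node
        "orders-db": "internal",   # Data Store node
        "reporting": "analytics",  # Component node in a separate zone
    },
    "flows": [
        {"id": "f1", "from": "browser", "to": "api"},
        {"id": "f2", "from": "api", "to": "orders-db"},
        {"id": "f3", "from": "api", "to": "api"},          # stays in one zone
        {"id": "f4", "from": "orders-db", "to": "reporting"},
    ],
    "threats": [
        {"id": "t1", "flow": "f1", "title": "Credential stuffing", "risk": "high"},
        {"id": "t2", "flow": "f2", "title": "SQL injection", "risk": "high"},
    ],
    "mitigation_plans": [
        {"threat": "t1", "controls": ["rate limiting", "MFA"]},
    ],
}


def boundary_crossings(model):
    """Flows whose endpoints sit in different trust zones: each one crosses a
    trust boundary and deserves at least one identified threat."""
    zone = model["nodes"]
    return [f["id"] for f in model["flows"] if zone[f["from"]] != zone[f["to"]]]


def report(model):
    """'Did we do a good job?': boundary crossings nobody examined, and
    threats that have no mitigation plan with at least one control."""
    examined = {t["flow"] for t in model["threats"]}
    planned = {p["threat"] for p in model["mitigation_plans"] if p["controls"]}
    return {
        "unexamined_crossings": [f for f in boundary_crossings(model) if f not in examined],
        "unremediated_threats": [t["id"] for t in model["threats"] if t["id"] not in planned],
    }


if __name__ == "__main__":
    for finding, items in report(MODEL).items():
        print(f"{finding}: {items}")
```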
The details of creating these TM-BOM files are described in a Threat Model Library wiki page.
References
- OWASP Threat Model Library
- Threat models in TM-BOM format
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.