OWASP ThreatAtlas is a platform for community-driven threat modeling. It enables companies to run threat modeling sessions on a collaborative platform by inviting Developers, DevOps, Architects, and Security Engineers to keep track of their services in a dynamic environment.
ThreatAtlas brings threat modeling value to the real world by providing a useful platform to create, track, and mitigate all application and service threats in one central place.
Our mission is to bridge the gap between generic security frameworks and real-world infrastructure through an interactive, collaborative platform. We aim to democratize threat modeling by enabling teams to visually map architectures, leverage community-driven threat intelligence, and integrate actionable security mitigations directly into their development lifecycle.
This repository contains both the project documentation and the application source code:
- OWASP Project Page: Governance, roadmap, and organizational details.
- ThreatAtlas Tool (App): The source code for the web application.
- Knowledge Base: Integrated library of threats mapping to STRIDE, PASTA, MITRE ATT&CK, and CWE.
For detailed information on how to deploy and use ThreatAtlas, please refer to the following guides:
If you are looking to install and run the ThreatAtlas tool: 👉 Installation Guide
If you are a developer looking to contribute to the codebase: 👉 Development Guide
If you are an end-user looking to learn how to use the UI: 👉 User Guide
ThreatAtlas is an open-source, community-first project. We welcome contributions in many forms:
- Contributing to the Code: See our Development Guide.
- Expanding the Knowledge Base: Help us add more service-specific threat models.
- Join the Conversation: Connect with us on the OWASP Slack in the #project-threatatlas channel.
- The software is licensed under the Apache License 2.0.
- The documentation and content are licensed under Creative Commons Attribution-ShareAlike 4.0 International.
