Skip to content

kriskimmerle/threat-model-canvas

Repository files navigation

Threat Model Canvas

Interactive threat modeling canvas for AI systems using STRIDE/DREAD methodology.

Features

  • 🎯 STRIDE Framework - Organize threats by Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege
  • 📊 DREAD Scoring - Rate threats on Damage, Reproducibility, Exploitability, Affected Users, and Discoverability
  • 🎨 Interactive Canvas - Visual board layout for easy threat identification and tracking
  • 💾 Export/Import - Save threat models as JSON or export as Markdown documentation
  • Real-time Updates - Changes reflected immediately across the canvas
  • 🏷️ Status Tracking - Mark threats as Identified, Mitigated, or Accepted

Use Cases

AI Security Threat Modeling

This tool is purpose-built for security leaders modeling threats in AI systems:

  • LLM Applications - Model prompt injection, data poisoning, model extraction
  • AI Pipelines - Identify supply chain risks, training data tampering
  • Agent Systems - Map privilege escalation, resource exhaustion, jailbreaking vectors
  • ML Infrastructure - Document DoS risks, information disclosure paths

Example Workflow

  1. Create a new model (e.g., "RAG Chatbot Security Review")
  2. Add threats across STRIDE categories
  3. Score critical threats with DREAD
  4. Define mitigations
  5. Export as Markdown for stakeholder review
  6. Track mitigation status over time

Installation

# Clone the repo
git clone https://github.com/kriskimmerle/threat-model-canvas
cd threat-model-canvas

# Install dependencies
pnpm install

# Run development server
pnpm dev

Usage

Adding Threats

Click the + New Threat button or the + in any STRIDE category column.

Fill in:

  • Category - Which STRIDE category
  • Title - Brief threat name
  • Description - Detailed threat scenario
  • Status - Identified, Mitigated, or Accepted
  • Mitigation - Proposed or implemented countermeasures
  • DREAD Rating (optional) - Quantify risk on 1-5 scale

DREAD Scoring Guide

  • Damage: How bad would an attack be? (1=minimal, 5=catastrophic)
  • Reproducibility: How easy to replicate? (1=very difficult, 5=trivial)
  • Exploitability: How easy to execute? (1=expert, 5=script kiddie)
  • Affected Users: How many users impacted? (1=single user, 5=all users)
  • Discoverability: How easy to discover? (1=very difficult, 5=obvious)

Average DREAD score helps prioritize remediation.

Export Formats

JSON - Full threat model data, re-importable

{
  "name": "AI Chatbot v2",
  "system": "Production RAG System",
  "threats": [...]
}

Markdown - Formatted documentation for sharing

# AI Chatbot v2

## Spoofing (2)

### User Impersonation via Prompt Injection
**Status:** mitigated
**DREAD:** 4.2/5

Attacker crafts prompt to assume identity...

Development

# Run tests
pnpm test

# Run tests with UI
pnpm test:ui

# Build for production
pnpm build

# Preview production build
pnpm preview

Architecture

  • React 19 with TypeScript (strict mode)
  • Zustand for state management
  • Vite for build tooling
  • Vitest for testing
  • @dnd-kit for future drag-and-drop (coming soon)

Clean, dependency-minimal design. No heavy frameworks, no backend required. Runs entirely client-side.

Why This Tool?

Existing threat modeling tools are built for traditional software. AI systems have unique threat vectors:

  • Prompt injection doesn't fit traditional categories cleanly
  • Training data poisoning is a supply chain risk unlike package compromises
  • Model extraction is IP theft + security vulnerability
  • Agentic systems introduce novel privilege escalation paths

This tool provides a focused canvas for security leaders who understand these nuances and need a lightweight tool to document them.

Complements

Pairs well with agent-security-patterns and other AI security tooling from this profile.

Screenshots

Threat Model Canvas STRIDE-organized canvas with threat cards, DREAD scoring, and status tracking

License

MIT © Kris Kimmerle

About

Interactive threat modeling canvas for AI systems using STRIDE/DREAD

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors