Threat modeling has long been recognized as one of the most effective security practices, yet it remains one of the least consistently adopted. The barriers are well known: it requires cross-functional collaboration, it doesn’t fit neatly into a sprint, and the tooling has historically been either too heavyweight or too disconnected from the development workflow.

As the OWASP Berlin Chapter leader and project leader for the OWASP DevSecOps Guideline, I hear this frustration regularly — from practitioners at meetups, from contributors, from teams trying to do the right thing and finding the process gets in the way. I started the OWASP ThreatAtlas project to address exactly these challenges.
What is OWASP ThreatAtlas?
OWASP ThreatAtlas is a collaborative, open-source platform that enables teams to run threat modeling sessions together — bringing Developers, DevOps engineers, Architects, and Security Engineers into a single, dynamic environment where they can map, track, and mitigate threats across their services and applications.
The core idea is simple: threat modeling should not be a one-time exercise owned solely by the security team. It should be a living, collaborative practice embedded into how teams think about and build their systems.
Why I Started This Project
Working across different organizations and teams, I kept running into the same pattern. Threat modeling was either done in isolation by security engineers in a spreadsheet, or it wasn’t done at all. When it was done, the outputs were rarely accessible or actionable for the engineers who needed them most.
The existing OWASP tooling — including OWASP Threat Dragon, which I’ve written about before — solves part of the problem. But there was a clear gap: a platform designed from the ground up for collaborative, organization-wide threat modeling, with community-driven threat intelligence built in.
That’s what ThreatAtlas is designed to be.
Key Features
Collaborative Threat Modeling Sessions
Teams can invite members across roles to participate in threat modeling. Security knowledge is no longer siloed — Developers and Architects contribute directly to identifying threats in systems they understand best.
Visual Architecture Mapping
ThreatAtlas provides visual mapping of application and service architectures, making it easier to reason about trust boundaries, data flows, and attack surfaces without requiring specialized diagramming expertise.
Service and Threat Tracking
Organizations can maintain a living inventory of their services and the associated threats, mitigations, and residual risks — tracked dynamically as systems evolve.
Community-Driven Threat Intelligence
One of the distinguishing aspects of ThreatAtlas is the community layer. Shared threat knowledge benefits all users of the platform, accelerating threat identification and reducing the need to start from scratch for every new service.
Actionable Mitigations
Threats are linked directly to mitigations, keeping security recommendations connected to the development context where they need to be acted on.
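To make the trust-boundary, threat-tracking and mitigation ideas above concrete, here is an added example in Python that is not ThreatAtlas code and does not reflect its data model: a small model of services, data flows and trust zones, STRIDE-per-element threat generation, mitigations linked to the threats they address, and residual risk rolled up per service. The element kinds, the 1 to 3 likelihood/impact scale, the rule that a mitigation lowers likelihood but not impact, and the sample architecture are all assumptions made for this illustration.

```python
# Added example, not ThreatAtlas code: a minimal STRIDE-per-element threat
# model with trust boundaries, linked mitigations and residual-risk aggregation.
# The data model, the 1..3 scoring scale and the residual-risk rule are assumptions.
from dataclasses import dataclass, field

# Classic STRIDE-per-element applicability table.
STRIDE_BY_KIND = {
    "external_entity": ["Spoofing", "Repudiation"],
    "process": ["Spoofing", "Tampering", "Repudiation",
                "Information Disclosure", "Denial of Service",
                "Elevation of Privilege"],
    "data_store": ["Tampering", "Repudiation",
                   "Information Disclosure", "Denial of Service"],
    "data_flow": ["Tampering", "Information Disclosure", "Denial of Service"],
}


@dataclass
class Element:
    name: str
    kind: str        # external_entity | process | data_store
    trust_zone: str  # elements in different zones are separated by a trust boundary


@dataclass
class Flow:
    name: str
    src: str
    dst: str
    sensitivity: int  # 1 (public) .. 3 (secrets/PII); used as impact


@dataclass
class Threat:
    target: str       # element or flow name
    category: str     # STRIDE category
    likelihood: int   # 1..3
    impact: int       # 1..3
    mitigations: list = field(default_factory=list)  # (name, likelihood reduction)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        # Assumed rule: mitigations lower likelihood, never below 1; impact is unchanged.
        reduced = self.likelihood - sum(r for _, r in self.mitigations)
        return max(1, reduced) * self.impact


def generate_threats(elements, flows):
    """STRIDE-per-element: every element gets the categories for its kind;
    a flow gets the data-flow categories only if it crosses a trust boundary."""
    zones = {e.name: e.trust_zone for e in elements}
    threats = []
    for e in elements:
        for cat in STRIDE_BY_KIND[e.kind]:
            threats.append(Threat(e.name, cat, likelihood=2, impact=2))
    for f in flows:
        if zones[f.src] == zones[f.dst]:
            continue  # same zone: no boundary crossed, skipped in this illustration
        for cat in STRIDE_BY_KIND["data_flow"]:
            threats.append(Threat(f.name, cat, likelihood=3, impact=f.sensitivity))
    return threats


def apply_mitigation(threats, target, categories, name, reduction):
    """Link a mitigation to every threat on `target` in `categories`; return how many matched."""
    hits = [t for t in threats if t.target == target and t.category in categories]
    for t in hits:
        t.mitigations.append((name, reduction))
    return len(hits)


def aggregate_risk(threats):
    """Residual risk per service/flow: the per-service rollup a security program reports on."""
    totals = {}
    for t in threats:
        totals[t.target] = totals.get(t.target, 0) + t.residual_risk()
    return totals


def demo():
    # Constructed sample architecture (assumption): browser -> API -> database, plus a cache.
    elements = [
        Element("browser", "external_entity", "internet"),
        Element("api", "process", "dmz"),
        Element("cache", "data_store", "dmz"),
        Element("db", "data_store", "internal"),
    ]
    flows = [
        Flow("login", "browser", "api", sensitivity=3),         # crosses internet -> dmz
        Flow("session-lookup", "api", "cache", sensitivity=1),  # same zone, skipped
        Flow("query", "api", "db", sensitivity=3),              # crosses dmz -> internal
    ]
    threats = generate_threats(elements, flows)
    apply_mitigation(threats, "login", {"Information Disclosure", "Tampering"},
                     "TLS 1.3 with HSTS", reduction=2)
    return threats, aggregate_risk(threats)


if __name__ == "__main__":
    threats, totals = demo()
    for t in threats:
        print(f"{t.target:16} {t.category:24} inherent={t.inherent_risk()} residual={t.residual_risk()}")
    print("per-service residual risk:", totals)
```

The point of the rollup is the one a living inventory needs: when a flow, zone or mitigation changes, rerunning the model changes the per-service numbers, so the residual risk stays attached to the service rather than to a spreadsheet snapshot. Note that the flow inside the dmz zone produces no threats here only because this illustration keys on boundary crossings; a fuller library would still review in-zone flows.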
Technical Stack
ThreatAtlas is built on a modern, approachable stack to encourage community contribution:
- Backend: FastAPI (Python) with PostgreSQL
- Frontend: React + TypeScript + Tailwind CSS
- Visualization: ReactFlow for threat diagram rendering
- Deployment: Docker and Docker Compose for straightforward setup
The backend exposes interactive API documentation (FastAPI's built-in OpenAPI/Swagger UI), making it easy for contributors and integrators to explore the API.
Getting Started
The quickest way to run ThreatAtlas locally is with Docker:
git clone https://github.com/OWASP/www-project-threatatlas.git
cd www-project-threatatlas/threatatlas-app
docker compose up
Full installation, development, and user guides are available in the repository. As with any stock Compose setup, review the defaults (database credentials, exposed ports) before running it anywhere other than your own machine.
Where the Project is Headed
ThreatAtlas is still growing, and community contributions are a central part of that growth. The areas I’m most focused on evolving include:
- Deeper integration with CI/CD pipelines so threat models stay in sync with architecture changes
- Richer threat libraries mapped to common frameworks (STRIDE, MITRE ATT&CK, OWASP Top 10)
- Reporting and risk aggregation across services for security program visibility
- Integrations with ticketing and issue tracking tools to close the loop on mitigations
Get Involved
ThreatAtlas is an OWASP project and welcomes contributions of all kinds — code, documentation, threat libraries, feedback, and real-world usage. If you’re working on threat modeling at your organization and want tooling that actually fits collaborative workflows, I’d love for you to try it and share what you find.