About OWASP Threat Dragon
What is Threat Dragon?
OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle.
Threat Dragon follows the values and principles of the threat modeling manifesto.
It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication
of the threat model components and threat surfaces.
Threat Dragon runs either as a web application or as a desktop application.
Threat Dragon supports STRIDE / LINDDUN / CIA / DIE / PLOT4ai,
provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.
Resources
Use the version 1 or version 2 documentation to get started, along with the recording of Mike Goodwin giving a lightning demo during the OWASP Open Security Summit in June 2020. An introduction to Threat Dragon is provided by the OWASP Spotlight series, and the Threat Modeling Gamification seminar by Vlad Styran shows how using Threat Dragon can make threat modeling fun. There are a couple of OWASP community pages that give overviews on Threat Modeling and how to get started: Threat Modeling and Threat Modeling Process. The easiest way to get in contact with the Threat Dragon community is via the OWASP Slack #project-threat-dragon project channel, you may need to subscribe first.
Related Projects
Threat Dragon: making threat modeling less threatening
Project Resources
Project Leaders
Project Information
GitHub Stars
0
OWASP is a nonprofit foundation improving software security through open-source projects, global communities, and education. All resources are free and open to everyone.
OWASP, the OWASP logo, and Global AppSec are registered trademarks and AppSec Days, AppSec California, AppSec Cali, SnowFROC, OWASP Boston Application Security Conference, and LASCON are trademarks of the OWASP Foundation, Inc.
© 2026, OWASP Foundation Inc. All rights reserved.