[Threat Thinker] Trying LLM-Based Threat Modeling

Published: December 11, 2025 at 01:06 AM EST
3 min read
Source: Dev.to

Introduction

Hi, I’m JJ (yuasa), a security engineer.

In this post, I’ll try out Threat Thinker, an automated threat modeling tool that uses LLMs, on several different systems. From an AWS‑based system to a smart home, we’ll see how an LLM surfaces threats from architecture diagrams. My goal is to give you a feel for what LLM‑based threat modeling looks like, with real outputs included.

What is Threat Thinker?

Threat Thinker is a tool that performs automatic threat modeling from system architecture diagrams using an LLM. It can parse various diagram formats such as Mermaid, draw.io, screenshots of architecture diagrams, and OWASP Threat Dragon. From the relationships between components, it infers potential threats.

In traditional threat modeling, once you have an architecture diagram, developers and security engineers have to manually go through and identify threats one by one. In my experience, there are broadly two types of threats:

  • Basic threats that can appear in almost any system
  • System‑specific threats that you only notice if you deeply understand the specs and implementation details

By using Threat Thinker, you can automate the initial identification of those “basic threats.” Humans can then focus on deeper analysis of “system‑specific threats” and on designing countermeasures. It supports both a CLI and a web UI, so even non‑security specialists can use it without much friction.

Automatically identifying basic threats from an architecture diagram

Trying Out Threat Thinker

Let’s use Threat Thinker to identify threats for three cases: an AWS‑based system, a corporate network, and a smart home. For each one, we’ll feed the architecture diagram into Threat Thinker and see which threats it extracts.

AWS‑Based System

System Architecture

graph LR
  %% Trust boundaries
  subgraph Internet
    user[User]
  end

  subgraph AWS_Edge[Edge]
    cf[CloudFront]
  end

  subgraph VPC[VPC]
    subgraph PublicSubnet[Public subnet]
      alb[ALB]
    end
    subgraph PrivateSubnet[Private subnet]
      ecs[ECS Service]
      rds[(Customer RDS<br/>PII)]
      s3[(S3 Bucket<br/>Logs/Uploads)]
    end
  end

  %% Data flows
  user -- sends HTTPS request --> cf
  cf -- forwards HTTPS request --> alb
  alb -- routes HTTP request --> ecs
  ecs -- reads/writes data (SQL/TLS) --> rds
  ecs -- stores/reads objects (S3 API) --> s3

Running Threat Thinker (CLI)

threat-thinker think \
    --diagram path/to/diagram/system.mmd \
    --infer-hints \
    --topn 5 \
    --llm-api openai \
    --llm-model gpt-4.1 \
    --out-dir path/to/report/dir

Extracted Threats

| ID   | Threat                                                               | Severity | STRIDE                 | Affected Components | Score |
|------|----------------------------------------------------------------------|----------|------------------------|---------------------|-------|
| T001 | Potential Lack of Authentication/Authorization on ALB to ECS Path    | High     | Spoofing / EoP         | ALB → ECS           | 8.0   |
| T002 | Unencrypted Traffic Between ALB and ECS Allows Tampering & Disclosure | High     | Tampering / Info Disc. | ALB → ECS           | 8.0   |
| T003 | Exposure of PII in RDS Without Explicit Encryption at Rest           | High     | Info Disclosure        | ECS ↔ RDS           | 7.0   |
| T004 | Insufficient Logging and Monitoring for Sensitive Operations         | Medium   | Repudiation            | ECS / RDS / S3      | 6.0   |
| T005 | Potential S3 Bucket Misconfiguration Exposing Internal Data          | Medium   | Info Disclosure        | S3                  | 6.0   |

Extracted architecture graph

Visualizing where threats exist in the architecture
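Findings like T002 (a plain-HTTP hop between ALB and ECS) and T003 (a PII store with no stated encryption at rest) are exactly the "basic threats" that a deterministic pass over the diagram can also catch, which is useful as a baseline to compare the LLM's output against. The following is an added example written for this post, not Threat Thinker's own code or parser: it reads the Mermaid source above (with `<br/>` for the multi-line node labels), records the innermost subgraph of every node as its trust boundary, and applies two hypothetical rules of my own, "plaintext flow" and "PII store without encryption".

```python
"""Rule-based baseline over a Mermaid architecture diagram (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input: the Mermaid diagram from the post, labels on one line.
MERMAID = """
graph LR
  %% Trust boundaries
  subgraph Internet
    user[User]
  end
  subgraph AWS_Edge[Edge]
    cf[CloudFront]
  end
  subgraph VPC[VPC]
    subgraph PublicSubnet[Public subnet]
      alb[ALB]
    end
    subgraph PrivateSubnet[Private subnet]
      ecs[ECS Service]
      rds[(Customer RDS<br/>PII)]
      s3[(S3 Bucket<br/>Logs/Uploads)]
    end
  end
  %% Data flows
  user -- sends HTTPS request --> cf
  cf -- forwards HTTPS request --> alb
  alb -- routes HTTP request --> ecs
  ecs -- reads/writes data (SQL/TLS) --> rds
  ecs -- stores/reads objects (S3 API) --> s3
"""

SUBGRAPH_RE = re.compile(r"^subgraph\s+(\w+)")
EDGE_RE = re.compile(r"^(\w+)\s*--\s*(.+?)\s*-->\s*(\w+)$")   # src -- label --> dst
NODE_RE = re.compile(r"^(\w+)\[\(?(.+?)\)?\]$")              # id[Label] or id[(Label)]


@dataclass
class Graph:
    labels: dict = field(default_factory=dict)    # node id -> label text
    boundary: dict = field(default_factory=dict)  # node id -> innermost subgraph id
    edges: list = field(default_factory=list)     # (src, flow label, dst)


@dataclass
class Finding:
    rule: str
    components: str
    severity: str
    detail: str


def parse_mermaid(text: str) -> Graph:
    """Walk the diagram line by line, tracking nested subgraphs as a stack."""
    g = Graph()
    stack = []  # enclosing subgraph ids, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%%") or line.startswith("graph"):
            continue
        if m := SUBGRAPH_RE.match(line):
            stack.append(m.group(1))
        elif line == "end":
            stack.pop()
        elif m := EDGE_RE.match(line):
            g.edges.append((m.group(1), m.group(2), m.group(3)))
        elif m := NODE_RE.match(line):
            g.labels[m.group(1)] = m.group(2)
            g.boundary[m.group(1)] = stack[-1] if stack else None
    return g


def is_plaintext(flow: str) -> bool:
    """Hypothetical heuristic: an HTTP flow with no HTTPS/TLS mention."""
    f = flow.lower()
    return "http" in f and "https" not in f and "tls" not in f


def find_basic_threats(g: Graph) -> list:
    """Apply the two rules; crossing a trust boundary raises severity."""
    out = []
    for src, flow, dst in g.edges:
        if is_plaintext(flow):
            crosses = g.boundary.get(src) != g.boundary.get(dst)
            detail = f"'{flow}' is not TLS-protected"
            if crosses:
                detail += f" and crosses {g.boundary[src]} -> {g.boundary[dst]}"
            out.append(Finding("plaintext-flow", f"{src} -> {dst}",
                               "High" if crosses else "Medium", detail))
    for node, label in g.labels.items():
        if "pii" not in label.lower():
            continue
        # Look at the store's label and every flow touching it for "encrypt".
        texts = [label] + [f for s, f, d in g.edges if node in (s, d)]
        if not any("encrypt" in t.lower() for t in texts):
            out.append(Finding("pii-store-no-encryption", node, "High",
                               f"{label!r} holds PII but no encryption at rest is stated"))
    return out


if __name__ == "__main__":
    for f in find_basic_threats(parse_mermaid(MERMAID)):
        print(f"{f.rule:26} {f.severity:6} {f.components:12} {f.detail}")
```

On the diagram above this yields two findings: the `alb -> ecs` HTTP hop, rated High because it also crosses the public-to-private subnet boundary, and the `rds` node, because neither its label nor its flows mention encryption. That is a useful sanity check on the LLM report: the rule pass should never find something the LLM missed, and the LLM should add context (T001, T004, T005 here) that simple label matching cannot.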

Corporate Network

System Architecture

Corporate network architecture diagram

Running Threat Thinker (Web UI)

$ threat-thinker webui
ℹ️ Starting Threat Thinker Web UI
* Running on local URL: http://127.0.0.1:7860
* To create a public link, set `share=True` in `launch()`.

  1. Open the web UI in a browser.
  2. Copy and paste the draw.io (XML) diagram source, and set Diagram Format to drawio.
  3. Configure options as needed and click Generate Report.

(Screenshots of the UI steps are omitted for brevity.)