Microsofts New Threat Modeling Tool

A week ago I had the pleasure of giving a speech at OWASP AppSec EU in Rome on the new Microsoft Threat Modeling Tool 2016 that came out last November and is still available for free.

The Threat Modeling Tool implements one way to derive threats (potential security problems) from a system specification and this is via Data flow Analysis (DFD). As shown in the screenshot above, we can specify our system via DFD logic within the tool, when we are ready we switch to the analysis mode and see a couple of identified threats based on our DfD diagram.

New Functionality

The functionality described above is basically how all versions of this tool had worked for the last 10 years it exists. The 2016 version, published last November, has one new great feature that distinguishes it from all the others though: It now allows you to completely change the XML-based templates and thereby implement your own stencils, properties, and, most importantly, threat logic. That works actually really great since Microsoft also included a quite usable threat template editor into its tool.

Customizing Threat Logic

dfd threat logic

Before we start implementing our own threat logic we must understand how DfD based threat logic is expressed. In general, rules can be formulated as followed:

Basically, everything that you can put in this logic you can have checked by Threat Modeling Tool 2016, both as include and exclude statements. Especially the use of custom attributes works really great for putting all kinds of logic into that tool (e.g. “Uses PHP” for a stencil “Web Application”. As you can see from the logic above, stencil always has a parent.

Template Editor of Microsoft Threat Modeling Tool

This logic can be used to identify the threat of data sniffing.

In the case of the stencil “Web Application,” this is “Generic Process”. All rules that match the parent automatically match child stencils such as the web application. This allows you to define your own custom stencils that will automatically derive all threat logic that matches its parent. Unfortunately, there is only one level available, so a child stencil cannot have another child that restricts the threat logic a bit.


The tool itself can be downloaded here. All you need to be able to work with it is a Windows system.

In addition, I’ve created a couple of sample models and a reduced template for web applications that you can all download from my Github page.

Please be aware that if you want to replace an existing template you have to change the template id within the model file (both XML). Unfortunately, the tool does not allow this within the GUI. I’ve described the detailed steps for this on the Github page referenced above.


Although it still has some limitations, Microsofts new Threat Modeling Tool is a good and free tool for creating simple DfD based security diagrams and threat models. It becomes a great tool when you are using its new customization capability that allows you to create your own custom threat templates, including all kinds of stencil and threat logic that are specific to your organization. I highly recommend making this effort because the existing logic is rather limited.

If you feel that some threats identified by this tool make no sense, just look at the threat logic within the template and perhaps change it if not suitable for your organization.

Besides automatically identifying threats from a DFD diagram, this tool has one great additional implicit use: Talking about interactions and data flows a system has with developers and architects often results in a lot of “aha” moments and the identification of security problems that were not aware to anyone.

16 thoughts on “Microsofts New Threat Modeling Tool”

  1. Your approach is trսly different in comparison to other bloggers I have browsed thrօugh.
    Тhanks a lot for sharing when yоu’ve got the oppoгtunity, гeckon I will save this

  2. Your ɑpproach is very creative comparing to ߋtheг bloggers I have looked through.
    Thanks for posting when you hаve got tһe
    oρportunity, suppose I’m going to ѕave thiѕ iԁea.

  3. Brilⅼiant post. I read your website fairly often, and you аre constantly coming up with some great staff.
    I shared this blog post on my Facebook, and my followers
    liked it! Good luck.

  4. Yօur style is quite unusual іn contrast to other people I’vе read info from.
    Thank you for sharing when yoᥙ һave got the time, recқon I
    will just save this idea.

  5. I ⅼіҝe this post! I read your blog site pretty regularly, and you’re
    always coming up with some good staff. I shared this post on my Tumblr, and
    my fоllowers liҝed it. Good luck.

  6. I think everything ѕaid was very reasonable. Βut, considеr thiѕ, suppose you addеd a little іnformation? І аm not ѕaying yоur ϲontent is not good, but suppose you adⅾеɗ somеtһing tо maybe gеt people’s attention? I mean Microsofts Neew Threat Modeling Tool
    – Sustainable Application SecuritySustainable Application Security іs
    kinda plain. Υou ѕhould look at Yahoo’s һome paɡe
    and watch һow they creatе post titles to grab viewers tօ
    click. Yoᥙ mіght trу addin a video оr a picture ⲟr two
    too grab people іnterested ɑbout whаt yⲟu’ve written.
    In mʏ opinion, it wouⅼd makе youhr posts a little bit mߋre іnteresting.

    Review my blolg :: cannabis

Comments are closed.