Microsofts New Threat Modeling Tool

A week ago I had the pleasure of giving a speach at OWASP AppSec EU in Rome on the new Microsoft Threat Modeling Tool 2016 that came out last November and is still available for free.

The Threat Modeling Tool implements one way to derive threats (potential security problems) from a system specification and this is via Data flow Analysis (DFD). As shown in the screenshot above, we can specify our system via DFD logic within the tool, when we are ready we switch in the analysis mode and see a couple of identified threats based on our DfD diagram.

Microsoft Threat Modeling Tool 2016

New Functionality

The functionality described above is basically how all versions of this tool had worked for the last 10 years it exists. The 2016 version, published last November, has one new great feature that distinguishes it from all the others though: It now allows you to completely change the XML based templates an thereby implement own stencils, properties and, most importantly, threat logic. That works actually really great, since Microsoft also included a quite usable threat template editor into its tool.

Customizing Threat Logic

Before we start implementing our own threat logic we must understand how DfD based threat logic is expressed. In general, rules can be formulated as followed: dfd threat logic

Basically everything that you can put in this logic you can have checked by Threat Modeling Tool 2016, both as include and exclude statements. Especially the use of custom attributes works really great for putting all kind of logic into that tool (e.g. “Uses PHP” for a stencil “Web Application”. As you can see it from the logic above, stencil always have a parent.

This logic can be used to identify the threat of data sniffing. Template Editor of Microsoft Threat Modeling Tool

In case of the stencil “Web Application” this is “Generic Process”. All rules that matches the parent automatically matches child stencils such as the web application. This allows you to define own custom stencils that will automatically derive all threat logic that matches its parent. Unfortunately there is only one level available, so a child stencil cannot have another child that restricts the threat logic a bit.


The tool itself can be downloaded here. All you need to be able to work with it is a Windows system.

In addtion, I’ve created a couple of sample models and a reduced template for web applications that you can all download from my github page.

Please be aware that if you want to replace an existing template you have to change the template id within the model file (both XML). Unfortunately the tool does not allow this within the GUI. I’ve describe the detailed steps for this on the github page referenced above.


Although it still has some limitations, Microsofts new Threat Modeling Tool is a good anf free tool for creating simple DfD based security diagram and threat models. It becomes a great tool when you are using its new customization capability that allows you to create your own custom threat templates, include all kind of stencil and threat logic that are specific to your organization. I highly recommend to make this effort because the existing logic is rather limited.

If you feel that some threats identified by this tool make no sense, just look at the threat logic within the template and perhaps change it if not suitable for your organization.

Besides automatically identifying threats from a DFD diagram, this tool has one great additional implicit use: Talking about interactions and data flows a system has with developers and architects often results in a lot of “aha” moments and the identification of security problems that were not aware to anyone.

About Matthias Rohr

Matthias Rohr, CISSP, CCSLP, CISM, CCSK, is Founder and CEO of Secodis GmbH. Matthias began working in this field in 2004 and is since a frequent speaker on international conferences, book author and an active OWASP constributor and recently published his first book. He lives and works in Hamburg / Germany.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *