An ecosystem of threat modeling tools to help humans reduce time-to-value when threat modeling.
Live Demo | Documentation | Getting Started
Threat Composer is a threat modeling ecosystem that helps you identify security issues and develop strategies to address them in the context of your system. The various tools have been designed to support the iterative and non-linear nature of real-world threat modeling.
- Helps you get started quickly - The AI-assisted CLI and MCP Server analyze your source code to generate a starter threat model, so you never face a blank page. Human expertise and participation remain essential to refine, validate, and evolve the threat model for your specific context
- Makes threat identification easier - Uses "Threat Grammar" to help you iteratively write useful threats, with full examples for inspiration
- Provides quality insights - Includes an insights dashboard to help identify areas for improvement
- Supports non-linear workflows - Designed for how threat modeling actually works in practice
- Enables iteration - Supports "living" threat models that evolve with your system
- Threat Statement Composition: Structured threat grammar with adaptive suggestions
- Visual Diagrams: Architecture and data flow diagram support
- Assumptions Tracking: Document and link assumptions to threats and mitigations
- Insights Dashboard: Quality metrics and improvement suggestions
- Threat & Mitigation Packs: Reusable threat and mitigation libraries (self-hosted)
- Multiple Export Formats: JSON, Markdown, DOCX, and PDF
- Workspace Management: Work on multiple threat models simultaneously
- Version Control Friendly: JSON format works seamlessly with Git
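As an added example that is not part of the Threat Composer project, the Python below shows the two ideas behind the feature list above: composing a threat statement from threat-grammar fields, and running the link-integrity and completeness checks an insights dashboard would report. The JSON layout and field names are my assumption, not the project's `.tc.json` schema, and the sample model is constructed.

```python
import json

# Constructed sample model (assumption): field names follow Threat Composer's
# threat grammar and link concepts, but this is NOT the real .tc.json schema.
SAMPLE_MODEL = json.dumps({
    "threats": [
        {"id": "T1", "threatSource": "remote, unauthenticated actor",
         "prerequisites": "with network access to the API",
         "threatAction": "replay a captured session token",
         "threatImpact": "actions being performed as the victim",
         "impactedGoal": ["integrity"], "impactedAssets": ["user data"]},
        {"id": "T2", "threatSource": "malicious insider", "prerequisites": "",
         "threatAction": "export the whole workspace", "threatImpact": "",
         "impactedGoal": [], "impactedAssets": []},
    ],
    "mitigations": [{"id": "M1", "content": "Bind session tokens to the TLS channel"}],
    "assumptions": [{"id": "A1", "content": "TLS terminates at the load balancer"}],
    "mitigationLinks": [{"mitigationId": "M1", "linkedId": "T1"},
                        {"mitigationId": "M9", "linkedId": "T2"}],  # M9 does not exist
    "assumptionLinks": [{"assumptionId": "A1", "linkedId": "T1"}],
})

def load_sample() -> dict:
    return json.loads(SAMPLE_MODEL)

def render_statement(t: dict) -> str:
    """Assemble the sentence from grammar fields; empty optional parts are skipped."""
    s = f"A {t['threatSource']}"
    if t.get("prerequisites"):
        s += f" {t['prerequisites']}"
    s += f" can {t['threatAction']}"
    if t.get("threatImpact"):
        s += f", which leads to {t['threatImpact']}"
    if t.get("impactedGoal") and t.get("impactedAssets"):
        s += f", negatively impacting {' and '.join(t['impactedGoal'])} of {', '.join(t['impactedAssets'])}"
    return s

def insights(model: dict) -> dict:
    """Quality checks: unmitigated threats, links to unknown ids, statements lacking impact/assets."""
    threat_ids = {t["id"] for t in model["threats"]}
    known = {"mitigationId": {m["id"] for m in model["mitigations"]},
             "assumptionId": {a["id"] for a in model["assumptions"]}}
    mitigated, dangling = set(), []
    for key, links in (("mitigationId", model["mitigationLinks"]), ("assumptionId", model["assumptionLinks"])):
        for link in links:
            if link[key] not in known[key] or link["linkedId"] not in threat_ids:
                dangling.append(link)  # link points at an id that is not in the model
            elif key == "mitigationId":
                mitigated.add(link["linkedId"])
    incomplete = [t["id"] for t in model["threats"] if not (t.get("threatImpact") and t.get("impactedAssets"))]
    return {"unmitigated": sorted(threat_ids - mitigated), "dangling_links": dangling, "incomplete": incomplete}
```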
Threat Composer is available in multiple complementary tools to fit your workflow:
Hosted or Self-Hosted Static Website
- GitHub Pages: Try the live demo
- Self-Hosted: Deploy to your AWS account with full customization
- Features: Full threat modeling capabilities, browser-based storage, import/export
Automated Threat Modeling
- CLI: Analyze codebases and generate starter threat models automatically
- MCP Server: Workflow management and schema validation for AI assistants
- Uses AWS Bedrock with multi-agent architecture
- Note: Bedrock inference costs apply - see pricing
Native Threat Modeling in Your IDE
- Edit Threat Composer `.tc.json` files directly in VS Code
- Integrated with the AWS Toolkit extension
- Full-featured editor with version control support
📖 VS Code Extension Documentation
View Threat Models on the Web
- One-click viewing of Threat Composer `.tc.json` files on GitHub and Amazon CodeCatalyst
- Available for Chrome and Firefox
📖 Browser Extension Documentation
Web Application: Visit the live demo to start threat modeling immediately in your browser.
VS Code: Install the AWS Toolkit extension to view and edit local `.tc.json` files.
Generate threat models automatically from your codebase with the CLI, or integrate with AI assistants using the MCP server:
```bash
# Install with uv (provides both CLI and MCP server)
uv tool install --from "git+https://github.com/awslabs/threat-composer.git#subdirectory=packages/threat-composer-ai" threat-composer-ai

# Use the CLI to analyze your codebase
threat-composer-ai-cli /path/to/your/code
```

MCP Server Configuration (for Kiro, Cline, Claude Desktop, etc.):
```json
{
  "mcpServers": {
    "threat-composer-ai": {
      "command": "threat-composer-ai-mcp",
      "env": {
        "AWS_PROFILE": "your-profile-name",
        "AWS_REGION": "us-west-2"
      }
    }
  }
}
```

Or run directly with uvx (no installation required):
```json
{
  "mcpServers": {
    "threat-composer-ai": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/awslabs/threat-composer.git#subdirectory=packages/threat-composer-ai",
        "threat-composer-ai-mcp"
      ]
    }
  }
}
```

The MCP server provides tools for starting workflows, monitoring progress, managing sessions, and validating threat models against the Threat Composer schema.
💡 Best Experience: For the best experience when using the CLI from the VS Code/Kiro terminal or when using AI assistants via MCP, install the AWS Toolkit extension, which includes the Threat Composer VS Code extension. This allows you to view and edit the generated `.tc.json` files directly in your IDE with full visual editing capabilities.
See AI/CLI/MCP Documentation for complete installation and usage instructions.
Deploy Threat Composer to your AWS account:
```bash
git clone https://github.com/awslabs/threat-composer.git
cd threat-composer
./scripts/deployDev.sh
```

See Web App Documentation for detailed deployment options including CI/CD setup.
We've included an example threat model of the Threat Composer Web App itself. This provides a reference point for getting started.
To view it, switch to the Example workspace in the application. Note: Changes in the Example workspace are not saved.
- Web Application - Deployment, configuration, and customization
- VS Code Extension - Installation and usage in VS Code
- Browser Extension - View threat models on GitHub and CodeCatalyst
- AI/CLI/MCP - Automated threat modeling with AI
- Development Guide - Setup, architecture, and contribution guidelines
- Contributing Guidelines - How to contribute to the project
- Code of Conduct - Community guidelines
- Threat Modeling for Builders - AWS Skill Builder - Free eLearning course
- How to Approach Threat Modeling - AWS Security Blog - Best practices and tips
- Threat Modeling Workshop - Hands-on workshop materials
We value your input!
- Feedback Survey: Share your thoughts
- Bug Reports & Feature Requests: GitHub Issues
- Discussions: GitHub Discussions
This is a monorepo containing multiple packages:
| Package | Description | Documentation |
|---|---|---|
| threat-composer | Core UI components library | README |
| threat-composer-app | Web application (SPA) | README |
| threat-composer-app-browser-extension | Browser extension | README |
| threat-composer-infra | AWS CDK infrastructure | README |
| threat-composer-ai | AI CLI & MCP server (Experimental) | README |
Contributions are welcome! Please see our Contributing Guidelines for details on:
- Code of conduct
- Development setup
- Pull request process
- Coding standards
See CONTRIBUTING for information on reporting security issues.
This project is licensed under the Apache-2.0 License. See the LICENSE file for details.
Built with:
- React and CloudScape Design System
- AWS CDK and AWS Prototyping SDK
- Projen for project management
- Strands for AI agent orchestration
