ThreatModeler
Also known as: ThreatModeler Nexus, IriusRisk
Governed agentic threat modeling platform whose multi agent system builds, maintains, and reports on threat models grounded in a persistent Secure Design Graph, threat modeling applications, cloud, OT, and AI agents at enterprise scale with a deterministic framework, MCP integration, and Bring Your Own AI.
ThreatModeler, based in Jersey City, is a leader in agentic threat modeling and secure design, using AI to automate the practice of finding design flaws before software ships. Founded in 2010 and strengthened by the 2026 union of ThreatModeler and IriusRisk, the two companies that pioneered automated threat modeling for the enterprise, it draws on more than a decade of curated research and thirteen granted patents, with thousands of catalogued threats, security requirements, and modeled components behind every model. Its premise is that as AI writes a growing share of production code, finding flaws has become cheap, and the hard work has shifted to confirming what matters, catching what is missing, and proving it to auditors and the board.
Its flagship, ThreatModeler Nexus, is a governed agentic threat modeling platform that pairs a multi agent system with a deterministic framework, so AI accelerates the work while the platform governs the outcome. A System Mapping Agent builds a system map from architecture artifacts or infers one directly from code, a Graph Agent grounds and continuously updates that work in each customer's environment, and a Reporting Agent produces audit ready evidence, all operating on the Secure Design Graph, a living, governed representation of every system, threat, control, and compliance mapping that turns the platform into a system of record. The platform threat models applications, cloud infrastructure, operational technology, and AI agents, embeds into the IDE and continuous integration pipelines over the Model Context Protocol, and takes a Bring Your Own AI approach that avoids model lock in while keeping outputs consistent, so the same architecture in produces the same threats out regardless of the model. Every threat, control, and decision traces to architecture, and reports map to more than one hundred eighty compliance frameworks.
ThreatModeler is a mature, enterprise scale platform used in regulated industries like financial services and healthcare, where audit ready, defensible, repeatable results matter more than raw generation speed. Its strengths span deep knowledge grounding, model flexibility, MCP based extensibility, and continuous governance, and it acts through design and code artifacts rather than driving a browser. For a security organization that needs to scale threat modeling across a large portfolio of applications, cloud, and AI systems with governed, auditable outcomes, ThreatModeler is a strong and category defining fit; a small team wanting a quick, one off diagram or a purely generative brainstorm will find it built for enterprise rigor and scale.
Vendor details
Canonical URL
https://threatmodeler.com
Category
Security / SOC agent
Subcategory
Agentic threat modeling and secure design
Funding status
Independent and privately held, headquartered in Jersey City, New Jersey, founded in 2010. In 2026 ThreatModeler united with IriusRisk, the two companies that pioneered automated threat modeling for the enterprise, combining their threat libraries and technology. The company holds thirteen granted patents and more than a decade of curated research, with over three thousand five hundred security requirements, one thousand five hundred catalogued threats, three thousand modeled components, and one hundred eighty compliance frameworks behind its models, and serves regulated enterprises including Charles Schwab.
Company status
independent
Use cases & customers
Primary use cases
Target customers
Deployment options
Integrations
ThreatModeler embeds into the software delivery toolchain over the Model Context Protocol, including the IDE and AI coding agents, continuous integration pipelines, and Infrastructure as Code, and connects to live cloud infrastructure for continuous risk identification. It pushes security requirements directly into developer sprints as code comments and integrates with development and security tools across the software development lifecycle.
In practice
Your AI copilots ship code faster than your security team can review the designs behind it, so threat modeling becomes a stale, manual bottleneck. ThreatModeler's agents build and continuously update models from your architecture and code automatically.
You need to prove your security posture to auditors across many systems and frameworks, but evidence is scattered and inconsistent. ThreatModeler's Secure Design Graph is a system of record where every threat and control traces to architecture and maps to compliance.
You want to use AI for threat modeling without model lock in or inconsistent, unrepeatable results. ThreatModeler's Bring Your Own AI and deterministic framework ensure the same architecture in produces the same threats out, every time.
Sources & related URLs
Research sources
Research notes
Added via Crunchbase agentic discovery CSV, enriched full fidelity 2026-07-07. Categorized Security / SOC on agentic threat modeling and secure design. Formed from the 2026 union of ThreatModeler and IriusRisk. Batch high under straight scoring on Bring Your Own AI model flexibility (Model F), MCP extensibility (Ext F), and the Secure Design Graph (Know, Mem, Obs). Independent; privately held.
Capability coverage
12.0 / 14 capabilities · 86%
| Integrations & Tool CallingIntegrates into the IDE, AI coding agents, continuous integration pipelines, and Infrastructure as Code over the Model Context Protocol, and connects to live cloud infrastructure, ThreatModeler docs 2026-07-07 | Full |
|---|---|
| Workflow OrchestrationPairs a multi agent system of System Mapping, Graph, and Reporting agents with a deterministic framework to orchestrate continuous, governed threat modeling, ThreatModeler docs 2026-07-07 | Full |
| Knowledge Grounding & RAGGrounds every model in the Secure Design Graph and the industry's largest curated library of thousands of threats, requirements, components, and compliance mappings, ThreatModeler docs 2026-07-07 | Full |
| Human Oversight & GuardrailsUses AI to accelerate while the platform governs the outcome, keeping humans on the hard decisions of confirming what matters and enforcing governance policies, ThreatModeler docs 2026-07-07 | Full |
| Security, Identity & GovernanceIs a security platform for secure by design, delivering governed, deterministic, audit ready outputs mapped to more than one hundred eighty compliance frameworks, ThreatModeler docs 2026-07-07 | Full |
| Observability & AuditabilityProvides an always current, enterprise wide view of risk with audit ready evidence where every threat, control, and decision traces to architecture, ThreatModeler docs 2026-07-07 | Full |
| Memory & State PersistenceThe Secure Design Graph is a living, continuously updated system of record for every system, threat, control, and decision, so models never go stale, ThreatModeler docs 2026-07-07 | Full |
| Deployment & Data ResidencyAvailable across cloud, on premises, and hybrid environments, though the newer agentic platform is delivered cloud first, ThreatModeler docs 2026-07-07 | Partial |
| Prebuilt Agents, Templates & PacksShips the industry's largest library of curated threats, mitigations, modeled components, templates, and nested models for rapid, consistent model creation, ThreatModeler docs 2026-07-07 | Full |
| Triggers & Channel CoverageRuns continuous threat modeling triggered by changes to systems, artifact imports, and code commits across the IDE and CI pipelines, keeping models current, ThreatModeler docs 2026-07-07 | Full |
| Model Flexibility & RoutingTakes a Bring Your Own AI approach that removes model lock in and lets enterprises use their chosen AI while the framework governs the outcome, ThreatModeler docs 2026-07-07 | Full |
| APIs, SDKs & MCP ExtensibilityBuilt on an MCP architecture with IDE plugins, CI/CD and IaC integrations, and APIs to embed threat modeling across the software delivery toolchain, ThreatModeler docs 2026-07-07 | Full |
| Testing, Debugging & OptimizationValidates designs on artifact import and delivers deterministic, repeatable results so the same architecture yields the same threats, though a customer facing agent testing surface is not documented, ThreatModeler docs 2026-07-07 | Partial |
| Browser & Computer UseWorks from design, code, and infrastructure artifacts rather than driving a browser or operating a computer interface, ThreatModeler docs 2026-07-07 | Unable to verify |
Recent platform changes
No recent material changes tracked yet.
Pricing
Not public; quoted through enterprise engagement after a solutions engineering session, scaled to applications, users, and modules
enterprise subscription scaled to applications, users, and modules
What is public
No list pricing. ThreatModeler sells to enterprises through direct engagement and a solutions engineering session, but rates are not public.
Billing mechanics
Presumed enterprise subscription scaled to the number of applications, users, and modules deployed across applications, cloud, OT, and AI coverage, though rates are not disclosed.
Cost watchouts
Cost scales with the number of applications and systems modeled, users, and modules across applications, cloud, OT, and AI coverage, so broad enterprise rollouts grow the total.
Variable cost rationale
Priced against applications modeled, users, and modules, so cost grows as threat modeling scales across a larger portfolio of applications, cloud, and AI systems.
Additional watchouts
Confirm whether pricing is per application, per user, or a platform subscription, and how coverage across cloud, OT, and AI agents affects the quote.
Sales call required
Yes — required for paid access
Free / trial
Book a session with a solutions engineer; no public free tier
Key ambiguities
No public rate is disclosed, and whether pricing is per application, per user, or a platform subscription with modules is not clear.
Related vendors
- 7AI — Swarming agentic SOC from the Cybereason founders: sixty plus domain…
- Airrived — Agentic OS that unifies SOC, GRC, IAM, vulnerability management, IT,…
- CrowdStrike — Cybersecurity platform whose Charlotte AI delivers agentic…
- depthfirst — AI security platform that detects, triages, and remediates software…
- Dropzone AI — Production proven AI SOC analyst that investigates every alert in…
- Exaforce — AI SOC platform unifying Exabots agents with an integrated knowledge…