The Threat Model Visualizer is a single-file AI-assisted security analysis tool built on the STRIDE threat modeling framework — the same methodology used by security teams at Microsoft, Google, and throughout the enterprise security industry.
Describe your application's architecture in plain language. The tool generates a structured threat model covering all six STRIDE categories with an overall risk assessment. The user supplies their own Gemini API key, held in memory only — never stored, never transmitted anywhere except the Gemini API endpoint.
Threats involving impersonation of users, services, or systems. Authentication failures, credential theft, identity forgery.
Unauthorized modification of data in transit or at rest. Data integrity violations, man-in-the-middle attacks, log manipulation.
Actions that cannot be attributed to a specific actor. Insufficient logging, audit trail gaps, non-repudiation failures.
Exposure of sensitive data to unauthorized parties. Data leakage, insecure storage, overly verbose error messages.
Availability attacks that prevent legitimate users from accessing a system. Resource exhaustion, amplification attacks, infrastructure targeting.
Gaining access or capabilities beyond what was authorized. Privilege escalation, container escapes, permission misconfigurations.
Formal threat modeling is a core security engineering practice that is routinely skipped in smaller organizations and early-stage projects — not because it's unimportant, but because the tooling is expensive, the methodology requires expertise, and the process is time-consuming.
This tool makes STRIDE threat modeling accessible to any developer who can describe their system in plain language. The output is a structured, actionable threat model — not a generic security checklist, but an analysis specific to the described architecture.
Privacy is preserved by design: the API key is held in browser memory only, and no data is retained after the session ends.
Single HTML file. No server. No backend. No data collection. Gemini API called directly from the browser using the user-supplied key. The tool is self-hostable by copying the HTML file — the GitHub link in the footer uses YOUR_USERNAME as a placeholder for forkers to replace with their own repository.
STRIDE analysis is structured via prompt engineering that guides the model to evaluate each threat category systematically against the described architecture, producing both category-specific findings and an overall risk assessment.