ThreatModeler Platform Reviews

My use case for ThreatModeler Platform is building systems diagrams with a specific focus on the potential threats and security vulnerabilities that could arise should you make a certain change, such as if you connect one server to another server, what are the risks that you could see.

ThreatModeler Platform has positively impacted my organization by changing the approach from manual to a more efficient method. The big change was the amount of time that my team spends building the models. Before, it would take them a couple of hours to do it. Now they can do it in about 30 minutes, and then small changes are even shorter. It's difficult to say how much ThreatModeler Platform saves financially or resource-wise because it's mostly in team man-hours. The fact that a team of five usually would take 20 hours total, and now it takes them 30 minutes represents a significant reduction in what my team is doing. It gives them the ability to do other things that may be more important.

ThreatModeler Platform's ability to measure and mitigate risks across different attack surfaces has helped my organization. It provides us with a metrics platform to see what our common risks are and start to address them. If we have one particular type of risk or category of risk that's 60% of all our findings, then that's obviously something we want to focus on as an organization. It really helps us identify where we are worst and address that immediately.

ThreatModeler Platform helps my security team keep pace with DevOps sprints by allowing us to adjust and adapt quickly to any of their diagrams and feature changes that they give us late in their cycles. Being able to adjust and adapt quickly means we don't bottleneck them or fall behind. We can't always keep up because there are so many of them and so few of us, but we don't fall behind as much anymore.

It's easy to customize the threat framework components of ThreatModeler Platform to match our needs with the UI. In the catalog, you can pick specific threats that are unique to your company and add those in. It's basically click, fill it out, and apply it to which component. The same applies with customizable components - you just go in, give it a description, a name, and an icon. It's pretty easy, similar to creating a Jira ticket.

The customizability is very nice. Unlike a lot of other similar tools, you can build it exactly to your spec. I appreciate the fact that you can iterate on models, so you have the history if you make a change. I can look back on what this exact same model looked like in 2020. The fact that it integrates with our SSO for login is nice as well.

There are areas for improvement in ThreatModeler Platform, particularly in cloud integration. You can connect with your VPC and it'll build models for you. That is definitely an area that needs improvement. We've tested it a few times and it's somewhat buggy. It'll double add components, stack components on top of each other, and doesn't make a readable diagram. It's a really good idea in theory because it can build out your entire VPC, but it's unpredictable.

Aside from that major area for improvement, a minor issue with ThreatModeler Platform is being able to pin connections between components. Sometimes it won't connect to the right side of the left component. It'll circle all the way around, making an odd-looking connection. Where it could be a straight line, it does something unusual. It's a minor thing, but when you build a complex model, you want to make sure that your connection points are very concise and clear.

I have been using ThreatModeler Platform since approximately 2017, so eight years.

In regards to the stability of ThreatModeler Platform, I would rate it a ten as it has never gone down for us.

Regarding scalability, I would rate it as a nine out of ten.

In our company, about 10 users use ThreatModeler Platform, and at the other one that I worked at, it was closer to about 30.  The use of ThreatModeler Platform is global.

I would rate the support for ThreatModeler Platform as an eight out of ten.

Positive

ThreatModeler Platform is the best that I've used in the space. The other one that I've used is Microsoft Threat Modeler, and that is a terrible tool.

It is a SaaS product, so they host it. I have done it two ways: once on-premises and once when they hosted it.

It seems fairly reasonable. I don't have a comparison point to other products, but I've used it at two companies and it's always been a reasonably priced tool.

I'm not sure that it's significantly impacted our training costs. We use it, but not specifically for training purposes. 

We did not notice any changes in application coverage percentages since implementing ThreatModeler since we already had 100% coverage with our applications. We're just more efficient now.

I would recommend ThreatModeler Platform to other users, as it scales and it's the best one that I've seen out there. It just seems the tool that suits the needs of what people who are threat modeling want.

I would rate ThreatModeler Platform an eight out of ten.

We have applications in multiple clouds, and we use it to review our apps to ensure that they are going to be designed in a secure manner.

It helped us in multiple ways. It's easy to present to leadership where they can get the big picture, and they can ask their questions based on what they see in the drawings. Also, it's a good tool in that it drills down and gets down to the actual requirements. Sometimes we can get buried in the risks, but the risks all translate into requirements. The requirements are the meat and potatoes for our developers. To remediate what's needed, the sooner we get them involved and the sooner we are involved in the process, the sooner the results are designed into the solution. We are also able to reuse the work we put in. When we do something once and there is a revision to the same application, we can start with the previous version. It saves a huge amount of time.

It's a time saver. As we've gotten along, we've determined what we've already remediated. We're not going through a huge list that we used to go through in the beginning. We're going through things that only need to be gone through, and it helps maintain the sprints.

ThreatModeler Platform has enabled our company to meet tight delivery dates for the product teams. I've had several instances where things were brought to my attention late in the game. The tool has been excellent in getting in there and getting it done quickly and with less effort. It's a great time saver, so we can get in and get done, and get out. Sometimes we can do it at astounding speed if we have to. It's better to have enough time to get the job done, but when you're under a crunch, you still can get the job done.

We've customized quite a few components to suit our needs. When we have met the requirements, we put standards around a component. We then deploy it and mark it such that the component is remediated by control or by some standards. In that circumstance, the security requirements don't flow through. They're marked as already met, so it saves us a great deal of time. It's very customizable.

I found that not all of our security architects are fluent in each and every cloud. We're supporting all the major clouds and some SaaS environments. We're finding ways to use the tool and expanding it beyond just the typical clouds that we have today. It has allowed an AWS expert to work on a Google Cloud platform and apply their knowledge quickly and faster, and learn those platforms without necessarily having to be certified in every platform.

ThreatModeler has reduced the hours needed to complete threat modeling projects or secure an app in our organization. It takes about a third of the time doing it through ThreatModeler than it would otherwise. It would greatly vary depending on the actual individual person and how developed our standards are. The company I worked at prior did not have ThreatModeler, and I knew what it took to get the same functionality or similar functionality. It took much longer, and it would be much less uniform across.

Initially, we had ten people working on threat models. Today, within our organization, we probably have four. Fewer folks are working on ThreatModeler, and other security architects are being dedicated to specific environments and specific domains. It has allowed us to be more specialized because we need fewer people to do threat modeling.

ThreatModeler Platform is a big timesaver, helping to provide consistent output. Without it, interpretations would vary. Everything would be developed from scratch, and consistency would be lacking. By having this as our tool, we've developed a more consistent output. It didn't start out that way because everybody has their own ideas, but it is a great tool for making things consistent and making them faster. It allows for drawing solutions to get most of what is needed for threat models, aiding the design team in remediating security requirements. 

It measures and mitigates risks across attack surfaces, presents big pictures to leadership, and translates risks into requirements for developers, resulting in security design solutions that save time. Through customization, they can adapt the platform components to match specific needs, significantly streamlining processes.

We meet with our customer rep on a regular basis and go over new features we request. The team has been quite responsive in fulfilling most of the things we've requested in the revisions as we go along. They implemented changes related to colors. That was one of the things we asked for. 

One feature that I would like to see is related to comments. Comments need to be layered so that they are always on top. When you click on the comment feature, a dialogue box pops up, and you start entering a comment and put it into a VPC or a group of some sort. When you click on that group, the comment shouldn’t disappear behind the group. That's a problem that I would like to see fixed. The comment should always stay on top. It should be at the top layer above everything else because I can't see a reason why the comments should be under the things that you're commenting on. ThreatModeler Platform needs an enhancement so that comments always remain on top layers in diagrams, preventing them from disappearing when interacting with other components.

I have been using ThreatModeler Platform for about three years.

ThreatModeler Platform's AI-driven component suggestions assist with scalability, especially when undertaking new tasks. However, since this feature was implemented after a few years of using the solution, it is sometimes less impactful as we are already accustomed to our existing methods. We move it out of the way just because we're already set in our ways, and we already know what we want to put next. If we didn't know that, it would be a good time saver.

We get a very quick initial response. Traditionally, they have been quite fast in resolving issues. We've had a few issues that took a little longer to resolve, and they were resolved in a few days. As a whole, we've had multiple issues because we use the tool all the time and run into problems. They're quick to fix them. Sometimes, we could get a better explanation of what was done to fix it, but all in all, we're happy with the results in the sense that things get resolved quickly. We have somebody who takes our requests and resolves them quickly. Of all the time, all the years that we've had it, we've only had a couple of issues that took a little while longer to resolve.

Positive

Prior to ThreatModeler Platform, threat models were done manually, but this approach was less efficient.

I joined after it was selected, so I wasn't a part of the selection process, but I have evaluated it a couple of times since then and compared it to current products. It seems to be head and shoulders above the rest as far as multi-cloud support. A big thing about it is that we've now integrated it into our work environment such that we can go into and run a report on the security requirements and export them into Jira, and then they can be assigned to a particular team to go through each one of those requirements. They can go through the open ones and fix them. It can automatically, or nearly automatically, be tied into our work environment. It's pretty slick. It's a big time saver. We've integrated it into our platforms. We're doing more and more integration as we go along. A lot of these things didn't exist earlier, at least not to the extent they do now. They've been a result of us working with the ThreatModeling team and them being responsive to our needs.

We initially attempted to port diagrams from draw.io or Visio to ThreatModeler Platform, expecting integration with threat tools. It might have improved now, but at the time, the results were unsatisfactory, leading to manual interpretation and entry processes. 

We now get drawings in multiple formats. I'd love to say that we are standardized in the way we should be, but we have multiple teams, and we get multiple formats. We take that drawing and interpret that, and enter it into the tool manually. However, when we are grabbing things, clicking, and dragging them over and making boxes and just sliding things over, as long as the component selection is fairly robust, it's fine. It's a very fast process.

ThreatModeler Platform has reduced training and education costs by enabling security architects to extend their knowledge across various cloud platforms without needing specific certification, leveraging AWS expertise in other environments efficiently.

It's like everything. If you look at the pricing, it sounds like a lot. If you look at the time it saves you and the fact that it repeatedly saves you that time, it pays for itself. That's what you want out of your tools. If they pay for themselves, you can easily justify them, even if they are expensive. Security architects are very expensive, and we're already doing more with less. Our team is smaller than it was a few years ago, and we have had fewer people doing threat modeling because we're getting more done with the tool.

We aren't using the governance part yet. I need to look at that more and incorporate that. We aren't using it yet, but it's a good feature. I'd like to find a way to use it. Right now, we're doing governance outside of the tool using other platforms. Maybe we can do it more inside the tool.

I would rate ThreatModeler Platform an eight out of ten.