IriusRisk - Automated Threat Modeling and Risk Management


Threat Modeling platform

With embedded editor
delivers true best-in-class architectural diagramming.


Create a threat model and derive security requirements in minutes.


Integrated platform with application risk analysis and architectural security for developers.


Measureview and respond to application security risk throughout the SDLC.

Choose a basic architecture to start with

Iriusrisk is a threat modeling tool with best-in-class architectural diagramming and adaptive questionnaires driven by an expert system which guides the user about the technical architecture, the planned features and security context of the application.

Leveraging as well as other diagramming tools, you can import existing templates or create new ones. Coupled with questionnaires that modify in real-time based on the supplied answers, the more it learns about the architecture, it asks more specific questions in order to accurately identify the inherent risks.

Fully customizable drag and drop elements and thanks to our graphical rules editor, an editable questionnaire, you can customise everything to fit your environment and common architectures.

IriusRisk generates an initial threat model automatically

The model is categorized by the major components and presents a list of the potential security risks and weaknesses, along with specific recommended countermeasures. Weaknesses are regarded as potentially present, until their presence or absence has been verified through security testing. Confirmed weaknesses are highlighted as vulnerabilities.


Choose a risk response

Each threat is linked to potential Weaknesses and recommended Countermeasures from our extensive application risk database. The user can then make an informed decision about the appropriate risk response: Mitigate, Avoid or Accept. For example, a countermeasure can be applied to Mitigate the risk,

or a risk can be accepted, and the risk decision justified.

The system provides risk management advice and guidance by highlighting the important next steps and the countermeasures that provide the highest return on security investment.

Countermeasures become security requirements

Developers and the implementation team have a clear list of the security countermeasures that need to be implemented. Countermeasures can also be uploaded to a defect tracker like Jira, so that developers can keep using the tools they’re familiar with, while the security team has a real-time risk centric view of the countermeasure progress.

Countermeasure status can be managed in IriusRisk alone, or by synchronising with a defect tracker like Jira.

Test weakness and countermeasures

Security testing is supported both from a control and a vulnerability perspective. The test results from negative testing, such as vulnerability assessments and penetration tests can be recorded against the listed Weaknesses. Positive security control testing such as code reviews and audit that aim to validate the implementation of controls can be recorded against the listed Countermeasures.

Tests can be automatically imported from external test sources like JUnit, JBehave, Cucumber, OWASP ZAP and of course our BDD-Security framework.

Tests can also be updated through our REST API

Manage product risk across the enterprise

Compare risk ratings for products across the enterprise or within business units

Request Demo


Connect with us

Schedule a demo

Complete this form and a member of the team will schedule a demo shortly. We look forward to showing you the platform!