
A STRIDE threat analysis framework with MITRE ATT&CK integration.

Project description

STRIDE Threat Analysis Framework with MITRE ATT&CK Integration

Overview

This is an OWASP project: SecOpsTM.
This project is a Python-based, end-to-end STRIDE threat modeling and analysis framework with MITRE ATT&CK mapping. It enables you to:

  • Model your system architecture in Markdown (threatModel_Template/threat_model.md), including boundaries, actors, servers, data, and dataflows.
  • Automatically identify STRIDE threats for each component and dataflow.
  • Map threats to MITRE ATT&CK techniques for actionable, real-world context.
  • Calculate severity using customizable base scores, target multipliers, protocol adjustments, and VOC risk signals (CVE, CWE, network exposure, D3FEND mitigations).
  • Generate detailed reports (HTML, JSON) and visual diagrams (DOT, SVG, HTML) with threat highlights.
  • ⛓️ Attack Chain Analysis: Automatically identifies multi-step attack paths that chain threats across dataflows; shown in a dedicated section of the HTML report.
  • Trust Boundary Visualization: Trusted zones rendered green solid, untrusted zones red dashed — baked into the DOT/SVG output, with an interactive severity heat map overlay in HTML diagrams.
  • Generate MITRE ATT&CK Navigator layers for visualizing identified techniques.
  • Generate optimized Attack Flow diagrams for key objectives (Tampering, Spoofing, Information Disclosure, Repudiation).
  • Extend and customize all mappings, calculations, and reporting logic.
  • Run as a web-based editor for live, interactive threat modeling.
  • AI-Enhanced Threat Analysis (Hybrid Mode): Threats from three independent engines — pytm rule engine, component-level LLM, and a cross-model RAG pipeline (ChromaDB + HuggingFace) — are automatically deduplicated and unified before reporting. Boundary objects are also analysed as AI targets. Supports Ollama (offline), Gemini, OpenAI, Mistral, and any LiteLLM-compatible provider. Configured in config/ai_config.yaml.
  • Pure CLI & CI integration: A secopstm command is installed by pip install -e . (or by pip install SecOpsTM). Use --output-format json --stdout to pipe structured output to dashboards or a SIEM without starting a server.
  • Versioned JSON output: Every JSON export is stamped schema_version: "1.0" and validated against threat_analysis/schemas/v1/threat_model_report.schema.json.
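The per-dataflow STRIDE identification, the severity formula (base score, target multiplier, protocol adjustment) and the attack-chain search listed above, reduced to one self-contained toy. This is an added example written for this page, not SecOpsTM's code and not built on pytm: the element and dataflow model, the six rules, the scores, the multipliers and the protocol table are all constructed assumptions.

```python
"""Toy STRIDE analysis with severity scoring and attack-chain detection.

Illustrative code added to this page. It is not SecOpsTM's implementation
and uses none of its APIs; the model, rules, base scores, multipliers and
protocol table are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Element:
    name: str
    boundary: str   # trust zone the element sits in
    trusted: bool   # whether that zone is trusted


@dataclass(frozen=True)
class Dataflow:
    src: str
    dst: str
    protocol: str
    authenticated: bool
    logged: bool


# Constructed sample model (hypothetical names, not the template on this page).
ELEMENTS: Dict[str, Element] = {e.name: e for e in (
    Element("Browser", "Internet", trusted=False),
    Element("WebApp", "DMZ", trusted=True),
    Element("API", "Internal", trusted=True),
    Element("DB", "Internal", trusted=True),
)}
FLOWS: List[Dataflow] = [
    Dataflow("Browser", "WebApp", "HTTP", authenticated=False, logged=False),
    Dataflow("WebApp", "API", "HTTPS", authenticated=True, logged=False),
    Dataflow("API", "DB", "TCP", authenticated=False, logged=False),
]

# Assumed scoring knobs; the page names these factors, the numbers are invented.
BASE_SCORE = {"Spoofing": 6.0, "Tampering": 7.0, "Repudiation": 4.0,
              "Information Disclosure": 7.0, "Denial of Service": 5.0,
              "Elevation of Privilege": 8.0}
TARGET_MULTIPLIER = {"DB": 1.5, "API": 1.2}                    # default 1.0
PROTOCOL_ADJUSTMENT = {"HTTP": 1.3, "TCP": 1.2, "HTTPS": 0.8}  # default 1.0
PLAINTEXT = {"HTTP", "TCP"}   # no transport confidentiality or integrity


def crosses_boundary(flow: Dataflow, elements: Dict[str, Element]) -> bool:
    return elements[flow.src].boundary != elements[flow.dst].boundary


def stride_threats(flow: Dataflow, elements: Dict[str, Element] = ELEMENTS) -> List[str]:
    """Rule-based STRIDE identification for one dataflow (one toy rule per letter)."""
    found: List[str] = []
    if not flow.authenticated:
        found.append("Spoofing")
    if flow.protocol in PLAINTEXT:
        found += ["Tampering", "Information Disclosure"]
    if not flow.logged:
        found.append("Repudiation")
    if crosses_boundary(flow, elements) and not elements[flow.src].trusted:
        found.append("Denial of Service")
    if crosses_boundary(flow, elements) and not flow.authenticated:
        found.append("Elevation of Privilege")
    return found


def severity(flow: Dataflow, threat: str) -> float:
    """base score x target multiplier x protocol adjustment, capped at 10."""
    score = (BASE_SCORE[threat]
             * TARGET_MULTIPLIER.get(flow.dst, 1.0)
             * PROTOCOL_ADJUSTMENT.get(flow.protocol, 1.0))
    return round(min(score, 10.0), 1)


def attack_chains(flows: List[Dataflow] = FLOWS,
                  elements: Dict[str, Element] = ELEMENTS,
                  max_hops: int = 4) -> List[List[Tuple[str, str, str]]]:
    """Maximal multi-step paths that start at an untrusted element and whose
    every hop is a dataflow carrying at least one threat. Each hop is recorded
    as (src, dst, first threat found on that flow)."""
    by_src: Dict[str, List[Dataflow]] = {}
    for f in flows:
        if stride_threats(f, elements):
            by_src.setdefault(f.src, []).append(f)
    chains: List[List[Tuple[str, str, str]]] = []

    def walk(node: str, path: List[Tuple[str, str, str]], seen: set) -> None:
        extended = False
        for f in by_src.get(node, []):
            if f.dst in seen or len(path) >= max_hops:
                continue          # no cycles, bounded depth
            extended = True
            hop = (f.src, f.dst, stride_threats(f, elements)[0])
            walk(f.dst, path + [hop], seen | {f.dst})
        if len(path) >= 2 and not extended:
            chains.append(path)   # report only chains that cannot be extended

    for start in (e.name for e in elements.values() if not e.trusted):
        walk(start, [], {start})
    return chains


if __name__ == "__main__":
    for f in FLOWS:
        for t in stride_threats(f):
            print(f"{f.src}->{f.dst} [{f.protocol}] {t}: {severity(f, t)}")
    for chain in attack_chains():
        print(" -> ".join(f"{s}({t})" for s, _, t in chain) + f" -> {chain[-1][1]}")
```

Running it lists each threat with its score and one chain, Browser -> WebApp -> API -> DB. The WebApp -> API hop is authenticated HTTPS and stays in the chain only because it is unlogged; that is the kind of weak link a chain view surfaces and a per-flow list of medium findings hides, and it is why the report's attack-chain section is worth reading separately from the threat table.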

Based on PyTM: This framework leverages PyTM's modeling primitives and extends them with advanced reporting, MITRE mapping, and diagram generation.

Requires Python 3.8 or later.


✨ New Interactive Features

The framework's web interface has been significantly updated to provide a more powerful and seamless threat modeling experience.

Interactive Diagrams

The generated diagrams (both in the live editor and in exported HTML reports) are not static images. They are fully interactive SVGs that allow you to:

  • Click to Highlight: Click on any element (node or connection) to highlight it and its direct relationships. The rest of the diagram fades out, allowing you to focus on the selected components.
  • Toggle Selection: Click the same element again or the diagram background to clear the selection.
  • Sub-model Navigation: In generated project reports, elements that represent sub-models have a distinct hover effect and are clickable, allowing for easy navigation between different parts of a complex architecture.

Interactive Legend

  • Filter Connections: The diagram legend is now interactive. Click on a protocol (e.g., HTTPS, TCP) to instantly show or hide all dataflows using that protocol, making it easy to analyze specific parts of your data flow.

Robust Project Generation

  • The "Generate All" feature is designed to handle complex projects with nested sub-models.
  • If you have a project with multiple threat model files, it intelligently detects if any referenced sub-models are not currently open in the editor and prompts you to select your project's root directory. This ensures that all necessary files are found and included for a complete and accurate generation of all reports and diagrams.

Simple Server Mode

  • The integrated web server can be started with a path to a project directory (--project path/to/your/project). It will automatically find all *.md threat model files within that project and open them in tabs, ready for editing.

📚 Full Documentation

For detailed information on features, usage, and advanced customization, please refer to our full documentation in the docs directory.


Quick Start / Installation

Docker (no setup required)

docker pull ghcr.io/ellipse2v/secopstm:latest
docker run -p 5000:5000 -v $(pwd)/output:/app/output ghcr.io/ellipse2v/secopstm:latest

Open http://localhost:5000. Graphviz is included and external_data/ is bundled in the image. Note that -p 5000:5000 publishes the editor on every interface of the host; on a shared or network-reachable machine use -p 127.0.0.1:5000:5000 instead so that only local users can reach it.

For AI features (LiteLLM + RAG). With a hosted provider (the GEMINI_API_KEY below, OpenAI, Mistral) the contents of your threat model, i.e. a description of your architecture, are sent to that provider; Ollama is the offline option when the model must not leave your environment:

docker pull ghcr.io/ellipse2v/secopstm:ai
docker run -p 5000:5000 -e GEMINI_API_KEY=your_key \
  -v $(pwd)/output:/app/output ghcr.io/ellipse2v/secopstm:ai

pip

pip install SecOpsTM
secopstm download-data   # download offline knowledge base (~140 MB, one-time)
secopstm --server

From source

git clone https://github.com/ellipse2v/SecOpsTM.git
cd SecOpsTM
pip install -e .
# Install Graphviz: https://graphviz.org/download/

Basic CLI usage

# Full analysis — HTML + JSON + SVG in output/
secopstm --model-file threatModel_Template/threat_model.md

# JSON only, printed to stdout — ideal for CI pipelines
secopstm --model-file model.md --stdout

# JSON to a specific file
secopstm --model-file model.md --output-format json --output-file report.json

# Launch the web editor
secopstm --server
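A consumer for the piped JSON report and a MITRE ATT&CK Navigator layer builder, as the "ideal for CI pipelines" comment above and the versioned-output and Navigator-layer bullets in the overview describe. This is an added example, not SecOpsTM code: the report's field names and records, the STRIDE-to-technique table, the Navigator version numbers and the 9.0 threshold are assumptions made for the example; only the schema_version value "1.0" is taken from this page, and a real report should be validated against threat_analysis/schemas/v1/threat_model_report.schema.json rather than against the hand-written checks here.

```python
"""CI consumer for a versioned JSON report, with ATT&CK Navigator layer export.

Added example, not SecOpsTM code. The report layout (field and record names),
the STRIDE -> ATT&CK table, the Navigator version numbers and the failure
threshold are assumptions; only the schema_version value "1.0" comes from
this page.
"""
import json
import sys
from typing import Dict, List

SUPPORTED_MAJOR = "1"   # accept any 1.x report; the page documents schema_version "1.0"

# Illustrative STRIDE -> technique table (one defensible choice, not the project's).
STRIDE_TO_ATTACK: Dict[str, List[str]] = {
    "Spoofing": ["T1557", "T1078"],
    "Tampering": ["T1565"],
    "Repudiation": ["T1070"],
    "Information Disclosure": ["T1040"],
    "Denial of Service": ["T1499"],
    "Elevation of Privilege": ["T1068"],
}

# Constructed report, standing in for piped `--output-format json --stdout` output.
SAMPLE_REPORT = json.dumps({
    "schema_version": "1.0",
    "model": "threat_model.md",
    "threats": [
        {"dataflow": "Browser->WebApp", "stride": "Spoofing", "severity": 7.8},
        {"dataflow": "Browser->WebApp", "stride": "Information Disclosure", "severity": 9.1},
        {"dataflow": "API->DB", "stride": "Tampering", "severity": 10.0},
    ],
})


class ReportError(ValueError):
    """Raised when the input is not a report this consumer can trust."""


def load_report(text: str) -> dict:
    """Parse and sanity-check a report before acting on any of its numbers."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ReportError(f"not JSON: {exc}") from exc
    version = report.get("schema_version") if isinstance(report, dict) else None
    if not isinstance(version, str) or version.split(".")[0] != SUPPORTED_MAJOR:
        raise ReportError(f"unsupported schema_version {version!r}")
    threats = report.get("threats")
    if not isinstance(threats, list):
        raise ReportError("missing 'threats' list")
    for t in threats:
        sev = t.get("severity") if isinstance(t, dict) else None
        if not isinstance(sev, (int, float)) or not 0 <= sev <= 10:
            raise ReportError(f"bad severity in {t!r}")
    return report


def accepts(text: str) -> bool:
    """True if load_report would accept the text (convenience for callers)."""
    try:
        load_report(text)
        return True
    except ReportError:
        return False


def gate(report: dict, fail_at: float = 9.0) -> List[dict]:
    """Findings at or above the threshold; a non-empty list should fail the build."""
    return [t for t in report["threats"] if t["severity"] >= fail_at]


def navigator_layer(report: dict, name: str = "SecOpsTM findings") -> dict:
    """One Navigator entry per technique: score = highest severity that maps
    to it, comment = the dataflows and STRIDE categories that produced it."""
    scores: Dict[str, float] = {}
    sources: Dict[str, set] = {}
    for t in report["threats"]:
        for tid in STRIDE_TO_ATTACK.get(t["stride"], []):
            scores[tid] = max(scores.get(tid, 0.0), t["severity"])
            sources.setdefault(tid, set()).add(f"{t['dataflow']} ({t['stride']})")
    techniques = [{"techniqueID": tid, "score": scores[tid], "enabled": True,
                   "comment": "; ".join(sorted(sources[tid]))}
                  for tid in sorted(scores)]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Techniques reached by STRIDE findings; score is the max severity",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff0000"], "minValue": 0, "maxValue": 10},
    }


if __name__ == "__main__":
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    try:
        report = load_report(text)
    except ReportError as exc:
        sys.exit(f"refusing report: {exc}")
    with open("navigator_layer.json", "w") as fh:
        json.dump(navigator_layer(report), fh, indent=2)
    blocking = gate(report)
    for t in blocking:
        print(f"BLOCKING {t['dataflow']} {t['stride']} severity={t['severity']}")
    sys.exit(1 if blocking else 0)
```

Saved under any name (say ci_gate.py) it can sit at the end of the pipe: secopstm --model-file model.md --output-format json --stdout | python ci_gate.py. A report whose major schema version is not 1 is refused rather than silently misread, and the non-zero exit blocks the pipeline when any finding reaches the threshold. The technique IDs are real ATT&CK identifiers (T1557 Adversary-in-the-Middle, T1040 Network Sniffing, T1565 Data Manipulation, and so on), but which of them a STRIDE category should map to is a modelling choice, which is why the framework lets you extend its mappings.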

Roadmap

roadmap link

License

Apache License 2.0. See LICENSE.

Author

ellipse2v

Download files


Source Distribution

secopstm-1.1.1a17.tar.gz (1.7 MB, source)

Built Distribution


secopstm-1.1.1a17-py3-none-any.whl (1.6 MB, Python 3 wheel)

File details

Details for the file secopstm-1.1.1a17.tar.gz.

File metadata

  • Download URL: secopstm-1.1.1a17.tar.gz
  • Size: 1.7 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No (uploaded with twine under an account credential rather than through a trusted-publisher workflow, so PyPI records no publisher-verified link from this file back to a CI build of the repository)
  • Uploaded via: twine/6.2.0 CPython/3.10.20

File hashes

Hashes for secopstm-1.1.1a17.tar.gz

  • SHA256: 85ec9c118567ded843e3a66e64d75ef24c559bc02364e81d20de7887aa666dfe
  • MD5: ae4398861fe458b74512d9353c6017de
  • BLAKE2b-256: 85e41b51cc8cadd470faf05092ff8b65841f18e5dd44640bbbd12b6a573dd2dc

To install exactly this artifact, list it in a requirements file as secopstm==1.1.1a17 with the SHA256 digest given as a --hash=sha256:85ec9c118567ded843e3a66e64d75ef24c559bc02364e81d20de7887aa666dfe option on the same requirement, and install with pip install --require-hashes -r requirements.txt; pip then refuses any file whose digest differs. The MD5 value is listed for completeness only and should not be relied on for verification.

File details

Details for the file secopstm-1.1.1a17-py3-none-any.whl.

File metadata

  • Download URL: secopstm-1.1.1a17-py3-none-any.whl
  • Size: 1.6 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.20

File hashes

Hashes for secopstm-1.1.1a17-py3-none-any.whl

  • SHA256: 13331d94edbed47e167f32bcb307d55b69457aa92778bb7862839790b8f04d8b
  • MD5: 887c09a34e81c0c7b825d0a02187e24f
  • BLAKE2b-256: ee2cdb160f412ccde22fd668d34780d01bd02a940be3105ef3be1a79dba4a01a
