A complete threat modelling platform, free and in your browser
Grepsi Security Threat Modelling guides you through the full OWASP process — from scoping your system to scoring risks and generating audit-ready reports. No account. No server. No lock-in.
Why we built this
Threat modelling shouldn't require a vendor
Most organisations skip threat modelling because the tooling is expensive, complex, or requires uploading sensitive system designs to third-party platforms. This tool changes that.
Runs entirely in your browser
No data is ever sent to a server. Your threat models stay on your device.
Manage multiple projects
Maintain a full portfolio of threat models, each auto-saved locally.
No account required
Open the page and start modelling immediately — zero friction.
Export anywhere
Download your model as JSON or generate a full PDF report entirely in-browser.
Open source
Fully transparent, free to use, and available for self-hosting.
The process
An 8-step structured workflow
Aligned to the OWASP Threat Modeling Process — from blank canvas to audit-ready report.
Application Info
Capture project metadata — name, version, owner, participants, and reviewers.
Scope & Decomposition
Define trust levels, threat agents, external dependencies, data classification, and business criticality.
System & DFD
Map components, data flows, and trust boundaries with an interactive L0/L1 Data Flow Diagram.
Threat Identification
Identify threats per component using STRIDE or LINDDUN, with pre-built templates by component type.
Risk Assessment
Score Likelihood × Impact on a 5×5 matrix. Threats are automatically ranked Critical, High, Medium, or Low.
Countermeasures
Document preventive, detective, corrective, and deterrent controls. Track status and calculate residual risk.
Security Requirements
Capture formal requirements linked to threats, with auto-suggestion based on identified threat categories.
Report
Review the full threat register and statistics, then export as a PDF or JSON file.
Threat frameworks
STRIDE and LINDDUN — both fully supported
Cover both security and privacy threats in a single model. Select a framework per threat, or use both frameworks together.
Built-in intelligence
Don't start from a blank page
Pre-built catalogues and auto-suggestions accelerate every stage of the modelling process.
Threat Templates
Pre-built threat suggestions based on your component types — API, datastore, web app, mobile, and more.
Asset & Entry Point Templates
Common starting points for web, API, mobile, and cloud architectures to get you modelling faster.
OWASP Countermeasure Catalogue
Mitigations mapped to STRIDE categories so you always know what controls to consider.
Auto-Suggested Requirements
Security requirements automatically derived from the threats you identify — no manual cross-referencing needed.
Who it's for
Built for everyone in the security conversation
No prior security expertise required. Guided prompts and methodology documentation support you at every step.
Development Teams
Build security in from the design stage, before a line of code is written.
Security Champions
Run structured threat modelling workshops with your colleagues.
Architects
Conduct security design reviews against a consistent, auditable framework.
Consultants
Document and communicate security risk clearly to clients.
Students & Learners
Get hands-on with threat modelling using real frameworks and guided prompts.
Your data, your device
Nothing leaves your browser. Ever.
Everything you enter stays in your browser's local storage. Nothing is transmitted or stored externally. Data persists until you choose to clear it.
Use Export JSON to back up your work or move it between devices. Use Load JSON to restore it. PDF reports are generated entirely in-browser — no upload, no third party involved.
Ready to model your first threat?
No sign-up. No installation. Open the tool and start in seconds.