SECURE BY DESIGN · THREAT MODELLING

Threat modelling that starts at the design stage.

Most teams threat-model late, in a workshop, if at all. Cybereen does it while the solution is still on the drawing board: upload your design and the AI drafts the threats at each component, each tied to a control and an owner. You confirm; it flows into your platform.

WHAT IT IS

Find what could go wrong before it's built.

Threat modelling is the design-stage practice of asking, component by component, what could go wrong and what stops it. Done early it's cheap; done after build it's a finding.

In Cybereen a threat is a first-class object: it's attached to an architecture node (an app, a store, a portal), tied to the SCF control that answers it, and given an owner, a state and a target date. There's no separate diagram to keep in sync and no spreadsheet that goes stale the week after the workshop.

The co-pilot does the heavy lifting. Point it at your design document and it drafts the threats and the controls that mitigate them, mapped to the parts of your solution. You accept, edit or dismiss each one. Nothing is committed to a control or a risk until you say so.

The honest version: the value isn't a longer list of threats — it's that each one lands on a named component, points at a specific control, and has someone accountable. A threat with no owner and no control is just a worry.
AI DOES THE HEAVY LIFTING

From a design doc to a threat model in seconds.

Upload the design and the co-pilot reads it, identifies the moving parts, and drafts the threats and the controls that answer them.

  • Per component — threats are proposed against each node, not as a generic list.
  • Tied to a control — each threat is matched to the SCF control that mitigates it.
  • Owned and dated — accept a threat and it gets a state, an owner and a target date.
  • Human commits — the AI drafts; you decide what becomes real.
Cybereen Secure by Design — the AI Insights panel drafting threats and exemptions on the Assess stage, each suggestion with Accept or Dismiss
IN THE PRODUCT

Every threat on a node, tied to a control.

The Assess stage lists each threat with its node, the control that answers it, an owner and a state — the model as a working table, not a diagram that goes stale. Illustrative project shown.

app.cybereen.com / secure-by-design / assess
LIVE
Cybereen Secure by Design Assess stage — a table of threats, each with its architecture node, mapped control, owner and state
WHEN YOU CAN'T FIX IT YET

A control you skip is never silent.

Sometimes a control can't be applied in time. Cybereen makes that an explicit decision, not a verbal one.

Record an exemption against the control and it carries a reason, a compensating control, an owner and a review or expiry date — and it can raise a linked risk in your platform. The threat stays visible, the gap stays owned, and the exemption shows up in your Security Architecture Document and your risk register.

That's the whole point of modelling threats early: the ones you can't answer yet are captured, dated and accountable, instead of quietly dropping off a list.

THREAT MODELLING FAQ

Questions about design-stage threat modelling.

Do I need to know a threat modelling methodology?
No. You describe your solution and the co-pilot drafts the threats per component and the controls that answer them. You work in plain language and confirm what applies; the structure is handled for you.
Where do the controls come from?
From the SCF (Secure Controls Framework) catalogue already loaded in Cybereen. You pick the ones that apply rather than inventing your own, and the same controls flow into your Applied Controls and map to the standards you already report against.
What happens to the threats after the design stage?
They stay attached to the project through Build (implementation and independent assurance) and Go-live readiness, and they're written into the Security Architecture Document. Threats you exempt raise linked risks in your register. Nothing lives in a throwaway document.
Is this a separate tool?
No. Threat modelling is the Assess stage of the Secure by Design module on the Cybereen platform. The threats, controls and risks it produces live in the platform you already run.

Threat-model your next solution before you build it.

Bring a design that's still in progress. Upload it, let the AI draft the threats and controls, and walk out with a model that's already in your platform.

Explore Secure by Design →