threatmodel-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@threatmodel-mcpCreate a threat model for my web app with user, web server, and database."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
ThreatModel-MCP
Model Context Protocol server for AI-powered threat modeling.
Demo

Related MCP server: Mipiti MCP Server
Setup
Install dependenciespip install -r requirements.txtInstall Graphviz(optional, for PNG diagrams)Windows: Download from https://graphviz.org/download/
Mac: brew install graphviz
Linux: sudo apt-get install graphviz
Configure MCP client(Claude Desktop, etc.){ "mcpServers": { "threatmodel": { "command": "python", "args": ["/full/path/to/threatmodel_server.py"] } } }
Available Tools
create_threat_model
Creates comprehensive threat models with components, boundaries, and data flows.
Parameters:
system_name - Name of the system
components - Array of system components with types, boundaries, security controls
boundaries - Trust boundaries with security levels (0-10)
dataflows - Data flows between components with protocols and classifications
output_format - "diagram", "pytm_code", "threats", or "full_analysis"
auto_save - Auto-save files (default: true)
save_path - Directory to save files (default: current directory)
analyze_security_threats
Performs deep security analysis using multiple frameworks.
Parameters:
analysis_depth - "basic", "standard", "comprehensive", or "paranoid"
threat_frameworks - ["STRIDE", "MITRE_ATTACK", "OWASP", "NIST", "CIS"]
focus_areas - Authentication, data protection, network security, etc.
compliance_frameworks - ["SOC2", "ISO27001", "HIPAA", "PCI-DSS", "GDPR"]
generate_security_controls
Generates security control recommendations based on threats.
Parameters:
threats - Array of identified threats
risk_appetite - "low", "medium", or "high"
technology_stack - Current technologies (AWS, k8s, etc.)
prioritization_method - "risk_based", "quick_wins", "compliance_driven"
validate_architecture
Validates architecture against security best practices.
Parameters:
components - System components to validate
validation_rules - ["zero_trust", "encryption_in_transit", "api_gateway_pattern"]
architecture_patterns - ["microservices", "serverless", "hybrid_cloud"]
Component Types
Actors: user, admin, service_account Services: server, api_gateway, microservice, lambda, container Data: database, cache, message_queue, file_storage Infrastructure: load_balancer, firewall, external_service
Protocols & Classifications
Protocols: HTTPS, gRPC, WebSocket, SQL, Redis, S3 API Data Classifications: PUBLIC → INTERNAL → CONFIDENTIAL → RESTRICTED → TOP_SECRET
Auto-Save Features
Generated files (with timestamps):
SystemName_threatmodel_YYYYMMDD_HHMMSS.png - Diagram (when output_format="diagram")
SystemName_threatmodel_YYYYMMDD_HHMMSS.dot - DOT source (always)
SystemName_threatmodel_YYYYMMDD_HHMMSS.py - PyTM code (always)
SystemName_threatmodel_analysis_YYYYMMDD_HHMMSS.md - Analysis report (when output_format="full_analysis")
Example Usage
Example 1: Codebase Analysis
Prompt: "Create a high level threat diagram of current codebase"

Example threat model diagram generated from a cloned OpenAI Codex codebase, showing multi-layer security boundaries, component classifications, and encrypted data flows between services.
Example 2: Web Application Architecture
Prompt: "A web application where the user interacts with a web server, which in turn communicates with a database server. The web server and database server are outside the user's trust boundary. The user connects to the web application via a browser. The web server handles requests and responses, and the database server stores application data. The trust boundary is around the user only; both the web server and database server are outside this boundary"

Example threat model showing user trust boundary with web and database servers in untrusted zone.
Refer to threat analysis report in assets/Web_Application_System_Threat_Analysis_Report.md
Troubleshooting
Graphviz issues: Verify with dot -V DOT syntax errors: Component names automatically sanitized No Python: Ensure Python in PATH
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/boxed-dev/threatModelling-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server