Threat Modeling: A Practical Guide for Development Teams

A book by Izar Tarandach and Matthew J. Coles

17 September 2025

A Dragon and Python walk into an OWASP card game...

by Izar Tarandach

(This post used ChatGPT for clarification of language and image generation)

Threat modeling has a reputation for being heavy, academic, and sometimes intimidating. But the OWASP community has been working hard to change that, building tools that lower the entry barrier, welcome new players to the table, and give seasoned pros ways to adapt their practice to their culture and style. There’s something for everyone, whatever their level of knowledge, their role, or even their level of commitment.

Let’s talk about four of them: Threat Dragon, pyTM, Cornucopia, and Cumulus.

Threat Dragon

Threat Dragon is a visual, browser-based tool. Think drag-and-drop diagrams, flows, and assets. It’s approachable for developers, testers, and even product owners who “see” the system as they model it. Threat Dragon lowers the barrier to entry by making diagrams the starting point, and then layering threats on top. It makes life easier for distributed teams by allowing many members to work on the same model. Beyond visualization, its power lies in recording threats and mitigations and in supporting popular threat modeling methodologies such as STRIDE, LINDDUN, and PLOT4ai, without forcing users to adopt a particular one. With more than 1,200 GitHub stars, frequent releases, two development branches, and a stellar team developing it, it is a serious contender for introducing individuals and teams to the world of threat modeling tools.

pyTM

pyTM is a Python library that introduces Threat-Modeling-as-Code. Instead of drawing, you describe your system in Python objects: processes, data flows, boundaries. Then pyTM generates diagrams and threat reports for you. Because the model is code, it lives in the repository next to the system it describes and can be reviewed and diffed like any other change. It’s perfect for teams already living in code and automation (CI/CD pipelines, testing frameworks, “shifting left”), or simply for people who are more descriptive than visual in their approach to building systems. Its development tempo is a bit slower than Threat Dragon’s, but the team is committed to delivering powerful features over time.
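To make the “threat-modeling-as-code” idea concrete, here is an added example that is not pyTM’s own code: pytm’s real element classes (TM, Actor, Server, Datastore, Dataflow, Boundary) and its `--dfd` and `--report` command-line flags work differently, and its threat library is much larger. The toy below shows the shape of the workflow: describe a small system as Python objects, derive threats from a rule set, and emit a Graphviz DFD plus a Markdown report. The class names, attribute names, the three STRIDE-flavoured rules, and the sample system are all assumptions made for this illustration.

```python
"""Threat-modeling-as-code in miniature (constructed example, not pytm)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Boundary:
    """A trust boundary; flows that cross one deserve extra scrutiny."""
    name: str


@dataclass
class Element:
    """A DFD node: an external actor, a process, or a datastore."""
    name: str
    kind: str                              # "actor" | "process" | "datastore"
    boundary: Optional[Boundary] = None
    sanitizes_input: bool = False          # validates data before reusing it?
    authenticates_callers: bool = False    # checks who is talking to it?
    is_sql: bool = False


@dataclass
class Dataflow:
    """A directed flow of data between two elements."""
    source: Element
    sink: Element
    label: str
    protocol: str = "HTTPS"
    encrypted: bool = True

    def crosses_boundary(self) -> bool:
        return self.source.boundary != self.sink.boundary


@dataclass
class Threat:
    stride: str          # one STRIDE letter
    target: str
    description: str


def find_threats(flows):
    """Apply three illustrative rules to every flow (pytm's rule set is far
    larger and data-driven; the idea is the same: model in, findings out)."""
    threats = []
    for f in flows:
        if f.crosses_boundary() and not f.encrypted:
            threats.append(Threat("I", f.label,
                f"'{f.label}' ({f.protocol}) crosses a trust boundary unencrypted"))
        if f.sink.is_sql and not f.source.sanitizes_input:
            threats.append(Threat("T", f.sink.name,
                f"'{f.source.name}' sends unsanitized input to SQL store "
                f"'{f.sink.name}' via '{f.label}' (injection)"))
        if f.source.kind == "actor" and not f.sink.authenticates_callers:
            threats.append(Threat("S", f.sink.name,
                f"'{f.sink.name}' does not authenticate the caller of '{f.label}'"))
    return threats


def to_dot(elements, flows):
    """Emit a Graphviz DFD; boundaries become dashed clusters."""
    shapes = {"actor": "box", "process": "ellipse", "datastore": "cylinder"}
    lines = ["digraph tm {", "  rankdir=LR;"]
    by_boundary = {}
    for e in elements:
        by_boundary.setdefault(e.boundary, []).append(e)
    for i, (b, members) in enumerate(by_boundary.items()):
        if b is not None:
            lines.append(f'  subgraph cluster_{i} {{ label="{b.name}"; style=dashed;')
        for e in members:
            lines.append(f'    "{e.name}" [shape={shapes[e.kind]}];')
        if b is not None:
            lines.append("  }")
    for f in flows:
        style = "solid" if f.encrypted else "dashed"   # dashed = cleartext
        lines.append(f'  "{f.source.name}" -> "{f.sink.name}" '
                     f'[label="{f.label}\\n{f.protocol}", style={style}];')
    lines.append("}")
    return "\n".join(lines)


def to_markdown(threats):
    """Render findings as a Markdown table for a report."""
    rows = ["| STRIDE | Target | Finding |", "|---|---|---|"]
    rows += [f"| {t.stride} | {t.target} | {t.description} |" for t in threats]
    return "\n".join(rows)


def build_model():
    """Constructed sample system: a web app that stores user comments."""
    internet, dmz, backend = Boundary("Internet"), Boundary("DMZ"), Boundary("Server/DB")
    user = Element("User", "actor", internet)
    web = Element("Web Server", "process", dmz, sanitizes_input=False,
                  authenticates_callers=True)
    db = Element("SQL Database", "datastore", backend, is_sql=True)
    flows = [
        Dataflow(user, web, "Post comment", protocol="HTTPS", encrypted=True),
        Dataflow(web, db, "INSERT comment", protocol="MySQL", encrypted=False),
    ]
    return [user, web, db], flows


if __name__ == "__main__":
    elements, flows = build_model()
    print(to_dot(elements, flows))   # pipe into: dot -Tpng -o dfd.png
    print()
    print(to_markdown(find_threats(flows)))
```

Running the script prints a DOT graph you can render with Graphviz and a two-row findings table: an Information Disclosure finding for the cleartext MySQL flow crossing from the DMZ into the database boundary, and a Tampering finding because the web server passes unsanitized comments into SQL. Flip `sanitizes_input` to `True` on the web server and the second finding disappears, which is exactly what makes a code-based model useful in a pipeline: a one-line change to the model is a reviewable, diffable change to the threat picture.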

Cornucopia and Cumulus

Cornucopia and Cumulus take a different direction: they are card games for eliciting threats. Each card describes a scenario or attack angle, sparking conversation and creativity. Teams play through the deck, identify risks, and come away with a shared understanding. It’s fun, collaborative, and perfect for pulling in people who don’t speak in sequence diagrams or Python objects. Cumulus focuses on cloud and DevOps threats, and Cornucopia on security requirements during the development process. They are similar in gameplay and deliver similar value. These games keep the activity fresh and engaging by disguising the acquisition and use of security knowledge as play.

Seriously playing games

It would be easy to think of these as competing tools and to spend time wondering which one is right for you and your team. But the truth is slightly more complex than that. These tools can work together, not only to offer immediate value in your threat modeling journey, but also as ramp-ups to more enterprise-oriented tooling and processes. If you have ever wondered “will my team actually follow a process and work with an expensive tool?” before writing the check, perhaps one or more of OWASP’s offerings is exactly what you need.

None of these tools dictate how you should threat model. Instead, they let you calibrate your practice to your team’s knowledge, culture, and preferences. Visual learners? Use Threat Dragon. Code-centric devs? pyTM is your friend. Looking for an energizing team session? Deal the Cornucopia or Cumulus cards.

And with the CycloneDX TMBOM effort, these tools stop being silos and start working together. As more tools join that effort, you will be able to carry your threat model easily from one to the other.

Threat modeling doesn’t have to be a heavy lift. With a dragon, a python, a cornucopia, and a cloud deck at the table, teams get free, approachable, flexible, and fun ways to think about threats.

So grab your deck, your IDE, or your browser. The important part isn’t which tool you start with. It’s that you start.