How our platform works
Define your architecture:
Draw a diagram using drag and drop components, powered by our embedded draw.io diagramming tool, or answer our embedded questionnaires to define your application architecture. Or use IaC to import code from Terraform, Visio or CloudFormation.
Generate your threat model in minutes:
Based on your diagram, code or questionnaire answers, IriusRisk uses its built-in security standards libraries to generate a list of the threats to the various components within your application. All of the threats are already linked to their appropriate countermeasures - so it can tell you instantly what you need to do to fix the problems.
Assess your threats and countermeasures:
Instantly see real-time threat scores on your applications' threat models, and quickly generate reports. Review this output and choose to accept or reject a countermeasure, based on the level of risk it presents to your business. The established countermeasures are then synced with your development team's issue tracker, such as Jira Cloud and Server, ServiceNow, Microsoft TFS, and Azure DevOps.
Your living, real-time threat model:
The two-way sync between IriusRisk and your issue tracker will enable an always-on, real-time view of your progress and the risk ratings associated with your app. Developers get countermeasures inserted directly into their workflow without ever needing to leave the IriusRisk platform.
Contextualized Rules Engine
Our rules engine is based on the JBoss Drools Inference Engine and has predefined automations that help users identify additional scope for the threat models. Rules are based on different actions that can be triggered from various conditions. These can help organizations identify what's most important or help minimize mitigation efforts.
Through preconfigured questionnaires, threat models can be assigned attributes to help associate applicable threats, weaknesses and countermeasures. Does your application deal with payments? We can help identify specific controls that are applicable to PCI-DSS. The rules engine can be customized further to help refine what is actually at risk by marking countermeasures as implemented through rules-based logic. Does your application utilize specific internal standards? We can help mark those controls as completed to help minimize scope.
The 4 fundamental questions of Threat Modeling
Watch the video below to see how the IriusRisk Threat Modeling platform implements the 4 questions.