AI-Powered Threat Modeling for Infrastructure as Code

Scan your Terraform, CloudFormation, Docker, and Helm configurations to identify security threats before they reach production. STRIDE-based analysis with 90+ built-in policies and optional AI-powered remediation.


Why ThreatMitigator?

Comprehensive threat detection from infrastructure to application code

Blazing Fast

Parallel Rego evaluation with near-linear scaling. 1,000 resources in under 1.5 seconds.

90+ Policies

Built-in STRIDE detection rules across all six categories. Write your own with Rego.

Privacy-First

Your code never leaves your machine. AI features only send redacted threat metadata.

Multi-Format

Terraform, CloudFormation, Docker, Helm. AWS, Azure, GCP, OCI, Alibaba Cloud.

Enterprise-Grade Threat Detection

Comprehensive security analysis powered by STRIDE, Rego, and optional AI

Core Feature

STRIDE-Based Detection

Automatically analyze infrastructure code against the STRIDE threat modeling framework. 90+ built-in policies covering Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Also supports PASTA, LINDDUN, and VAST frameworks.

  • 6 STRIDE categories
  • 90+ built-in policies
  • Multi-framework support
  • Custom Rego policies
Core Engine

Rego Policy Engine

Industry-standard Rego policy language from Open Policy Agent, powered by Microsoft's Regorus runtime in Rust. 4x faster than the legacy YAML engine, with parallel evaluation. Write custom policies without recompiling.

  • OPA Rego language
  • Parallel evaluation
  • Custom policies
  • Built-in helpers
Compatibility

IaC Support

Full support for Terraform (HCL 2 parsing, module resolution, variable interpolation), CloudFormation, Docker/Compose, and Helm charts. Multi-cloud coverage across AWS, Azure, GCP, OCI, and Alibaba Cloud.

  • Terraform & CloudFormation
  • Docker & Helm
  • Multi-cloud
  • Module resolution
Intelligence

AI-Powered Remediation

Optionally connect your own LLM for context-aware remediation guidance. Supports OpenAI, Anthropic Claude, and local Ollama models. Your code never reaches AI providers—only redacted threat metadata.

  • GPT-4o & Claude
  • Local Ollama support
  • Privacy-first design
  • Interactive queries
Code Analysis

Discovery & Data Flow Diagrams

Scan application source code to automatically detect network connections and generate Data Flow Diagrams. Identifies connections across HTTP, databases, gRPC, message queues, cloud SDKs, and more.

  • 10 connection categories
  • Security annotations
  • DFD generation
  • Python, Go & Rust
DevSecOps

CI/CD Integration

Severity-based exit codes for pipeline gating, CI-optimized check-drift command, and SARIF output for GitHub Advanced Security. Works with GitHub Actions, GitLab CI, Jenkins, and more.

  • Severity exit codes
  • SARIF output
  • Drift detection
  • Any CI system

How It Works

From initialization to continuous monitoring in five simple steps

1. Initialize: set up threat tracking in your repository.
   threatmitigator init

2. Scan: analyze IaC and source code for threats.
   threatmitigator scan terraform ./infra

3. Review: examine threats with severity ratings.

4. Remediate: get AI-powered fix guidance (optional).
   threatmitigator query

5. Track: monitor drift and track threat lifecycle.
   threatmitigator check-drift

Flexible Output Formats

Export results in the format that fits your workflow

JSON & YAML

Machine-readable for CI/CD pipelines and automation. YAML with git-friendly diffs.

SARIF

GitHub Advanced Security integration, IDE support, and tool interoperability.

PDF Reports

Executive summaries with charts, custom branding, and AI-enhanced remediation.

Markdown

Documentation-ready reports for pull request comments and wikis.

Table

Terminal summary for quick review during development.


Delta reports, compliance documentation, and custom branding options.

Extend with Plugins

Custom threat detection, organization-specific policies, and external tool integration

Any Language

Write plugins in any language using JSON-RPC 2.0 over stdin/stdout.

Auto-Discovery

Plugins auto-detected from PATH as threatmitigator-plugin-* executables.

Sandboxed

Memory limits, timeouts, and OS-level sandboxing (seccompiler/win32job).

Failure Isolation

One plugin crash doesn't affect others. Core scanning always continues.
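The "Any Language" and "Failure Isolation" points above describe a plugin contract (JSON-RPC 2.0 over stdin/stdout) without showing one. The following is an added example plugin skeleton in Python, not code from the ThreatMitigator project: it assumes newline-delimited JSON-RPC requests on stdin, and the method names (plugin.info, plugin.analyze) and the shape of the params and results are invented for illustration. What it demonstrates is the defensive side of such a plugin: every malformed request, unknown method, bad parameter set or handler exception becomes a well-formed JSON-RPC error response instead of a crash, so the host's failure isolation is never the only thing keeping the scan alive.

```python
import json
import sys
from typing import Optional

# Plugin self-description; field names are assumptions for this example.
PLUGIN_INFO = {"name": "example-plugin", "version": "0.1.0", "frameworks": ["STRIDE"]}

# Standard JSON-RPC 2.0 error codes.
PARSE_ERROR, INVALID_REQUEST, METHOD_NOT_FOUND, INVALID_PARAMS, INTERNAL_ERROR = (
    -32700, -32600, -32601, -32602, -32603)


def handle_info(params):
    return PLUGIN_INFO


def handle_analyze(params):
    # Hypothetical check: flag any resource whose attributes mark it as publicly readable.
    if not isinstance(params, dict) or not isinstance(params.get("resources"), list):
        raise ValueError("params.resources must be a list")
    threats = []
    for res in params["resources"]:
        attrs = res.get("attributes", {}) if isinstance(res, dict) else {}
        if attrs.get("acl") == "public-read" or attrs.get("public") is True:
            threats.append({
                "category": "Information Disclosure",
                "severity": "high",
                "resource": res.get("name", "<unknown>"),
                "message": "resource is publicly readable",
            })
    return {"threats": threats}


METHODS = {"plugin.info": handle_info, "plugin.analyze": handle_analyze}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_line(line: str) -> Optional[dict]:
    """Process one JSON-RPC 2.0 request line; return the response, or None for notifications."""
    try:
        req = json.loads(line)
    except json.JSONDecodeError:
        return _error(None, PARSE_ERROR, "parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or "method" not in req:
        bad_id = req.get("id") if isinstance(req, dict) else None
        return _error(bad_id, INVALID_REQUEST, "invalid request")
    req_id = req.get("id")
    is_notification = "id" not in req  # notifications never get a response
    handler = METHODS.get(req["method"])
    if handler is None:
        return None if is_notification else _error(req_id, METHOD_NOT_FOUND, "method not found")
    try:
        result = handler(req.get("params"))
    except ValueError as exc:
        return None if is_notification else _error(req_id, INVALID_PARAMS, str(exc))
    except Exception as exc:  # a handler bug must not take down the request loop
        return None if is_notification else _error(
            req_id, INTERNAL_ERROR, f"internal error: {type(exc).__name__}")
    if is_notification:
        return None
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def serve(inp=sys.stdin, out=sys.stdout):
    """Read requests line by line from stdin and write responses to stdout."""
    for line in inp:
        line = line.strip()
        if not line:
            continue
        resp = handle_line(line)
        if resp is not None:
            out.write(json.dumps(resp) + "\n")
            out.flush()


if __name__ == "__main__":
    serve()
```

Keeping all protocol handling in handle_line makes the plugin testable without a host: feed it request strings and check the responses. Only the result of each call is written to stdout; diagnostics belong on stderr so they never corrupt the RPC stream.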

Security & Privacy First

Your infrastructure data stays under your control

Local-First Architecture

All analysis runs locally. Zero external network calls in default mode. Your code never leaves your machine.

Bring Your Own LLM

AI features use your API keys with your chosen provider. Only redacted threat metadata is sent—never source code, resource names, or IP addresses.
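The "Privacy-First" and "Bring Your Own LLM" passages both promise that only redacted threat metadata reaches an external model. The following added example (written for this page, not ThreatMitigator's own redaction code) shows what such a step looks like: it takes a constructed finding whose field names are assumptions, keeps only an allowlist of fields that describe the class of threat, scrubs resource names and IPv4 addresses from the free-text message, drops the source snippet and file location entirely, and finishes with a leak check so that any regression in the redaction fails closed before the payload is sent.

```python
import ipaddress
import json
import re

# Constructed sample finding; the field names are assumptions for this example,
# not ThreatMitigator's output schema.
SAMPLE_FINDING = {
    "policy_id": "STRIDE-ID-001",
    "category": "Information Disclosure",
    "severity": "high",
    "resource_type": "aws_s3_bucket",
    "resource_name": "payroll-prod-bucket",
    "file": "infra/storage.tf",
    "line": 42,
    "message": "Bucket payroll-prod-bucket allows public ACL; origin 203.0.113.17 flagged",
    "snippet": 'resource "aws_s3_bucket" "payroll-prod-bucket" { acl = "public-read" }',
}

# Allowlist: fields that describe the threat class, not the environment it was found in.
# Everything not listed here (file, line, snippet, resource_name) is dropped outright.
ALLOWED_FIELDS = ("policy_id", "category", "severity", "resource_type")

# Candidate IPv4 literals; each match is validated with ipaddress before redaction,
# so version-like strings such as 999.1.2.3 are left alone. IPv6 is out of scope here.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_text(text: str, names) -> str:
    """Replace known resource names and valid IPv4 addresses with placeholders."""
    # Longest names first so a name that contains another is replaced whole.
    for name in sorted((n for n in names if n), key=len, reverse=True):
        text = text.replace(name, "<resource>")

    def _ip(match):
        try:
            ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)
        return "<ip>"

    return IPV4_RE.sub(_ip, text)


def redact_finding(finding: dict) -> dict:
    """Build the metadata-only view of a finding that may leave the machine."""
    names = [finding.get("resource_name", "")]
    out = {k: finding[k] for k in ALLOWED_FIELDS if k in finding}
    out["message"] = redact_text(finding.get("message", ""), names)
    return out


def contains_leak(redacted: dict, finding: dict) -> bool:
    """True if any resource name or IPv4 address from the original survives in the payload."""
    payload = json.dumps(redacted)
    name = finding.get("resource_name")
    if name and name in payload:
        return True
    for match in IPV4_RE.finditer(json.dumps(finding)):
        if match.group(0) in payload:
            return True
    return False


def prepare_for_llm(finding: dict) -> str:
    """Serialize the redacted finding, refusing to produce a payload that leaks."""
    redacted = redact_finding(finding)
    if contains_leak(redacted, finding):
        raise RuntimeError("redaction failed; refusing to send finding")
    return json.dumps(redacted, sort_keys=True)


if __name__ == "__main__":
    print(prepare_for_llm(SAMPLE_FINDING))
```

An allowlist beats a denylist here: new fields added to the finding schema later stay local by default instead of silently flowing to the provider, and the leak check turns a redaction bug into a hard failure rather than a quiet disclosure.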

Built-in Hardening

DoS protection limits, input validation, path traversal protection, secret redaction, and secure file permissions (0600) by default.

Security Presets

Pre-configured profiles for default, testing, and CI/CD environments. All limits configurable to match your requirements.

Ready to Secure Your Infrastructure?

Join teams already using ThreatMitigator to identify security threats in their Terraform, CloudFormation, Docker, and Helm configurations.