Microsoft Threat Modeling Tool: New features and download

The first iteration of Microsoft Threat Modeling Tool was rolled out in 2011. Back then, the program known as Security Development Lifecycle or plainly SDL Threat Modelling Tool permitted non-security subject matter experts to create and analyze threat models by

  1. Communicating about the security design of their systems
  2. Analyzing those design for potential security issues using a proven methodology
  3. Suggesting and managing mitigations for security issues

The tool however suffered from some errors and had certain foreseen limitations. This realization prompted Microsoft to come up with an updated version of the tool based on customer feedback and suggestions for improvements.

Microsoft Threat Modeling Tool

Microsoft Threat Modeling Tool

Thus, the latest version of the free Security Development Lifecycle Threat Modeling Tool includes a new drawing surface that no longer requires Microsoft Visio to build data flow diagrams.

Secondly, the update also includes the ability to migrate earlier, existing threat models built with version 3.1.8 to the new format. Users of the threat modelling tool can simply upload existing custom-built threat definitions into the tool.

Apart from the features outlined above, the Microsoft Threat Modeling Tool includes enhancements made to its visualization capabilities, customization features older models and threat definitions, as well as a change to it generates threats.

New Drawing Surface

The new release provides a simplified workflow for building a threat model and help remove existing dependencies. Microsoft explains users will get intuitive user interface with easy navigation for creating threat models.

STRIDE per Interaction

One of the major improvements for this release is a change in approach of how people generate threats. Microsoft Threat Modelling Tool 2014 uses STRIDE per interaction for threat generation. Versions of the tool in the earlier past used STRIDE per element.

Migration for v3 Models

Microsoft Security Development Lifecycle or SDL Threat Modelling Tool makes it easier for users to update older threat models. How? You can migrate threat models built with Threat Modelling Tool v3.1.8 to the format in Microsoft Threat Modelling Tool 2014

Update Threat Definitions

Different customizing options are available to the users! Microsoft claims it offers the flexibility to customize the tool according to their specific domain. People can extend the included threat definitions with ones of their own after authoring the provided XML format. For details on adding your own threats, Microsoft suggests going through the Threat Modelling tool SDK.

Microsoft Threat Modelling Tool 2014 comes with a base set of threat definitions using STRIDE categories. This set includes only suggested threat definitions and mitigations which are automatically generated to show potential security vulnerabilities for your data flow diagram. You should analyze your threat model with your team to ensure you have addressed all potential security pitfalls, blogged Emil Karafezov, program manager on the Secure Development Tools and Policies team at Microsoft.

For more information, visit MSDN Blogs. You can download the Microsoft Threat Modeling Tool 2016 here.

Posted by on , in Category Security with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.