Risky Business: Choosing the Best Threat Analysis Tool

In today’s cybersecurity landscape, threat modeling tools play a crucial role in identifying and mitigating cybersecurity threats early in the software development lifecycle (SDLC). Whether you’re working on medical device cybersecurity (FDA, AAMI TIR57), automotive cybersecurity (ISO/SAE 21434), or industrial security (IEC 62443), choosing the right tool can streamline cybersecurity risk management and support compliance with industry standards.
In all of these domains, manufacturers are expected to carry out threat analysis regularly to determine which threats apply to their products. Such an analysis is time-consuming and requires experienced people, and even the best threat analysis is of no use unless it leads to mitigations for the threats it identifies.
Several tools now exist to help organizations identify threats, mitigate risks, and demonstrate the compliance of automotive systems and medical devices with industry standards. In this blog, we compare three popular threat modeling tools: IriusRisk, Microsoft Threat Modeling Tool (TMT) and OWASP Threat Dragon. We look at their features and strengths and at how they fit your team’s objectives and skills, to help you select the best option for your organization’s threat modeling needs.
IriusRisk is an enterprise-level threat modeling tool that automates security-by-design principles. It uses a rule-based threat engine on top of an extensive threat and control database, and users can also define their own threat libraries. IriusRisk is compliance-driven and supports frameworks and standards such as ISO 27001, the NIST frameworks, OWASP ASVS and IEC 62443. It also supports STRIDE, the methodology described in the Playbook for Threat Modeling Medical Devices that MITRE and MDIC published with FDA funding.
A big advantage of IriusRisk is that it can be used by people who are not cybersecurity experts, because it assigns risk scores to threats and suggests countermeasures. The assigned scores still have to be reviewed against the company’s risk policy, but the initial scoring helps to prioritize threats effectively. IriusRisk generates the threat list and reports from the diagram automatically, which makes it easier for teams to communicate risks to stakeholders.
IriusRisk can be integrated into DevSecOps pipelines and tools such as Jira, Jenkins and GitHub, so the security analysis starts early in development without adding much overhead.
IriusRisk is a commercial tool with enterprise pricing, but a free Community Edition is available that already provides much of the useful functionality.
Microsoft Threat Modeling Tool (TMT) is a free, STRIDE-based desktop tool designed to help developers and security teams identify, analyze and mitigate threats during the software design phase. It ships with predefined, template-based threat libraries (the default SDL template can be customized) that flag common threat patterns.
As with IriusRisk, the threat analysis is based on data flow diagrams (DFDs). Diagrams are quick to create because the Microsoft Threat Modeling Tool provides drag-and-drop elements (external entities, processes, data stores, data flows and trust boundaries). From the DFD, the tool generates threats per interaction according to the STRIDE model: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.
Each generated threat is mapped to the affected system component (the interaction between two elements) and comes with mitigation recommendations. This helps the security risk team to prioritize the threats.
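To make concrete what “generating threats from a DFD” means, here is an added example (not code from Microsoft TMT, IriusRisk or Threat Dragon) that applies the classic STRIDE-per-element rule table from the Microsoft SDL to a small constructed data-flow diagram. The DFD itself, the mitigation texts, the priority scheme and the rule that only data flows crossing a trust boundary are in scope are assumptions made for the example; the `unmitigated` check sketches the kind of gate a team can enforce in a pipeline once the model is kept in the repository as a file.

```python
"""STRIDE-per-element threat generation over a small data-flow diagram.

Added example, not a tool's own code. The element-to-category table is the
classic Microsoft SDL STRIDE-per-element mapping; the DFD, mitigation hints,
priorities and the boundary-crossing pruning rule are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to which kind of DFD element.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Generic mitigation hints per category (constructed; real tools ship a far
# richer, element-specific control library).
MITIGATIONS = {
    "S": "Authenticate the principal (e.g. mutual TLS or signed tokens).",
    "T": "Protect integrity (signatures/MACs, strict input validation).",
    "R": "Keep tamper-evident audit logs with trustworthy timestamps.",
    "I": "Encrypt in transit and at rest; enforce least-privilege access.",
    "D": "Rate-limit, bound resource use, fail safe under overload.",
    "E": "Check authorization on every request; run with minimal privileges.",
}


@dataclass(frozen=True)
class Node:
    name: str
    kind: str   # "external_entity", "process" or "data_store"
    zone: str   # trust zone; a flow between two zones crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    component: str
    category: str
    priority: str   # "high" when exposed across a trust boundary, else "medium"
    mitigation: str


def crosses_boundary(flow: Flow, nodes: Dict[str, Node]) -> bool:
    for end in (flow.src, flow.dst):
        if end not in nodes:
            raise ValueError(f"flow {flow.name!r} references unknown node {end!r}")
    return nodes[flow.src].zone != nodes[flow.dst].zone


def generate_threats(nodes: Dict[str, Node], flows: List[Flow]) -> List[Threat]:
    """Enumerate candidate threats for every in-scope element of the DFD."""
    threats: List[Threat] = []
    exposed = set()  # nodes touched by a boundary-crossing flow
    for f in flows:
        if not crosses_boundary(f, nodes):
            continue  # pruning rule (assumption): flows inside one zone are out of scope
        exposed.update((f.src, f.dst))
        for code in APPLICABLE["data_flow"]:
            threats.append(Threat(f"{f.name} ({f.src} -> {f.dst})",
                                  STRIDE[code], "high", MITIGATIONS[code]))
    for n in nodes.values():
        if n.kind not in ("external_entity", "process", "data_store"):
            raise ValueError(f"node {n.name!r} has unsupported kind {n.kind!r}")
        priority = "high" if n.name in exposed else "medium"
        for code in APPLICABLE[n.kind]:
            threats.append(Threat(n.name, STRIDE[code], priority, MITIGATIONS[code]))
    return threats


def unmitigated(threats: List[Threat], decisions: Dict[Tuple[str, str], str]) -> List[Threat]:
    """Threats with no recorded mitigation or accepted-risk decision - the kind
    of check a CI job can run against a model file committed next to the code."""
    return [t for t in threats if not decisions.get((t.component, t.category))]


def build_sample_model() -> Tuple[Dict[str, Node], List[Flow]]:
    """Constructed DFD: a clinician app on the hospital network sends dosage
    commands to a device API, which reads and writes a local record store."""
    nodes = {
        "Clinician app": Node("Clinician app", "external_entity", "hospital network"),
        "Device API": Node("Device API", "process", "device"),
        "Patient records": Node("Patient records", "data_store", "device"),
    }
    flows = [
        Flow("Dosage command", "Clinician app", "Device API"),   # crosses a boundary
        Flow("Record access", "Device API", "Patient records"),  # stays inside the device
    ]
    return nodes, flows


if __name__ == "__main__":
    for t in generate_threats(*build_sample_model()):
        print(f"[{t.priority:6}] {t.component:44} {t.category:22} -> {t.mitigation}")
```

Running the block lists fifteen candidate threats for the sample: three on the boundary-crossing flow, two on the external entity, six on the process and four on the data store, while the device-internal flow produces none. Whether each candidate is real, and what the mitigation actually looks like for this product, is still the team’s call; the tool only guarantees that nothing in the table was forgotten.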
One limitation of the Microsoft TMT is that it only supports the STRIDE method. It also does not compute a risk score; each threat only carries a priority (high, medium, low) that the team sets by hand, so the tool itself gives no indication of how risky a threat is.
Microsoft Threat Modeling Tool cannot be integrated into CI/CD pipelines, as no DevSecOps integration is available. It is a Windows-only desktop application that stores each model in a .tm7 file (an XML format); these files can be put under version control, but nothing consumes them in a pipeline out of the box.
An open-source alternative that supports the identification, analysis and mitigation of threats is OWASP Threat Dragon. Similar to TMT, OWASP Threat Dragon analyses data flow diagrams against the STRIDE methodology (LINDDUN and CIA are offered as alternative methodologies). For each threat it records the affected component, the STRIDE category and a suggested mitigation strategy.
OWASP Threat Dragon is not meant to relieve its user of the responsibility for the threat analysis. It should be understood as a supporting tool and will not produce a complete threat analysis, including mitigations, on its own.
OWASP Threat Dragon is available as a web application or as a cross-platform desktop application. Models are stored as JSON files, so they can be kept in the product repository next to the code, and the web application can read and write models directly in a GitHub repository, which lets changes to the model be reviewed like any other change.
Regardless of the individual advantages and disadvantages of these threat modeling tools, the aim is to find the tool that best fits the team’s knowledge and preferences. The selected tool has to be validated before it is used, because it has a critical influence on product quality and safety (see our blog article ISO 13485: Software Tool Validation).
By Verena Wieser, Medical Device Consultant
If you would like to join one of our cybersecurity training courses, take a look at our training courses for safety-relevant standards or if you are looking for consultancy support, please do not hesitate to contact us at info@lorit-consultancy.com or via contact form.