Admin Guide to Managing ThreatCanvas

As an administrator or content creator, you have access to two key sections in the platform's management portal related to ThreatCanvas:
  1. Threat Models
  2. TM Library

These sections allow you to manage saved models, approve new models, create risk templates, and define custom threats and controls.

You can find the Threat Models and TM Library tabs in the management interface. Each section provides specific tools to streamline your tasks:

  1. Threat Models
    1. Approve pending models for use within the platform.
    2. Review and manage saved threat models.
  2. TM Library
    1. Define and manage custom threats and controls to address unique security requirements.
    2. Create and customize risk templates tailored to your organization’s needs.



Approving Pending Models

To review and approve pending threat models, follow these steps:

Step 1 - Navigate to the Threat Models Tab

Open the Threat Models tab from the Management UI on the platform. You will see a list of submitted threat models awaiting approval.



Step 2 - Review Model Information

The list provides key details for each model, including:
  1. Model ID
  2. Name of the Model
  3. Submitting User
  4. User’s Team
  5. Approval Status
  6. Model Visibility
  7. Risk score (on a scale of 1 to 5)



Step 3 - View Model Details

Click the Details button next to a model to access its details. This includes:
  1. Comprehensive risk assessment for the model
  2. Threat risk assessments
  3. An option to launch the diagram in ThreatCanvas for an in-depth visual review.


Step 4 - Workflow Actions

In the details section, navigate to the Review Workflow section to:
  1. Approve the Model: Finalize approval for use.
  2. Request Changes: Send feedback or change requests to the submitting user.
  3. View Review History: Check the model’s review and approval history.



Step 5 - Review Risks

At the end of the details section, you have the option to evaluate both Open Risks and Closed Risks:
  1. Open Risks are sorted by residual risk priority, from high to low. Click a risk to view:
    1. Detailed risk information
    2. Recommended controls
    3. Notes and rationale supporting the recommendations.
  2. Closed Risks display resolved issues for reference and tracking.



Reviewing Saved Models

Follow these steps to review saved threat models on the platform:

Step 1 - Navigate to the Threat Models Tab

Open the Threat Models tab in the Management UI. Below the Pending ThreatCanvas Models section, you’ll find Saved ThreatCanvas Models, which displays a table of saved threat models.



Step 2 - Search and Filter Models

Use the search options above the table to find specific models quickly. You can search by:
  1. Model ID
  2. Model Name
  3. Submitting User
  4. User’s Team
  5. Organization
  6. Project



Step 3 - Review Table Information

The table provides the following details for each saved model:
  1. Model ID
  2. Model Name
  3. Submitting User
  4. User’s Team
  5. Model Status
  6. Project the Model Is Associated With
  7. Model Visibility
  8. Risk Score (on a scale of 1 to 5)



Step 4 - View Model Details

Click the Details button next to a model to access its full details, including:
  1. Comprehensive risk assessment for the model
  2. Threat risk assessments
  3. An option to launch the diagram in ThreatCanvas for a visual review



Step 5 - Review Risks

At the end of the details section, evaluate both Open Risks and Closed Risks:
  1. Open Risks: Sorted by residual risk priority (high to low). Click on a risk to view:
    1. Detailed risk information
    2. Recommended controls
    3. Notes and rationale supporting the recommendations
  2. Closed Risks: View resolved issues for tracking and reference.



Custom Threats & Controls

With ThreatCanvas, you can create custom threats and controls for your organization's Threat Model Library.

This feature allows you to:
  1. Tailor threats and controls to meet your organization’s specific needs.
  2. Use them as a reference across teams.

Step 1 - Navigate to the Threat Model Library

  1. Go to the TM Library tab in the Management Portal.
  2. Select Add Threat/Control to begin creating your custom entry.



Step 2 - Add Information to Your Custom Threat or Control

  1. Enter the required details, including:
    1. Threat/Control Name
    2. Type (Threat or Control)
    3. Risk Level
    4. Description for additional context.
  2. Click Add Entry to save your custom threat or control.



Note: If you select Threat from the Type dropdown, you can choose the applicable controls for the threat, which enables you to effectively mitigate the threat.



Step 3 - View Your Custom Threat or Control

Once your entry is saved, it will be listed in the Threat Model Library for future reference and use.



Archiving Custom Threats & Controls

  1. To archive a custom Threat/Control, click the Archive button.
  2. Confirm the action in the modal window, then click Archive again to finalize.

Step 4 - Add Your Custom Threats and Controls to Models

After creating your custom entries, you can incorporate them into your threat models. This ensures synchronization and alignment across your organization’s modeling efforts.



Custom Risk Templates

Risk Templates are pre-defined collections of threats and corresponding controls. Each template is tailored to specific compliance standards, application environments, or organizational priorities. ThreatCanvas includes many default Risk Templates, and organizations can create custom risk templates to prioritize specific threats and controls tailored to their unique requirements or compliance needs. Use these templates to standardize threat modeling across your organization with consistent threats and controls.

Step 1 - Navigate to Your Threat Model Library

Go to the TM Library in the management portal and select Risk Templates.



Step 2 - Add or Review Risk Templates

On this screen, you’ll see templates that you have previously created and saved. You can also edit existing custom risk templates or delete them if they are no longer needed.

To create a new template, select Add Risk Template.



Step 3 - Select Threats & Controls

Enter a name for your new template. Choose a name relevant to its context of use.

Select multiple threats and controls to include in the template.

Once finalized, click Add Risk Template to confirm.



Step 4 - Use Your Newly Created Template

After saving, navigate to ThreatCanvas to see the template in action.

For example, the new template My Custom Risk Template will appear alongside other custom and default templates in ThreatCanvas.



Custom Components

Custom components in ThreatCanvas allow organizations to efficiently reuse and maintain consistency across threat models. Admins can save a node as a custom component, enabling users within their organization to reuse it when building models.

For example, if a microservice is used across multiple teams and projects, it does not need to be modeled repeatedly. Instead, it can be saved as a custom component and incorporated into models as needed.

Accessing the Components Library

To view the list of custom components:
  1. Navigate to the TM Library tab in the management interface.
  2. Locate the Components Library, which appears as the second section on the page.

The Components Library includes search functionality to quickly find specific components. You can search by:
  1. Component ID
  2. Component Name
  3. Component Status
  4. Component Owner



Adding a Custom Component

Step 1 - Select a Node

Select the node you wish to save as a custom component from an existing threat model, or manually add a new node from the toolbar, choosing between Entity, Process, Data Store, and Business Logic.

Step 2 - Configure the Node as a Custom Component

After selecting the node type:
  1. Change the Label, which will become the name of the custom component.
  2. Add Notes for clarity and to assist users when reusing the component.
  3. Build a risk profile that includes the relevant Threats, their Risk Rating, Mitigation status, and corresponding Controls with their implementation status.



Step 3 - Save the Component

  1. Click the Save button in the Components section of the Node settings to save the node as a custom component.
  2. The component will be accessible to all users in the organization.



ThreatCanvas will automatically recognize the custom component when referenced in the scenario. Users can also manually apply the saved component by selecting a node in their model, navigating to the Components section in the node settings, clicking the Change button, and choosing the desired custom component.



Components Library

Viewing Usages:

  1. Click the Usages button to open a modal window with the list of Threat Models where the component is being used.
  2. Open any of the listed Threat Models by clicking the Launch in ThreatCanvas button.

Modifying a Component:

To modify a component, navigate to the Components Library, where you can view and update components in ThreatCanvas. Save any changes back to the library.
  1. Click Launch in ThreatCanvas to open the component in ThreatCanvas.
  2. Make changes to the Component, Label, Notes, and Threats from the Node’s Settings in ThreatCanvas.
  3. Save the updates from the Component Section of the Node Settings.

Archiving a Custom Component:

  1. To archive a custom component, click the Archive button.
  2. Confirm the action in the modal window, then click Archive again to finalize.

