Use the toolbar to manage your threat models.
Saving Your Model
To save your Threat Model, click the Save icon on the toolbar.
A model can be saved to your library by choosing one of the available visibility groups.
You can save your model directly to Jira and Azure Boards by clicking the Summary icon and selecting the Save to Jira or Save to Azure Boards button. Find further information here.
Update Your Model Name
After saving your model, its name will appear in the toolbar. You can click on it to rename or update the model's name as needed.
Sharing Your Model
To share a model, click the Share icon on the toolbar. A model can be shared via a link, and access through that link is scoped by the selected visibility group.
Visibility Groups
- Private: The model is accessible only to its owner. When this level is selected, it’s not possible to share a model by link.
- Team: The model is accessible to members of your SecureFlag team.
- Organization: The model is accessible to all users within your SecureFlag organization.
You can control whether other users can make changes by toggling the Allow Editing switch. If the switch is set to Owner Only, other users can view the model but cannot modify it. However, they can save a copy and make independent edits while preserving the integrity of the original model.
Collaborators
You can add collaborators to your model by entering their email addresses in the designated text box and clicking Update Settings. Collaborators will have full read-and-write access to the model irrespective of the selected Visibility Group.
Note: Organization Admins and Team Managers have read and write access to all models created by users in their organizations and managed teams.
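The visibility group, the Allow Editing switch, the collaborator list and the admin/manager note above combine into one effective permission per user. The sketch below is an added example, not SecureFlag code: it encodes those rules as written so you can review who ends up with write access to a model. The `User` and `Model` types, single-team membership and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:  # hypothetical type, not a SecureFlag API
    email: str
    org: str
    team: str  # assumption: one team per user
    is_org_admin: bool = False
    manages_teams: frozenset = frozenset()

@dataclass
class Model:  # hypothetical type
    owner: User
    visibility: str  # "private", "team" or "organization"
    owner_only_editing: bool = True  # Allow Editing set to Owner Only
    collaborators: set = field(default_factory=set)  # email addresses

def effective_access(user, model):
    """Return "write", "read" or "none" for user on model."""
    owner = model.owner
    # Owner and collaborators: read/write irrespective of visibility group.
    if user.email == owner.email or user.email in model.collaborators:
        return "write"
    # Org Admins / Team Managers: read/write on models in their org / teams.
    same_org = user.org == owner.org
    if same_org and (user.is_org_admin or owner.team in user.manages_teams):
        return "write"
    # Everyone else is limited by the visibility group; "private" matches no one.
    in_group = same_org and (
        model.visibility == "organization"
        or (model.visibility == "team" and user.team == owner.team))
    if not in_group:
        return "none"
    return "read" if model.owner_only_editing else "write"

def writers(model, users):
    """Emails of every user who can modify the model, for an access review."""
    return sorted(u.email for u in users if effective_access(u, model) == "write")

# Constructed sample data.
alice = User("alice@acme.example", "acme", "blue")
bob = User("bob@acme.example", "acme", "blue")
carol = User("carol@acme.example", "acme", "red")
dave = User("dave@acme.example", "acme", "green")
erin = User("erin@acme.example", "acme", "red", is_org_admin=True)
frank = User("frank@acme.example", "acme", "red", manages_teams=frozenset({"blue"}))
mallory = User("mallory@globex.example", "globex", "ops")
USERS = [alice, bob, carol, dave, erin, frank, mallory]
private_model = Model(alice, "private", collaborators={"dave@acme.example"})
```

Calling `writers(private_model, USERS)` shows that a Private model can still be writable by collaborators, the Organization Admin and the owner's Team Manager, which is worth checking before storing sensitive design details in a model.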
Save a Copy
If a model has been shared with you through a link and edits are not allowed by the owner, you can still save a personal copy of the model. Click the Save icon, then select Save Copy.
When the model owner sets editing permissions to Everyone in Visibility Group, all group members can make changes. In this case, you can choose to either save a personal copy or update the shared model directly.
Note: The above modal window does not apply to Organization Admins and Team Managers. They will be able to save changes directly to the original model.
Watchers
The model’s owner and all collaborators are automatically added as watchers and will receive email updates about changes. If you click on the List Watchers icon, it will open a modal window where the users watching the model are listed.
If a model has been shared with you and you are not a collaborator, you can subscribe to receive notifications about changes to the model made by other users. You can toggle the switch to Watching to receive email notifications for updates.
Note: Watchers will receive an email notification if there’s a change to the model, but only if they haven’t been notified in the past hour, ensuring they aren’t alerted for every minor edit.
Model Revisions
Once a model is saved, you can view its revision history by clicking the Revisions icon.
- To open a revision, click Open Revision.
- ThreatCanvas automatically generates a summary of changes from the previous version. Click View Changes to see a concise summary of updates.
Model Settings
You can edit the threat model’s configuration by clicking the Settings icon.
- Model Description: Enter a description for your model in the Description text box.
- Project Type: Select the appropriate project type—Application, System, or Feature.
- Risk Template: Choose a Risk Template for your model from the Risk Template dropdown menu.
- Risk Modifiers: Adjust the overall risk level by toggling modifiers that represent properties of the system you are modeling:
  - Payment Data: the feature/system processes personal information (PII).
  - Personal Data: the feature/system processes payment information.
  - Health Data: the feature/system processes health data.
  - Mission Critical: the availability of the feature/system is considered mission critical.
  - Internet-facing: the feature/system is exposed to the internet.
Each selection will reflect on the model's overall risk score.
Model Summary and Sharing to Jira or Azure Boards
Click the Summary icon to access the model’s report. The summary includes:
- The model’s diagram
- A list of all Open and Mitigated Risks
- A breakdown of risks by individual node
- A Reference with a description of each Threat and Control included in the model.
Residual Risk
This section summarises all unmitigated risks along with the affected node and risk rating.
Node Analysis
This section provides a detailed breakdown of each node, including:
- Component and Trust Boundary
- Risk Rating and Mitigation Status
- Applicable controls with implementation status
Display Options
Customize your view by toggling options to hide Scenarios, Open Risks, Closed Risks, or References. The Risk Threshold dropdown reports only on issues equal to or greater than a specified risk severity.
Save to Jira and Azure Boards
You can save your model directly to Jira and Azure DevOps Boards by clicking the Save to Jira or Save to Azure Boards button.
Save to Jira
Clicking the Save to Jira button opens a modal window. In the window, select the Jira issue to which you want to save your model.
Save Threat Model Tab:
After selecting an issue, you'll be prompted to choose what to save to the Jira issue, such as:
- Link
- PDF Report
- JSON File
Save to Azure DevOps Boards
Clicking the Save to Azure Boards button opens a modal window where you can select the Azure project to save your model.
Choose the project name from the dropdown menu and click the Select Azure Boards Project button.
After selecting the Azure Boards project:
- A list of Work Items will be displayed.
- Toggle the Work Items w/o Parent switch to Show All to view all issues and tasks.
- From the list, click the Select button to save your model to the desired Work Item.
Save Threat Model Tab:
After selecting an issue, you'll be prompted to choose what to save in the Azure Boards Work Item, such as:
- Link
- PDF Report
- JSON File
Note: to include a Link in the Azure Boards Work Item, the Threat Model needs to be saved in the user’s library.
Create Child Issues Tab:
You can create child issues for identified threats to assign them to team members, enhance visibility, or improve tracking.
- Click the Create Child Issue tab to view a list of open threats.
- Use the checkboxes to select the threats you want to create as child issues under the main Azure Work Item.
- Edit the Summary text to set the title of the child issue.
- Modify the Description as needed. The description includes:
  - Details about the threat
  - Affected nodes within the model
  - Risk rating
  - Rationale and controls associated with each node
Generate a PDF Report
You can generate a PDF report of the model from the summary window by clicking the Download button.
In the bottom-left corner of the Summary modal, you will find:
- Four toggle switches for different sections of the report: Scenarios, Open Risks, Closed Risks, and References.
- A Risk Threshold dropdown to filter threats based on their risk level, with options for High, Moderate, Low, and Unspecified.
These options allow you to customize the report:
- Toggle on to include their respective sections in the report.
- Toggle off to exclude those sections from the PDF report.
- Optionally, use the Risk Threshold dropdown to filter risks, ensuring the report only includes risks matching the selected level.
Alternatively, you can save the report directly to Jira or Azure Boards by selecting the respective buttons in the bottom-right corner.
Accessing ThreatCanvas Through Jira and Azure DevOps
ThreatCanvas can be accessed through Jira and Azure DevOps Boards via plugin integrations.
Pre-requisite: Your organization must have the ThreatCanvas plugin installed in your Jira or Azure Boards instance.
- Install ThreatCanvas for Jira Cloud.
- Install ThreatCanvas for Jira Data Center.
- Install ThreatCanvas for Azure DevOps Boards.
Accessing through Jira
You can launch ThreatCanvas directly from Jira:
- Navigate to your Jira dashboard.
- Head over to a project with tasks/issues.
- Click on a task/issue, and the ThreatCanvas plugin will pop up on the right.
- Select the Launch button to open ThreatCanvas, and use the description of the task/issue as your first prompt to create the model.
Accessing through Azure DevOps Boards
You can launch ThreatCanvas directly from Azure:
- Navigate to the Azure DevOps dashboard.
- Select Boards from the left-hand menu.
- Click Work Items and locate the desired task in the Work Items column.
- Select the task, go to the ThreatCanvas tab, and click the Launch button to open ThreatCanvas.
After generating a threat model and performing your analysis of threats and controls, you can request a review from threat modeling experts in your organization by clicking the Review icon.
- Draft your request in the provided text box.
- Submit your request by clicking the Request Review button.
- Feedback and comments from your organization will appear below.
- New Model: Create a new model.
- My Models: See a list of models created by you or shared with you as a collaborator.
- Import JSON Model: Load a model by importing a JSON file.
- Export JSON Model: Export a model as a JSON file.
- Delete: Delete the current model.
- Undo: Undo the last change made.
- Redo: Redo the last change made.
Help
Click the Help icon if you need assistance while using ThreatCanvas.
The help page provides support for challenges you may encounter while creating a model.
- Click the Start Tour button to begin a guided tour that walks you through ThreatCanvas.