SIA New Member Profile: ThreatModeler

ThreatModeler logo

New Security Industry Association (SIA) member ThreatModeler is an automated threat modeling solution that fortifies an enterprise’s software development life cycle by identifying, predicting and defining threats, empowering security and DevOps teams to make proactive security decisions. The company is headquartered in Jersey City, New Jersey, with additional employees and consultants across the United States.

SIA spoke with Archie Agarwal, founder and CEO of ThreatModeler, about the company, the security industry and working with SIA.

Tell us the story of your company.

Archie Agarwal headshot
Archie Agarwal, founder and CEO, ThreatModeler

Archie Agarwal: I founded ThreatModeler on Aug. 1, 2010, in response to the industry need I saw in protecting IT infrastructures. At the time, threat modeling was seen as a secondary practice to encourage brainstorming and flag architecture related issues, but it was mostly a manual and lengthy process. However, only few companies had the resources and money to do this exercise. To address this shortcoming, ThreatModeler launched its first intelligence-based threat engine in 2011 aimed at helping developers incorporate threat modeling into the software development life cycle.

In 2015, ThreatModeler launched a new version of its software that was web-based and aimed at enterprises. This product was primarily focused on providing a more powerful version of threat modeling software than what was being offered for free by the likes of Microsoft. ThreatModeler addressed the shortcomings of these data flow diagrams by focusing on the architecture and enabling enterprises to bring threat modeling capabilities in house and make it scalable.

The ongoing vision for ThreatModeler is to be able to model ALL the threats, automatically, with no security expertise required.

What solutions/services does your business offer in the security industry? And what makes your offerings/company unique?

AA: ThreatModeler is a pioneer in threat modeling for cloud, with automation capabilities delivering instant threat model building functionality, optimizing security-first approaches to DevOps by saving organizations vast amounts of time and facilitating collaboration.

Traditionally, threat modeling was a resource-demanding and tedious process – manual, noncollaborative and primarily only for applications and their data flow. ThreatModeler is a collaborative platform where security experts or nonsecurity professionals alike can build threat models within a few hours or minutes instead of weeks through a completely automated process.

The latest evolution of ThreatModeler’s technology delivers real-time threat modeling capabilities, enabling developers to understand the full scope of their intended IT infrastructure. For the first time ever, DevSecOps teams have full transparency surrounding changes introduced to the threat model on the fly. This simultaneously minimizes risk and ensures sufficient compliance and governance protocols post-infrastruture as code (IaC) deployment.

What is something we might not know about your company – or something new you are doing in security?

AA: ThreatModeler’s collaborative platform enables teams to visualize design flaws in hours or minutes instead of weeks, making threat modeling less resource-intensive and more secure. ThreatModeler has in the past year released two new solutions to support threat modeling – CloudModeler and IaC-Assist. CloudModeler is designed to assist organizations in managing cloud migration, enabling teams to secure cloud infrastructure from design to deployment. IaC-Assist, the latest ThreatModeler plug-in, enables organizations to continuously evaluate their IaC on the fly.

ThreatModeler customers often realize time and resource savings, including:

  • Threat modeling time reduced by 90%+. One of its customers went from building 250 threat models (with reliance on security architects) in a year to 1,000 (implemented as a self-service model).
  • Less resource intensive and requires no meetings or white boarding.
  • Increased threat coverage vs. manual threat modeling by 60%.

Being empowered to more quickly develop a holistic understanding of design flaws facing their system empowers organizations to respond faster to potential threats and bring their solutions to market more quickly and securely.

What is your company’s vision, and what are your goals for the security industry?

AA: ThreatModeler is driven by innovation. The ThreatModeler team has filed an average of one patent a year over the past five years. ThreatModeler has gone through dramatic pivots several times since its founding: beginning in 2010 as a free desktop tool, ThreatModeler has served as a longstanding leader while keeping up with the pace of innovation, now flourishing as a collaborative software as a service web-based enterprise tool.

In response to the pandemic, the ThreatModeler team took time to reassess and advance research and development, utilizing the widespread business disruption as a time to further develop its solutions. This strategic restructuring led to the development of one new innovative solution: a marketplace for threat models, to give any organization a powerful template to understanding their IT environment. Organizations will be able to implement threat models much more rapidly to ensure security from the start of development.

What are the biggest opportunities in the security industry right now?

AA: Now more than ever, companies need the ability to visualize their attack surface in order to mitigate threat and vulnerabilties. ThreatModeler’s suite of products empowers DevOps to measure, design and validate threat drift from development to deployment in a fraction of the time and cost of other tools.  Chief information security officers can make critical security-driven business decisions to scale their infrastructure for growth.

Once the attack surface is visualized, leaders need to be able to manage their infrastructures in a way that maintains stability and meets regulatory and compliance requirements. With tailored reporting, businesses can understand how to best secure critical architecture by uncovering data asset threats and understand the actionable outputs needed for mitigation. Ensuring compliance and security, ThreatModeler provides organizations with a method to ensure security-first principles, saving time and resources by reducing manual labor while also providing unique insights into the holistic security posture of a firm. Seeing time reductions of up to 90%, these insights can help drive innovative changes as firms look to reduce their attack surface while continuing to grow or scale operations.

What are your predictions for the security industry in the short and long term?

AA: In the short term, I predict the majority of companies are going to focus on endpoint (zero trust environments) and building security into cloud migration initiatives.

As for the long term, I believe as more and more companies move to the cloud, they will shift their focus to identifying all entry points of their cloud infrastructure, identifying different paths an attacker can navigate to get to their assets and assess the strengths of their controls to ensure data confidentiality, integrity and availability.

What are the biggest challenges facing your company and/or others in the security industry?

AA: The move to the cloud poses unique challenges as organizations adapt to securing infrastructure as code for all applications. Enterprises also need to be prepared to secure brave new features such as containers, microservices and automatic scaling. Threat modeling, traditionally a manual process, would take weeks to enumerate potential threats with diagramming tools or whiteboarding to gain an understanding of ones attack surface.

At a high level, DevOps journeying to the cloud involves applying the typical shared responsibility model, then implementing suitable structures with extremely strict policies to protect customers, data and workloads in the cloud. Cloud customers are responsible for protecting their workloads while they’re in the cloud.

Using ThreatModeler’s extensive knowledge base, users can build on learnings, recommended best practices and design patterns needed to accelerate enterprise cloud journeys. ThreatModeler efforts will drive the accurate, consistent, repeatable delivery of security requirements, accelerating cloud delivery overall and getting cloud customers to a better place for building out security capabilities themselves.

What does SIA offer that is most important to you/your company? And what do you most hope to get out of your membership with SIA?

AA: We look forward to connecting with other SIA members and attending the various member exclusive events, like SIA GovSummit, as sponsors. SIA provides us with a unique opportunity to show the market a more effective way to threat model.

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.