External Data (latest)

Security knowledge base for SecOpsTM (MITRE ATT&CK, CAPEC, CVE, D3FEND).

Install

secopstm download-data

Built from commit 5cc6763.

This release brings major analyst workflow features, AI pipeline improvements, a complete Docker/PyPI distribution, and dozens of bug fixes accumulated since 1.1.0

🆕 New Features

Analyst Workflow

• Threat ranking & volume control — New ThreatRanker module: composite score
  (severity 40% + confidence 30% + VOC risk signals 30%), configurable max threat
  count and minimum STRIDE category coverage. Guarantees at least one threat per
  STRIDE category is always preserved.
• Accepted risks management — accepted_risks.yaml auto-discovered next to the
  model file. Two matching modes: stable TK- content-hash key or pattern-based
  (STRIDE category + target + description wildcard). Expired entries automatically
  ignored. Accepted threats are dimmed in the HTML report with decision badge
  (ACCEPTED / FALSE POSITIVE / MITIGATED) and rationale inline.
• CI/CD gate mode — New --gate REPORT_JSON flag: exits 1 when unaccepted
  threats meet or exceed --fail-on severity (default: CRITICAL). --baseline
  mode restricts failures to new threats only — ideal for PR gates.
• ATT&CK ID validation — AttackIdValidator checks every MITRE technique ID
  in the threat list against the local STIX corpus; detects hallucinated, revoked,
  and deprecated IDs. Fully offline, silently disabled when the corpus is absent.

AI & Reporting

• CISO triage AI pass — After threat ranking, an optional LLM call generates
  an executive risk briefing: posture score, colour-coded label, top findings,
  quick-wins table, and narrative. Cached on threat_model._ciso_triage and
  included in JSON export.
• Interactive threat graph — Force-directed Canvas visualization in the HTML
  report: nodes (actors/servers) sized by threat count and coloured by severity,
  edges carrying protocol/encryption/auth flags, hover tooltips, severity filter.
  Zero JS dependencies, fully offline.
• SOC Analyst persona + context compression — Threat prompts now include a
  SOC analyst persona with context compression for more operationally relevant
  output. Terraform plugin extended: security group ingress/egress rules preserved,
  internet_facing, credentials_stored, and traversal_difficulty inferred
  from tfstate; BOM files generated automatically per resource.
• Batch LLM enrichment — Components grouped into configurable batches
  (batch_size=5, max_concurrent=3); batches run concurrently under
  asyncio.Semaphore. For 20 components: ~20 serial calls → ~4 concurrent
  round-trips. Redundant check_connection() calls eliminated; uses cached
  ai_online flag instead.

Editor & DSL

• Custom asset types (community YAML) — 22 asset types and 17 protocols
  migrated from hardcoded Python dicts to config/asset_types_community.yaml
  and config/protocols_community.yaml. Community-editable without code changes.
• Component Panel (DSL helper) — Schema-driven slide-in panel in the editor:
  Add/Edit modes, boundary/node dropdowns, dark-mode compatible.
• DSL autocomplete + autosave — Context-aware completion in the Monaco editor;
  draft autosaved to localStorage with restore banner on next open.
• Executive View + Copy-as-ticket — Toggle in HTML report for management
  presentations; one-click copy of top-5 threats as GitHub Issue markdown.
• Sub-model drill-down — Server nodes become hyperlinks to child model
  diagrams; child diagrams render ghost clusters for external connections.

Infrastructure & Distribution

• Docker image — Multi-stage build: secopstm:latest (core, ~slim) and
  secopstm:ai (full AI stack with vector store volume). Available on Docker Hub.
• PyPI packaging — pip install secopstm (TestPyPI → PyPI). pip install "secopstm[ai]" for full AI/RAG dependencies.
• secopstm init-rag — Downloads the pre-built RAG vector store (~1.3 GB)
  from GitHub Releases into ~/.secopstm/vector_store/. Override with
  SECOPSTM_VECTOR_STORE_DIR.
• secopstm download-data — Downloads and verifies external_data.tar.gz
  from GitHub Releases (SHA-256 checked).
  analysis in CI workflows.

New Threat Model Templates

• Kubernetes/Helm Cluster — 14 servers, 8 boundaries, 22 dataflows, 78 pytm
  threats, full GDAF context YAML.
• AWS Lambda Event-Driven — 21 servers, 8 boundaries, 23 dataflows, 106 pytm
  threats, full GDAF context YAML.

---

⚡ Performance

• RAG initialisation parallelised with AI connection check (run_in_executor) —
  saves ~26 s on cold start when RAG is enabled.
• LangChain removed from RAG pipeline — direct ChromaDB + LiteLLM calls reduce
  cold-import time by ~300 s.
• CVEService pre-warmed in a daemon thread at server startup.

---

🐛 Bug Fixes

• GDAF not triggered in --model-file CLI mode (fixed path resolution).
• GDAF context not loaded when using server-managed projects.
• Sub-model tab navigation matched by filename instead of full path.
• Custom MITRE DSL parsing: [\s=:]+ regex fix (value no longer included =).
• credentialsLife integer crash: hardened to fallback Lifetime.NONE + warning.
• CONFIDENTIAL/INTERNAL classification aliases added to classification map.
• RAG crash on non-dict items in LLM response (guard + per-item try/except).
• AI threats absent from global project report (cached in
  _report_all_detailed_threats, preferred by global report generator).
• config.js permissions in Docker image (chown to appuser).
• lxml bumped 6.0.0 → 6.1.0.

---

📦 Installation

# Core (offline threat modeling, no AI)
pip install secopstm

# Full AI stack (RAG, LLM enrichment)
pip install "secopstm[ai]"
secopstm init-rag          # download pre-built vector store (~1.3 GB)

# Docker
docker pull ellipse2v/secopstm:latest   # core
docker pull ellipse2v/secopstm:ai       # full AI stack

⬆️  Upgrading from 1.1.0

No breaking DSL changes. Run secopstm init-rag --force to refresh the vector
store if you use RAG features.

Vector Store (latest)

Pre-built RAG vector store. Install: secopstm --init-rag

This version introduces several major features to enhance threat analysis and integration capabilities.

✨ New Features

• STIX 2.1 Export: You can now export threat analysis results into the STIX 2.1 format, allowing for greater interoperability with
  other cybersecurity tools and platforms.
• MITRE ATT&CK Navigator Integration: Added the ability to generate JSON layer files for the MITRE ATT&CK Navigator. This provides a
  powerful and intuitive way to visualize the MITRE ATT&CK techniques identified in your threat models.
• STRIDE to CAPEC Mapping: The threat analysis engine now includes a mapping from STRIDE threat categories to CAPEC (Common Attack
  Pattern Enumeration and Classification), based on the methodology from ostering.com
  (https://ostering.com/capec-stride-mapping/index.html). This enriches the analysis by linking threats to common real-world attack
  patterns.

Version 1.0.0 - First Stable Release

 We are thrilled to announce the first stable release of **ThreatModelByPyTM**, a powerful Threat Modeling
  as Code tool designed for developers, architects, and security professionals.

 This `v1.0.0` release marks a major milestone, transitioning from an alpha phase to a robust, tested, and
  production-ready version.

 ## ✨ Key Features

 *   **Threat Modeling as Code**: Define your systems and threats using a simple and intuitive
  Markdown-based syntax.
*   **Diagram Generation**: Automatically visualize your architecture and data flows from your models,
  creating clear and navigable diagrams.
*   **Automated Threat Analysis**: Identify potential threats based on a set of customizable rules and
  industry standards.
*   **MITRE ATT&CK® Integration** : Map identified threats to MITRE ATT&CK tactics and techniques for
  better contextual understanding.
*   **Mitigation Suggestions**: Get suggestions for security controls and mitigation measures for
  identified threats.
*   **IaC Plugin (Ansible)**: Analyze your Ansible playbooks to automatically generate a threat model of
  your infrastructure.
*   **Interactive Web Interface**: Explore your threat models, visualize diagrams, and view reports via a
  user-friendly web interface.
*   **Comprehensive Reports**: Generate detailed HTML reports, perfect for security audits and sharing
  with teams.

This is a major step for the project, and we look forward to your feedback. Feel free to open an issue to
  report bugs or suggest new features!

Test, Documentation, and IaC Integration Improvements

• increase coverage with unit test
• Updated the README.md file to reflect implemented features (GUI, advanced threat model validation, predefined templates) and removed an incorrect limitation.
• Enhanced Infrastructure as Code (IaC) Integration: Added the capability to generate threat models and identify threats directly from Ansible playbooks.
• Created a new wiki page roadmap.md to detail future tasks and moved the detailed roadmap from README.md to this new file.
• Expanded descriptions for containerization, advanced threat model validation, and integration with vulnerability databases in roadmap.md.

Release v0.2.0-alpha: Real-time Markdown Model Viewer with In-editor Editing

This alpha release introduces a powerful real-time viewer for your Markdown-based models. Now, you can edit and visualize your models simultaneously within the same interface, providing immediate feedback on your changes. This significantly streamlines the model creation and refinement process, allowing for a more fluid and efficient workflow.

first release

This is the first release of the STRIDE Threat Analysis Framework with MITRE ATT&CK Integration.

This framework is a Python-based, end-to-end STRIDE threat modeling and analysis framework with MITRE ATT&CK mapping. It enables you to:

• Model your system architecture in Markdown (threat_model.md), including boundaries, actors, servers, data, and dataflows.
• Automatically identify STRIDE threats for each component and dataflow.
• Map threats to MITRE ATT&CK techniques for actionable, real-world context.
• Calculate severity using customizable base scores, target multipliers, and protocol adjustments.
• Generate detailed reports (HTML, JSON) and visual diagrams (DOT, SVG, HTML) with threat highlights.
• Extend and customize all mappings, calculations, and reporting logic.

This release is based on PyTM and extends it with advanced reporting, MITRE mapping, and diagram generation.