ThreatModeler

Reviews from AWS customer

1 AWS reviews

    John Thornburg

Facilitates consistent and efficient security designs across clouds

  • May 07, 2025
  • Review from a verified AWS customer

What is our primary use case?

We have applications in multiple clouds, and we use it to review our apps to ensure that they are going to be designed in a secure manner.

How has it helped my organization?

It helped us in multiple ways. It's easy to present to leadership where they can get the big picture, and they can ask their questions based on what they see in the drawings. Also, it's a good tool in that it drills down and gets down to the actual requirements. Sometimes we can get buried in the risks, but the risks all translate into requirements. The requirements are the meat and potatoes for our developers. To remediate what's needed, the sooner we get them involved and the sooner we are involved in the process, the sooner the results are designed into the solution. We are also able to reuse the work we put in. When we do something once and there is a revision to the same application, we can start with the previous version. It saves a huge amount of time.

It's a time saver. As we've gotten along, we've determined what we've already remediated. We're not going through a huge list that we used to go through in the beginning. We're going through things that only need to be gone through, and it helps maintain the sprints.

ThreatModeler Platform has enabled our company to meet tight delivery dates for the product teams. I've had several instances where things were brought to my attention late in the game. The tool has been excellent in getting in there and getting it done quickly and with less effort. It's a great time saver, so we can get in and get done, and get out. Sometimes we can do it at astounding speed if we have to. It's better to have enough time to get the job done, but when you're under a crunch, you still can get the job done.

We've customized quite a few components to suit our needs. When we have met the requirements, we put standards around a component. We then deploy it and mark it such that the component is remediated by control or by some standards. In that circumstance, the security requirements don't flow through. They're marked as already met, so it saves us a great deal of time. It's very customizable.

I found that not all of our security architects are fluent in each and every cloud. We're supporting all the major clouds and some SaaS environments. We're finding ways to use the tool and expanding it beyond just the typical clouds that we have today. It has allowed an AWS expert to work on a Google Cloud platform and apply their knowledge quickly and faster, and learn those platforms without necessarily having to be certified in every platform.

ThreatModeler has reduced the hours needed to complete threat modeling projects or secure an app in our organization. It takes about a third of the time doing it through ThreatModeler than it would otherwise. It would greatly vary depending on the actual individual person and how developed our standards are. The company I worked at prior did not have ThreatModeler, and I knew what it took to get the same functionality or similar functionality. It took much longer, and it would be much less uniform across.

Initially, we had ten people working on threat models. Today, within our organization, we probably have four. Fewer folks are working on ThreatModeler, and other security architects are being dedicated to specific environments and specific domains. It has allowed us to be more specialized because we need fewer people to do threat modeling.

What is most valuable?

ThreatModeler Platform is a big timesaver, helping to provide consistent output. Without it, interpretations would vary. Everything would be developed from scratch, and consistency would be lacking. By having this as our tool, we've developed a more consistent output. It didn't start out that way because everybody has their own ideas, but it is a great tool for making things consistent and making them faster. It allows for drawing solutions to get most of what is needed for threat models, aiding the design team in remediating security requirements. 

It measures and mitigates risks across attack surfaces, presents big pictures to leadership, and translates risks into requirements for developers, resulting in security design solutions that save time. Through customization, they can adapt the platform components to match specific needs, significantly streamlining processes.

What needs improvement?

We meet with our customer rep on a regular basis and go over new features we request. The team has been quite responsive in fulfilling most of the things we've requested in the revisions as we go along. They implemented changes related to colors. That was one of the things we asked for. 

One feature that I would like to see is related to comments. Comments need to be layered so that they are always on top. When you click on the comment feature, a dialogue box pops up, and you start entering a comment and put it into a VPC or a group of some sort. When you click on that group, the comment shouldn’t disappear behind the group. That's a problem that I would like to see fixed. The comment should always stay on top. It should be at the top layer above everything else because I can't see a reason why the comments should be under the things that you're commenting on. ThreatModeler Platform needs an enhancement so that comments always remain on top layers in diagrams, preventing them from disappearing when interacting with other components.

For how long have I used the solution?

I have been using ThreatModeler Platform for about three years.

What do I think about the scalability of the solution?

ThreatModeler Platform's AI-driven component suggestions assist with scalability, especially when undertaking new tasks. However, since this feature was implemented after a few years of using the solution, it is sometimes less impactful as we are already accustomed to our existing methods. We move it out of the way just because we're already set in our ways, and we already know what we want to put next. If we didn't know that, it would be a good time saver.

How are customer service and support?

We get a very quick initial response. Traditionally, they have been quite fast in resolving issues. We've had a few issues that took a little longer to resolve, and they were resolved in a few days. As a whole, we've had multiple issues because we use the tool all the time and run into problems. They're quick to fix them. Sometimes, we could get a better explanation of what was done to fix it, but all in all, we're happy with the results in the sense that things get resolved quickly. We have somebody who takes our requests and resolves them quickly. Of all the time, all the years that we've had it, we've only had a couple of issues that took a little while longer to resolve.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to ThreatModeler Platform, threat models were done manually, but this approach was less efficient.

I joined after it was selected, so I wasn't a part of the selection process, but I have evaluated it a couple of times since then and compared it to current products. It seems to be head and shoulders above the rest as far as multi-cloud support. A big thing about it is that we've now integrated it into our work environment such that we can go into and run a report on the security requirements and export them into Jira, and then they can be assigned to a particular team to go through each one of those requirements. They can go through the open ones and fix them. It can automatically, or nearly automatically, be tied into our work environment. It's pretty slick. It's a big time saver. We've integrated it into our platforms. We're doing more and more integration as we go along. A lot of these things didn't exist earlier, at least not to the extent they do now. They've been a result of us working with the ThreatModeling team and them being responsive to our needs.

We initially attempted to port diagrams from draw.io or Visio to ThreatModeler Platform, expecting integration with threat tools. It might have improved now, but at the time, the results were unsatisfactory, leading to manual interpretation and entry processes. 

We now get drawings in multiple formats. I'd love to say that we are standardized in the way we should be, but we have multiple teams, and we get multiple formats. We take that drawing and interpret that, and enter it into the tool manually. However, when we are grabbing things, clicking, and dragging them over and making boxes and just sliding things over, as long as the component selection is fairly robust, it's fine. It's a very fast process.

What was our ROI?

ThreatModeler Platform has reduced training and education costs by enabling security architects to extend their knowledge across various cloud platforms without needing specific certification, leveraging AWS expertise in other environments efficiently.

What's my experience with pricing, setup cost, and licensing?

It's like everything. If you look at the pricing, it sounds like a lot. If you look at the time it saves you and the fact that it repeatedly saves you that time, it pays for itself. That's what you want out of your tools. If they pay for themselves, you can easily justify them, even if they are expensive. Security architects are very expensive, and we're already doing more with less. Our team is smaller than it was a few years ago, and we have had fewer people doing threat modeling because we're getting more done with the tool.

What other advice do I have?

We aren't using the governance part yet. I need to look at that more and incorporate that. We aren't using it yet, but it's a good feature. I'd like to find a way to use it. Right now, we're doing governance outside of the tool using other platforms. Maybe we can do it more inside the tool.

I would rate ThreatModeler Platform an eight out of ten.

