
threat-modeling

MCP server from awslabs/threat-modeling-mcp-server

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio --env FASTMCP_LOG_LEVEL=ERROR awslabs-threat-modeling-mcp-server -- \
  uvx --from git+https://github.com/awslabs/threat-modeling-mcp-server.git threat-modeling-mcp-server

How to use

The Threat Modeling MCP Server helps you systematically perform threat modeling using a STRIDE-based methodology, business context analysis, architecture reviews, and data validation. It orchestrates prompts and state management to guide you through threat identification, mitigation planning, and final reporting, while validating the model against the actual codebase when present. It can generate both Markdown and JSON representations of the threat model, making it suitable for developer reviews and security documentation. You can interact with the server by structuring prompts that set the business context, add architectural components, identify threats, propose mitigations, and export the complete threat model for sharing or auditing. Tools within the server support adding threats, toggling mitigation strategies, and updating assumptions, all while tracking changes in a local .threatmodel directory if you choose to scope the modeling to a specific project area.

How to install

Prerequisites:

  • uvx (part of the uv package manager) must be installed. Verify with: uvx --version
  • Access to a capable LLM client (e.g., Cline, Amazon-Q, or Kiro) configured to run locally.

Installation steps:

  1. Install uv (which provides uvx) following the official Astral uv documentation or the repository README.
  2. Ensure your environment can reach the local threat modeling MCP server via your MCP client configuration.
  3. Add the MCP configuration to your mcp.json (as shown in the example) to point your client to this threat-modeling-mcp-server.
  4. Restart/refresh your MCP client so it picks up the new server configuration. The server will be installed directly from this GitHub repository when you initialize it through uvx.

Configuration example (to paste into your MCP client config):

{
  "mcpServers": {
    "threat-modeling-mcp-server": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/awslabs/threat-modeling-mcp-server.git",
        "threat-modeling-mcp-server"
      ],
      "env": {
        "FASTMCP_LOG_LEVEL": "ERROR"
      },
      "disabled": false
    }
  }
}

Notes:

  • After adding the configuration, restart your MCP client to trigger installation from the GitHub repo via uvx.
  • The repository’s tools are configured to be internal to the MCP server, with no external API calls beyond using your client’s LLM.
  • You can adjust autoApprove behavior in your config if you want per-tool prompts instead of automatic approvals.

Additional notes

Tips and common considerations:

  • Ensure uvx is properly installed and accessible in your PATH.
  • The threat model is stored in a local .threatmodel directory when you scope to a subfolder; otherwise, it remains within the project context as configured.
  • Use the export options to generate Markdown and JSON reports for distribution and audit purposes.
  • Review and adjust the autoApprove setting to balance ease of use with control over tool invocations.
  • When using prompts, be explicit about the scope (whole project vs subfolder) to ensure reproducible results.
  • If you encounter issues with model validation, verify that the local codebase is accessible and that the LLM client is properly configured.
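The configuration above installs the server from the repository's default branch each time uvx resolves it, and autoApprove lets listed tools run without a prompt. The following script is an added example, not code from the awslabs project: it audits an MCP client config for both conditions. It assumes autoApprove is a per-server list of tool names (as in clients such as Cline) and that a git source is pinned with the pip-style "@ref" suffix; the tool names in the sample are placeholders.

```python
import json

# Constructed sample: the page's configuration plus a hypothetical autoApprove
# list (tool names are placeholders, not the server's real tool names).
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "threat-modeling-mcp-server": {
      "command": "uvx",
      "args": ["--from",
               "git+https://github.com/awslabs/threat-modeling-mcp-server.git",
               "threat-modeling-mcp-server"],
      "env": {"FASTMCP_LOG_LEVEL": "ERROR"},
      "autoApprove": ["example_tool_a", "example_tool_b"],
      "disabled": false
    }
  }
}
"""

def git_ref(source):
    """Return the ref after '@' in a git+ URL, or None if no ref is given."""
    if not source.startswith("git+"):
        return None
    path = source.split("://", 1)[-1].split("#", 1)[0]
    # Skip any 'user@host' part: only an '@' after the first '/' is a ref.
    repo_path = path.partition("/")[2]
    return repo_path.rpartition("@")[2] if "@" in repo_path else None

def audit(config_text):
    """List review findings for every enabled server in an MCP client config."""
    findings = []
    for name, server in json.loads(config_text).get("mcpServers", {}).items():
        if server.get("disabled"):
            continue
        args = server.get("args", [])
        for flag, value in zip(args, args[1:]):
            # A git source with no ref follows the default branch's latest commit.
            if flag == "--from" and value.startswith("git+") and git_ref(value) is None:
                findings.append((name, "unpinned-git-source", value))
        for tool in server.get("autoApprove", []):
            findings.append((name, "auto-approved-tool", tool))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```

A branch or tag name counts as a ref here but can still move; only a full commit hash after "@" fixes the installed code to a reviewed revision.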
