ThreatModeler introduces Nexus to automate threat modeling with AI governance

ThreatModeler has announced the general availability of ThreatModeler Nexus, an agentic threat modeling platform that brings governed, architecture-aware security to the way modern software is actually built. As AI writes a growing share of production code, the question is no longer whether to threat model, but where and when. ThreatModeler Nexus answers that with a platform built to threat model everything, starting wherever a team already is.

ThreatModeler Nexus pairs a multi-agent system with a deterministic framework, so AI accelerates the work while the platform governs the outcome. A System Mapping Agent builds a system map from architecture artifacts or infers one directly from code.

A Graph Agent grounds that work in each customer’s environment. A Reporting Agent produces audit-ready evidence. All three operate on the Secure Design Graph, the connected representation of components, threats, controls, and compliance mappings that makes the platform a system of record rather than a generator of one-time answers.

The Secure Design Graph is also what the ThreatModeler and IriusRisk merger produced. Neither company alone held the full depth of curated threat, control, and compliance intelligence that the Graph now consolidates. ThreatModeler Nexus is the platform built on that combined substrate, and it carries the discipline both companies are known for: invisible to developers in the IDE, native to architects as a secure design control plane, and summarized as enterprise risk for security leaders.

“This is the platform the merger was for,” said Kevin Gallagher, Chief Executive Officer at ThreatModeler. “Two companies brought together a decade of work each, and the result is a Secure Design Graph no one else can rebuild from the outside. Launching it alongside partners across delivery and the public sector is the clearest signal of where this company is headed.”

“Finding flaws in code is cheap now. A frontier model can do it in minutes,” said Ben Oster, Chief Product Officer at ThreatModeler. “The hard part moved to confirming what actually matters, catching what is missing, and proving it to the board. That takes a governed framework and a system of record, not another prompt. That is what ThreatModeler Nexus is built to be.”

ThreatModeler is also actively working with Knox Systems toward achieving FedRAMP authorization, bringing governed agentic threat modeling to federal agencies and the regulated organizations that hold themselves to the same standard.

“Federal teams are under real pressure to adopt AI in security without giving up auditability or control,” said Hemant Baidwan, Executive CISO at Knox. “Achieving FedRAMP authorization through working with Knox allows agencies to bring emerging security capabilities into environments where every decision has to be defensible.”

Enterprises already run ThreatModeler at scale. A global financial services firm reduced threat modeling effort by 50 percent. The platform draws on more than a decade of curated research and 13 granted patents, with 3,500+ security requirements, 1,500+ catalogued threats, 3,000+ modeled components, and 180+ compliance frameworks behind every model.

Recent industry research underscores the timing: for AI-generated code, threat modeling happens before the code is written 31 percent of the time, during the writing 45 percent of the time, and after the code is written 24 percent of the time. (Source: Hanover Research, 2026, n=250.)
