architectural threat modeling, codified

Model the system.
Elicit the threats.
Ship the detection.

ArgusMap ingests your architecture diagrams, infrastructure-as-code, telemetry inventory, and red-team reports — then runs an expert-grade threat-modeling pass and generates Sigma rules to close every detection gap it finds.

STRIDE · MITRE ATT&CK · CWE · Sigma
analysis · payments-api
12 findings · 9 gaps
  • Critical · Unauthenticated webhook ingress on /events · T1190 · missing
  • High · Over-privileged IAM role on order-worker · T1078 · partial
  • High · PII written to S3 without object-level audit · T1530 · missing
  • Medium · Outbound to 3rd-party PSP not TLS-pinned · T1557 · covered

title: Unauthenticated webhook ingress on /events
logsource:
  product: aws
  service: apigateway
detection:
  selection:
    requestPath: "/events"
    auth: "none"
  condition: selection
level: critical

The four questions, answered with rigor.

Built around the canonical 4-question framework used by mature application-security programs.

01

What are we building?

Plug in diagrams, IaC, telemetry inventories, and prior reports. Every source becomes evidence the model can reason over.

02

What could go wrong?

STRIDE per component, mapped to MITRE ATT&CK techniques and CWE identifiers with explicit business-impact severity.

03

What will we do?

Concrete, architectural mitigations — not platitudes. Tied to the specific component and trust boundary at risk.

04

Did we do a good job?

Detection coverage evaluated for every finding. Gaps become first-class objects you can close one click at a time.

Evidence in. Threats out.

A single project aggregates everything the model needs to reason about your real system.

Architecture diagrams

PNG, JPG, draw.io, or PDF. Vision-capable model extracts components, boundaries, and flows.

Infrastructure-as-Code

Paste Terraform, CloudFormation, Kubernetes manifests, or a written system description.

Log source inventory

Tell the model which telemetry exists so detection coverage is grounded in reality, not assumptions.

Pentest & red-team reports

Upload PDF or markdown findings to weight the elicitation toward known-broken control surfaces.

A pipeline, not a chatbot.

Three stages, deterministic where it matters, machine-readable where it counts.

  1. step 01

    Aggregate

    Drop every artifact about the system into one project — files, IaC, telemetry tables, reports.

  2. step 02

    Reason

    An expert-prompted model performs STRIDE per component, attaches ATT&CK / CWE, and grades severity.

  3. step 03

    Detect

    Each detection gap becomes an object you can close in one click — the engine writes the Sigma rule.

Detection engine

Click the gap. Get the rule.

Every finding ships with a detection evaluation: covered, partial, or missing. For the gaps, the detection engine generates a portable Sigma rule grounded in the data sources you have — ready to drop into your SIEM via sigmac.

title: Unauthenticated webhook ingress on /events
id: 6a1e8c34-...
status: experimental
description: Detects HTTP POSTs to /events with no auth header.
references:
  - threat-model:proj-payments
  - https://attack.mitre.org/techniques/T1190/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: aws
  service: apigateway
detection:
  selection:
    requestPath: "/events"
    auth: "none"
  condition: selection
level: critical
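The two things the page describes around this rule, the covered/partial/missing grade against a log-source inventory and the rule itself as something you can run, can be shown with a small Python script. This is an added example and not ArgusMap's code: the rule is the one printed above (as the dict PyYAML would produce from it, so the script needs no YAML dependency), while the inventory, the sample API Gateway events and the helper names (`coverage`, `matches`, `run`) are constructed for illustration. It also surfaces a caveat worth checking on any generated rule: the description above says "HTTP POSTs", but the selection never constrains the method, so a GET to /events with no auth fires the rule too.

```python
"""Grade a Sigma rule's detection coverage against a log-source inventory,
then dry-run its selection over sample events.

Added example, not ArgusMap's code. RULE is the rule shown on the page;
INVENTORY, EVENTS and the helper names are constructed assumptions.
"""

# The page's rule, as the dict PyYAML would yield (id/references omitted).
RULE = {
    "title": "Unauthenticated webhook ingress on /events",
    "logsource": {"product": "aws", "service": "apigateway"},
    "detection": {
        "selection": {"requestPath": "/events", "auth": "none"},
        "condition": "selection",
    },
    "level": "critical",
}

# Constructed log-source inventory: (product, service) -> fields actually ingested.
INVENTORY = {
    ("aws", "apigateway"): {"requestPath", "auth", "sourceIp", "httpMethod"},
    ("aws", "cloudtrail"): {"eventName", "userIdentity"},
}

# Constructed API Gateway access-log events (RFC 5737 documentation addresses).
EVENTS = [
    {"httpMethod": "POST", "requestPath": "/events", "auth": "none", "sourceIp": "203.0.113.7"},
    {"httpMethod": "POST", "requestPath": "/events", "auth": "hmac-sha256", "sourceIp": "198.51.100.4"},
    {"httpMethod": "GET", "requestPath": "/events", "auth": "none", "sourceIp": "203.0.113.9"},
    {"httpMethod": "GET", "requestPath": "/orders", "auth": "none", "sourceIp": "203.0.113.9"},
]


def coverage(rule, inventory):
    """Return (status, absent_fields) for a rule against the inventory.

    missing: no log source matches the rule's product/service.
    partial: the source exists but some selection fields are not ingested.
    covered: the source exists and every referenced field is available.
    """
    ls = rule["logsource"]
    fields = inventory.get((ls.get("product"), ls.get("service")))
    if fields is None:
        return "missing", []
    needed = set()
    for name, sel in rule["detection"].items():
        if name == "condition":
            continue
        # Strip Sigma field modifiers such as "|contains" before comparing names.
        needed |= {f.split("|")[0] for f in sel}
    absent = sorted(needed - fields)
    return ("covered" if not absent else "partial"), absent


def _match_selection(sel, event):
    """All fields in a selection must match (AND); list values are OR'd."""
    for field, expected in sel.items():
        name, *mods = field.split("|")
        value = event.get(name)
        if value is None:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if "contains" in mods:
            ok = any(str(e) in str(value) for e in candidates)
        else:
            ok = any(str(e) == str(value) for e in candidates)
        if not ok:
            return False
    return True


def matches(rule, event):
    """Evaluate conditions of the form 'a', 'a and b', 'a and not b'."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = _match_selection(det[name], event)
        if hit == negate:  # a negated hit or a missed positive term fails the rule
            return False
    return True


def run(rule=RULE, inventory=INVENTORY, events=EVENTS):
    """Coverage grade plus the events the rule would fire on."""
    status, absent = coverage(rule, inventory)
    hits = [e for e in events if matches(rule, e)]
    return {"coverage": status, "absent_fields": absent, "hits": hits}


if __name__ == "__main__":
    result = run()
    print(result["coverage"], result["absent_fields"])
    for e in result["hits"]:
        print("FIRED:", e["httpMethod"], e["requestPath"], "auth=" + e["auth"])
```

Running it grades the rule "covered" against the constructed inventory and reports two hits: the unauthenticated POST the rule was written for, and the unauthenticated GET, which is the mismatch between description and selection noted above. Dropping `auth` from the inventory turns the grade into "partial" with `auth` listed as the absent field, which is the grounding-in-real-telemetry check the page describes.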

Bring an architecture. Leave with a threat model.

Start a project, attach your evidence, and run the first analysis in under five minutes.