ThreatForest
April 20, 2026
AI-powered threat modeling and attack tree generation with MITRE ATT&CK integration
ThreatForest is an agentic threat modeling platform built on the Strands agent framework. Point it at a repository and it autonomously generates attack trees, maps attack steps to MITRE ATT&CK techniques, and produces actionable mitigation recommendations.
Built for security teams, architects, and DevSecOps engineers who want to bring threat modeling into the development loop without turning it into a second full-time job.
- 🤖 Autonomous agent pipeline — scanner, threat identifier, attack tree generator, TTP mapper, and mitigation advisor run in sequence, analyzing threats in parallel
- 🛡️ MITRE ATT&CK mapping — attack steps are mapped to TTPs using ATTACK-BERT semantic embeddings
- 📊 Interactive dashboard — explore threats visually with a searchable graph, filters, and expandable mitigations
Privacy: ThreatForest sends project context to your configured LLM provider. AWS Bedrock is recommended for production workloads.
Quick Start
```bash
# Clone and run with uv (recommended)
git clone https://github.com/aws-samples/sample-agentic-attack-tree-generator.git
cd sample-agentic-attack-tree-generator
uv run threatforest
```
See the Getting Started guide for full installation options and configuration.
See it in action
From a repository path to a fully mapped attack tree in a single run. For a deeper tour — including the dashboard, filtering, and mitigation details — see the full walkthrough in the docs.
Next steps
- 📚 Read the documentation — full guides, architecture, and FAQ
- 🏗️ How it works — the agent pipeline, phase by phase
- 🐛 Report an issue — bug reports and feature requests welcome
- 🤝 Contribute — see the contributing guide to get involved
License
MIT — see LICENSE.