AI Security Threat Model Generator

Generate a STRIDE threat model for your LLM application

Describe your LLM application architecture and receive a structured STRIDE threat model covering AI-specific threats — prompt injection, training data poisoning, model inversion, membership inference, and adversarial examples. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is STRIDE?

STRIDE is a threat-modelling framework covering six categories — Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. This tool maps AI-specific threats onto each category.

LLM applications introduce threats that traditional threat models miss — a model can be manipulated by the very data it processes, leak its training data, or be tricked into taking privileged actions. The AI Security Threat Model Generator maps your architecture onto the six STRIDE categories with AI-specific threats and mitigations.

How it works

You describe your application and select the capabilities and data flows it has: whether it ingests untrusted external content, calls tools or plugins, retains conversation history, exposes a fine-tuned model, or can take actions on a user’s behalf. The tool then generates a STRIDE table — Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege — populated with the threats relevant to your selections and a recommended control for each.

The threats are drawn from the OWASP Top 10 for LLM Applications and AI security literature: prompt injection (direct and indirect), training-data poisoning, model inversion and membership inference, sensitive-data leakage, adversarial inputs, insecure tool use, and excessive agent agency.

Why traditional STRIDE needs AI-specific extensions

A traditional STRIDE analysis for a web application would cover authentication spoofing, SQL injection, logging gaps, and access control failures. Those threats still apply when an LLM is involved, but there are AI-specific attack surfaces the standard framework doesn’t naturally surface:

Tampering now includes prompt injection. In a traditional system, tampering means modifying data in transit or at rest. In an LLM application, it also means injecting instructions into content the model processes — the model itself becomes part of the trust boundary that can be subverted. Direct prompt injection (from the user) is usually caught by rate limiting and content policies; indirect prompt injection (from external documents or web pages the model retrieves) is much harder to defend against and much easier to miss in a threat model.

Information disclosure now includes model inversion and membership inference. A fine-tuned model may memorise specific training examples. An attacker who can query the model repeatedly may be able to reconstruct personal data that appeared in the training set. This threat is unique to LLMs and doesn’t map naturally onto traditional data-leakage controls.

Elevation of privilege now includes excessive agency. An agentic LLM that can send emails, write files, or execute code on a user’s behalf has a privilege boundary just like a service account does. If the model acts beyond its intended scope — because it was prompted to, or because its instructions were ambiguous — the resulting actions can be irreversible. This doesn’t appear in traditional software STRIDE because traditional software doesn’t have the same flexible instruction-following behaviour.

What you get

A structured threat model you can paste into a security design document: each STRIDE category lists the applicable AI-specific threats and a concrete mitigation — for example, treating all retrieved content as untrusted to counter indirect prompt injection, or enforcing least-privilege scopes on any tools the model can call.

Tips and notes

The two threats teams most underestimate are indirect prompt injection — malicious instructions hidden in content the model retrieves, such as a web page or document — and excessive agency, where an over-trusted agent takes actions it should have escalated. Both live at the boundary where untrusted input or model output crosses into a privileged operation, so map those boundaries first. This is a starting model, not a full security review; have a security engineer review it before production. Everything is generated in your browser and nothing is uploaded.