Home
TMI (Threat Modeling Improved) is an agent-enabled platform to drive security review processes. If you have a security review process- usually implemented as an application security (appsec) or product security (prodsec) team, then TMI could help you make that process faster, less toilsome, more thorough, and AI-enabled.
Security reviews are organized as threat models. TMI's internal workflow and structure enables capturing information and using it during the entire life cycle of the software, not just during the security review. Collaborative diagramming and threat recording tools enshrine discipline around constructing actual models to systemically identify threats. TMI's integration capabilities make it easy to easily and quickly build tools to perform security analysis or to reduce security engineer toil.
Try it now (online instance) at https://www.tmi.dev
Releases - Release history and upcoming versions
Go to: Getting Started
Learn how to:
- Access TMI at tmi.dev
- Create threat models
- Build data flow diagrams
- Manage threats
- Collaborate with your team
Go to: Deployment
Learn how to:
- Plan your deployment architecture
- Deploy TMI Server
- Deploy TMI Web Application
- Set up authentication
- Configure databases
- Integrate components
Go to: Operation
Learn how to:
- Monitor system health
- Manage databases
- Ensure security
- Scale your deployment
- Perform maintenance
Go to: Development
Learn how to:
- Set up development environment
- Understand architecture
- Integrate with APIs
- Write tests
- Contribute code
- Build extensions
Go to: Troubleshooting
Find solutions for:
- Authentication problems
- Connection issues
- WebSocket problems
- Database issues
- Performance problems
TMI consists of 3 core sets of functionality:
- A REST API server. Written in Go, the API server implements a REST API that is fully documented in an OpenAPI schema, and integrates with a database to store information persistently. All functionality of TMI is implemented in the REST API; the TMI-UX front-end web application simply wraps this API. All business logic and security authorization occur on the server.
- A front-end web application, TMI-UX. Written in TypeScript and using Angular and Material Design, the web application is how users interact with the API in a natural way.
-
Extensions. Written in the language of your choice, extensions can receive change notifications from the server and interact with the server via REST API. Extensions can:
- perform any kind of analysis (like agentic AI)
- integrate with your internal systems such as issue tracking, source control, release management, and so forth.
Intake: TMI provides a customizable intake model - admins can construct and publish intake surveys to collect information from teams & individuals requesting security review, and publish multiple surveys to support different workflows. The intake functionality is completely optional and not necessary to performing security reviews; it's provided for teams that want a simple and flexible intake model.
Collaborative DFD editing: Data flow diagrams may be edited by multiple users at the same time, with every user able to see every other user's changes. This enables whiteboard-like diagram interaction, and security engineers and product team engineers collaborating on a diagram can quickly and easily ensure that the diagram is correct, resulting in accurate, shared understanding of the software being reviewed.
Integration: TMI is easy to integrate with your organization, supporting OAuth and SAML authentication, multiple database platforms and customizable branding. TMI is easy to integrate with automation such as AI agents, supporting a REST API and automation triggering via webhooks, either automatically on changes or manually via user action in the UI. Client credential functionality makes it easy to provision automation with access to TMI.
Extensibility: Every object in TMI is extensible via key-value ("tag-shaped") metadata. This means you don't have to modify any code if your organization captures additional information as part of your workflow, and you don't have to define custom fields in the UI, etc. Metadata can be added or modified by the user in the UI, or by automation, to add additional information to the threat model or to specific objects. Metadata can be used to allow the threat model to start earlier in the engineering process ("shifting left"), when not all technology and implementation decisions have been made. As the project develops, the diagrams and other artifacts in TMI can be updated. As concrete engineering decisions are made, the objects in the threat model can be associated with real-world objects by adding metadata to the objects in the threat model.
-
TMI Server - Go-based backend API server
- REST API specified in OpenAPI 3.0.3, with clients published for Python (via PyPi), TypeScript (via npm) and Go.
- WebSocket support for change notification and automation triggering.
- Multiple databases supported: PostgreSQL & Oracle ADB, with experimental support for MSSQL and MySQL.
- OAuth 2.0 & SAML authentication
- Role-based access control with configurable ACLs on threat models
- Optional support for confidential threat models
-
TMI-UX - Angular/TypeScript web application
- Modern, responsive user interface
- Threat model organizer - organizes documents, links, source code repositories and other threat modeling artifacts
- Data flow diagram creation & editing, with real-time collaboration support (shared whiteboarding)
- Markdown notes with Mermaid support
- Supports UI workflows for:
- Product/engineering teams: request security review/threat model by filling out configurable intake surveys
- Security engineers: triage incoming requests, assign threat models to reviewers, perform threat modeling exercises
- Administrators: configure the system, access control, and user and group management
-
TMI Terraform Analyzer - Infrastructure analysis tool
- Automated analysis of the infrastructure deployed in a terraform environment
- AI-powered security insights
- Fully integrated with TMI threat models
-
TMI Clients - Client libraries for TMI API
- Multiple language support
- Simple API integration
┌─────────────────┐
│ TMI Web App │ (Angular/TypeScript)
│ (tmi-ux) │
└────────┬────────┘
│ HTTPS/WSS
▼
┌─────────────────┐
│ TMI Server │ (Go)
│ (tmi) │
└────────┬────────┘
│
┌────┴────┐
▼ ▼
┌──────┐ ┌───────┐
│ PgSQL│ │ Redis │
└──────┘ └───────┘
This wiki is organized by task area, aligned with different audiences:
- Getting Started - For end users learning to use TMI
- Deployment - For operators deploying TMI
- Operation - For SREs/DevOps running TMI
- Troubleshooting - For everyone solving problems
- Development - For contributors and integrators
- Integrations - For power users and developers
- Tools - For using TMI utilities
- API Reference - For API integration
- Reference - For quick lookup
- Visit tmi.dev to use the hosted version
- Read Creating Your First Threat Model
- Explore Working with Data Flow Diagrams
- Review Planning Your Deployment
- Follow Deploying TMI Server
- Configure Setting Up Authentication
- Set up your Development Environment
- Understand the Architecture and Design
- Review API Integration guide
- GitHub Issues: Report bugs or request features in component repositories
- Discussions: Join conversations about TMI development and usage
- OpenAPI Specification: tmi-openapi.json
TMI is licensed under the Apache License 2.0, allowing for customization and commercial use.
See license.txt for details.