Papers
Topics
Authors
Recent
Search
2000 character limit reached

AegisShield: AI Threat Modeling Tool

Updated 5 July 2026
  • AegisShield is a Python/Streamlit-based tool that automates cyber threat modeling by integrating generative AI with standard frameworks like STRIDE and DREAD.
  • It leverages real-time threat intelligence from NVD and OTX to generate detailed security artifacts, including attack trees and Gherkin test cases.
  • Designed for SMBs and under-resourced teams, it streamlines first-pass risk assessments while requiring expert review for final validation.

AegisShield is a Python/Streamlit-based, generative-AI–enhanced threat modeling tool introduced to make framework-driven cyber threat modeling feasible for organizations that lack senior security architects or dedicated threat modeling teams. It automates STRIDE-based threat identification, DREAD risk scoring, MITRE ATT&CK mapping, mitigation suggestions, attack trees, and Gherkin test cases, while integrating real-time threat intelligence from the National Vulnerability Database and AlienVault Open Threat Exchange. Its central thesis is that generative AI, combined with standardized security frameworks and public cyber threat intelligence, can democratize threat modeling by reducing the complexity, time, and expertise normally required, while maintaining alignment with industry practice (Grofsky, 29 Aug 2025).

1. Definition and problem setting

AegisShield addresses a longstanding operational asymmetry in secure design practice. Traditional threat modeling requires substantial expertise in STRIDE, ATT&CK, and DFD-oriented reasoning; it is slow and expensive to perform manually as systems become more complex; and it does not scale well for under-resourced teams, which therefore often skip it entirely. The system is explicitly positioned for small and mid-sized organizations, developers, and architects who need structured security analysis but cannot support dedicated threat-modeling staff (Grofsky, 29 Aug 2025).

The tool is designed around established security vocabularies rather than an unconstrained generative workflow. STRIDE provides the threat-generation scaffold, DREAD provides prioritization, and MITRE ATT&CK provides a TTP-oriented normalization layer. AegisShield supplements these with recent CVE and OTX context so that generated threats are biased toward realistic, currently relevant weaknesses rather than purely generic narratives. This design suggests an attempt to operationalize “secure by design” practices as a repeatable, low-friction pipeline rather than as an ad hoc expert exercise (Grofsky, 29 Aug 2025).

A recurring misconception is that AegisShield is a replacement for human threat modelers. The paper does not support that interpretation. It lowers the barrier to obtaining a structured first-pass model, but it still assumes downstream review by security professionals or senior engineers, especially for plausibility assessment, ATT&CK mapping review, DREAD interpretation, and mitigation planning (Grofsky, 29 Aug 2025).

2. System architecture and orchestration

AegisShield is implemented as a modular Python application deployed through Streamlit for interactive use and also as a batch script for large-scale experiments. The main controller, main.py, exposes a step-wise interface organized as description, technology, threat model, mitigations, DREAD, test cases, and PDF, while maintaining state through Streamlit session variables. The architecture is explicitly described as extensible and integration-friendly through JSON-structured outputs (Grofsky, 29 Aug 2025).

Threat-intelligence integration is split across dedicated modules. nvd_search.py uses NVDLib and the NVD API to query CVEs based on selected technologies and versions, filtering by recency and CVSS score so that only recent, high-severity items are injected into prompts. alienvault_search.py queries recent OTX pulses by industry sector and filters by recency and relevance. mitre_attack.py works over local STIX JSON from the mitre-attack/attack-stix-data repository and matches descriptive keywords from generated threats to ATT&CK attack-pattern objects. This separation of concerns is important because AegisShield does not treat CTI as a post hoc annotation layer; CTI is part of prompt construction and therefore part of generation itself (Grofsky, 29 Aug 2025).

The generative layer uses OpenAI’s GPT-4o via API, with rigid prompt engineering and enforced JSON output. Prompts instruct the model to simulate an expert, inject application context and CTI context, and return only schema-conformant JSON. The paper emphasizes that constrained generation through JSON schemas and role constraints substantially reduces hallucinated structure. A low/medium/high technical level is supported, and the experiments use medium as the default to balance readability and detail (Grofsky, 29 Aug 2025).

3. Threat-generation pipeline and produced artifacts

Threat generation is organized around a fixed STRIDE quota: for each of the six STRIDE categories—Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege—the model generates exactly three threats, yielding 18 threats per run. Each threat includes a scenario, a single “Potential Impact” string covering CIA impact, an explicit list of assumptions with (Assumption, Role, Condition), and a free-text set of “MITRE ATT&CK keywords.” The explicit assumptions field is notable because the paper presents it as a response to the common absence of assumption documentation in STRIDE models (Grofsky, 29 Aug 2025).

DREAD scoring is applied after threat generation. GPT-4o assigns integer scores from 1 to 10 for Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability, with 1–3 = low, 4–6 = medium, and 7–10 = high. The tool can then use the raw scores directly or compute a composite risk score:

DREAD_score=D+R+E+A+D5\text{DREAD\_score} = \frac{D + R + E + A + D'}{5}

This preserves DREAD’s familiar dimensional decomposition while making prioritization directly computable (Grofsky, 29 Aug 2025).

Mapping from STRIDE threats to MITRE ATT&CK is a two-stage process. First, GPT-4o emits ATT&CK keywords, and the tool searches local ATT&CK STIX data for up to 25 candidate attack-pattern objects, selecting the enterprise, mobile, ICS, or combined datasets according to application context. Second, a selection prompt presents the application context, the threat JSON, and the candidate ATT&CK patterns and instructs the model to choose exactly one valid ATT&CK ID or a canonical null pattern. A threat is counted as mapped only if the selected ATT&CK ID is neither null nor hallucinated (Grofsky, 29 Aug 2025).

The remainder of the workflow converts these normalized threats into downstream engineering artifacts. The mitigations stage aligns recommendations with the scenario, ATT&CK behavior, and NVD context. The test-case stage generates Gherkin BDD scenarios directly from threats. The attack-tree stage produces Mermaid graphs grouped by STRIDE. Finally, all outputs—description, threat list, ATT&CK mappings, mitigations, DREAD assessments, test cases, and attack trees—are consolidated into a single PDF artifact suitable for review, audit, or design documentation. The paper reports that a full model run, including CTI retrieval and PDF generation, completes in under 10 minutes (Grofsky, 29 Aug 2025).

4. Empirical evaluation and quantitative profile

The evaluation uses 15 case studies from the literature, all based on STRIDE or STRIDE-derived methods such as DIREST and STRIDE-AI, spanning domains including IoT smart manufacturing, ICS/oil and gas, vehicular fog computing, infotainment systems, healthcare contact tracing, AI/ML systems, social networks, ambient intelligence, and Drone-as-a-Service. From these studies, the authors extracted 243 expert-developed STRIDE threats. A batch script then produced 30 AegisShield runs per case, generating 540 threats per case and 8,100 threats overall (Grofsky, 29 Aug 2025).

The quantitative profile is summarized below.

Dimension Result Evaluation basis
Complexity reduction FKGL median 12.7 vs 13.5 Mann–Whitney p=0.001p = 0.001
Semantic alignment Mean cosine 0.5088; median 0.5147 21,870 SBERT pairs
High-similarity coverage 14 of 15 cases had 50%\ge 50\% successful batches threshold 0.7\ge 0.7
ATT&CK mapping 6,921 of 8,100 mapped 85.4%, p<0.001p < 0.001
End-to-end runtime under 10 minutes single interactive run

Complexity reduction is measured with Flesch–Kincaid Grade Level. Tool-generated threats have median FKGL 12.7, compared with 13.5 for expert-written threats. Because the tool FKGL distribution was highly non-normal and transformations did not normalize it, the authors used a Mann–Whitney U test, obtaining an estimated median difference of 0.7 with a 95% lower confidence bound of 0.4 and a rank-biserial correlation of approximately 0.143-0.143, which they interpret as small but real. The result is statistically significant at p=0.001p = 0.001 (Grofsky, 29 Aug 2025).

Semantic alignment is evaluated with cosine similarity between stsb-roberta-large sentence embeddings, restricted to tool–expert pairs within the same STRIDE category. Across 21,870 pairs, the mean similarity is 0.5088 and the median is 0.5147, with a maximum of 0.9420. The threshold for “high similarity” is set at 0.7\ge 0.7, and a batch is considered successful if at least one threat in that batch reaches that threshold with an expert threat of the same STRIDE class. Fourteen of the fifteen case studies exceed the target that at least 50% of batches be successful, with several cases reaching 100% (Grofsky, 29 Aug 2025).

ATT&CK mapping is evaluated as the proportion of threats mapped to non-null, valid ATT&CK attack-pattern IDs. Of 8,100 generated threats, 6,921 are mapped, giving a mapping rate of 85.4%. A one-proportion test against an 80% benchmark yields p<0.001p < 0.001, with a 95% lower confidence bound of 84.8%. By STRIDE category, spoofing and elevation of privilege map especially well at 94.0% and 91.6%, while repudiation is worst at approximately 73.5%, a result the paper attributes to the difficulty of expressing repudiation within ATT&CK’s action-centric ontology (Grofsky, 29 Aug 2025).

A further result concerns robustness to imperfect input quality. Correlations between similarity scores and the paper’s nine-criteria case-input rubric are weak to near zero. This suggests that semantic quality does not depend strongly on unusually polished inputs, beyond basic completeness, and that the system can tolerate the partial or inconsistent documentation typical of real engineering settings (Grofsky, 29 Aug 2025).

5. Operational role, limitations, and future directions

Operationally, AegisShield is positioned as a first-pass accelerator for secure design reviews. The paper describes it as suitable for SMBs and startups without dedicated security architects, for development teams integrating threat modeling early in the SDLC, and for regulated settings such as healthcare, automotive, and FAA-governed Drone-as-a-Service deployments. In the Drone-as-a-Service example, the tool generated spoofing threats such as operator impersonation and GPS spoofing, mapped them to ATT&CK techniques including Adversary-in-the-Middle (T1557) and phishing techniques, identified firmware tampering mapped to System Firmware (T1542.001), and produced corresponding DREAD scores, Gherkin tests, and a Mermaid attack tree (Grofsky, 29 Aug 2025).

The limitations are equally explicit. Some ATT&CK IDs were hallucinated and required manual filtering, amounting to approximately 1.15% of threats. ATT&CK itself contains coverage gaps for some IoT, firmware, and 5G-adjacent scenarios. The CTI layer is intentionally truncated to the top 10 CVEs per technology and the top 5 OTX pulses per sector to stay within token limits. GPT-4o is a closed general-purpose model trained on unknown data, so bias and opacity remain unresolved. The evaluation is grounded in published case studies rather than live organizational deployments, and mitigations and test cases were not deeply evaluated for effectiveness (Grofsky, 29 Aug 2025).

These constraints delimit the system’s status. AegisShield is not a complete replacement for expert analysis, not a guarantee of correct ATT&CK normalization, and not a full retrieval-augmented generation stack with a large local corpus. The paper instead recommends a human-in-the-loop workflow in which outputs are treated as a first draft, reviewed and edited before operational use. Privacy safeguards are also limited but concrete: the tool does not store data server-side and keeps state in session memory, while users are instructed not to include PII or privileged internal identifiers (Grofsky, 29 Aug 2025).

Future work is framed in terms of richer CTI and RAG, model comparison across Google, Anthropic, and Azure OpenAI variants, longitudinal studies in actual organizations, explicit integration of AI risk taxonomies such as the MIT AI Risk Repository, and better CI/CD integration. A plausible implication is that the paper is less an endpoint than a reference architecture for LLM-assisted threat modeling: one whose value lies as much in its evaluation protocol as in the current implementation (Grofsky, 29 Aug 2025).

6. Broader “AegisShield” usage in later research

Although AegisShield is introduced as a concrete threat-modeling system, later research also uses “AegisShield” as a descriptive label for protective mediation layers in adjacent domains. In 3D biometric privacy, “AEGIS: Preserving privacy of 3D Facial Avatars with Adversarial Perturbations” explicitly describes its method as an “AegisShield” for identity in 3D Gaussian facial avatars: a perturbation layer over Gaussian color coefficients that preserves geometry and animation while driving face retrieval and verification accuracy to 0%, with reported perceptual quality of SSIM =0.9555= 0.9555 and PSNR p=0.001p = 0.0010 dB in its flagship AdaFace configuration (Wolkiewicz et al., 21 Nov 2025).

In agent security, “AEGIS: No Tool Call Left Unchecked — A Pre-Execution Firewall and Audit Layer for AI Agents” presents what its details call an AegisShield system around agent tools: a pre-execution chokepoint performing deep string extraction, content-first risk scanning, composable policy validation, human approval, and tamper-evident auditing. The reported implementation supports 14 agent frameworks, blocks all 48 attacks in a curated suite before execution, incurs a 1.2% false positive rate on 500 benign tool calls, and adds 8.3 ms median latency over 1,000 interceptions (Yuan et al., 13 Mar 2026).

The same shielding motif appears in “The Aegis Protocol: A Foundational Security Framework for Autonomous AI Agents,” whose details describe an AegisShield built from W3C DIDs, NIST-standardized post-quantum cryptography, and Halo2 zero-knowledge proofs. In simulation with 1,000 agents and 20,000 attack trials, the paper reports a 0 percent success rate and a median proof-generation latency of 2.79 seconds (Adapala et al., 22 Aug 2025). Related uses also appear in work on formalized memory-safe execution of C via MSWASM and Checked C, graph-guided vulnerability reasoning with dialectical verification and meta-auditing, and governance-oriented red-teaming of AI voice agents, each using “AegisShield” or “AegisShield-style” to denote a layer that constrains action through explicit interfaces, policy, evidence, or runtime mediation rather than through unconstrained model behavior (Esmaeilsabzali et al., 5 Mar 2025, Fang et al., 21 Mar 2026, Li et al., 7 Feb 2026).

In that wider literature, “AegisShield” is therefore both a specific 2025 threat-modeling tool and a more general protective motif: a system that interposes structured checks, bounded evidence, or constrained representations between potentially unsafe generation and consequential action. The primary historical referent, however, remains the framework-driven cyber threat-modeling platform introduced in 2025 (Grofsky, 29 Aug 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to AegisShield.