<P> Once the ATM or OTM is constructed, the methodology specifies how potential threats are identified, enumerated, prioritized, and associated with their relevant risks and mitigating security controls . </P> <P> There are currently five tools available for organizational threat modeling: </P> <Ul> <Li> Microsoft's free threat modeling tool--the Threat Modeling Tool (formerly SDL Threat Modeling Tool). This tool also utilizes the Microsoft threat modeling methodology, is DFD - based, and identifies threats based on the STRIDE threat classification scheme . It is intended primarily for general use . </Li> <Li> MyAppSecurity offers the first commercially available threat modeling tool - ThreatModeler It utilizes the VAST methodology, is PFD - based, and identifies threats based on a customizable comprehensive threat library . It is intended for collaborative use across all organizational stakeholders . </Li> <Li> IriusRisk offers both a community and a commercial version of the tool . This tool focus on the creation and maintenance of a live Threat Model through the entire SDLC . It drives the process by using fully customizable questionnaires and Risk Pattern Libraries, and connects with other several different tools (OWASP ZAP, BDD - Security, Threadfix ...) to empower automation . </Li> <Li> foreseeti offers a commercial threat modeling tool--securiCAD . This tool focuses on threat modeling of IT infrastructures using a CAD - based approach where assets are automatically or manually placed on a drawing pane . By encapsulating complex attack trees within generalizable assets (like hosts, dataflows, firewalls, and IDS), securiCAD makes threat modeling accessible also for non-experts . By attaching an Attacker to different attack steps on available Assets, different scenarios can be simulated and analyzed . It is intended for company cyber security management, from CISO to security engineer to IT technician . The further development of securiCAD is currently a part of the EU - funded project CyberWiz . An article (in German) about CyberWiz containing some insights in the functionality of securiCAD has been published in the expert portal "Informatik aktuell". </Li> <Li> SD Elements by Security Compass is a software security requirements management platform that includes automated threat modeling capabilities . A set of threats is generated by completing a short questionnaire about the technical details and compliance drivers of the application . Countermeasures are included in the form of actionable tasks for developers that can be tracked and managed throughout the entire SDLC . </Li> </Ul> <Li> Microsoft's free threat modeling tool--the Threat Modeling Tool (formerly SDL Threat Modeling Tool). This tool also utilizes the Microsoft threat modeling methodology, is DFD - based, and identifies threats based on the STRIDE threat classification scheme . It is intended primarily for general use . </Li>

Threat modelling should be done in which stage