Introduction
This article is an English translation of the following article.
https://qiita.com/amarelo_n24/items/997a8fb958e14291ce94
At the AWS Summit New York City on June 17, 2026, the public preview of the AWS Security Agent threat modeling feature was announced.
Having previously conducted a code review, I wanted to try out various aspects of the threat modeling feature during its public preview, and so I did.
https://aws.amazon.com/jp/about-aws/whats-new/2026/06/aws-security-agent-threat-modeling/
This article represents the author's personal views. As it is based on personal testing, please use it only as a reference.
What is Threat Modeling?
Let's start by explaining what "threat modeling" is.
Threat modeling is a series of activities aimed at improving security by identifying threats and defining measures to prevent or mitigate their impact on a system.
*Quoted from the OWASP website
https://owasp.org/www-community/Threat_Modeling
About AWS Security Agent Threat Modeling
This feature identifies threats and suggests recommended countermeasures using the STRIDE framework, based on an overview of the application architecture from design documents or application source code.
SEC01-BP07 of the AWS Well-Architected Framework's security pillar describes identifying threats using threat models. I believe the Security Agent threat modeling feature was released to assist in building according to the Well-Architected Framework.
What is STRIDE?
The following is an acronym for major threats. It is one of the threat modeling analysis methods that analyzes threats from these perspectives.
| Category | Description |
|---|---|
| Spoofing | Impersonation |
| Tampering | Tampering |
| Repudiation | Denial |
| Information disclosure | Information disclosure |
| Denial of service | Denial of service |
| Elevation of privilege | Privilege escalation |
https://learn.microsoft.com/ja-jp/azure/security/develop/threat-modeling-tool-threats#stride-model
Trying out threat modeling
Let's try out the AWS Security Agent threat model.
When starting the Security Agent for the first time, you need to create an agent space. Instructions for creating an agent space are described in a previous article from a code review.
https://dev.to/aws-builders/its-not-too-late-make-your-aws-security-agent-debut-with-a-code-review-5egk
① Open the Security Agent screen.
② Click "Start with web app".
③ Click "Create threat model".
④ Select the repository where you want to run the threat model, the functional specification (design document, etc.), the service role to grant access to, and the CloudWatch log group, then create the threat model.
⑤ Click "Start Running" to begin running the threat model.
*You can also view the processing details of the threat model while it's running.
⑥ When the status changes to "Completed," the threat model execution is finished. This time it took about an hour.
Checking Threat Model Execution Results and Outputting Reports
Clicking on a completed threat model allows you to view the total detection results, threats by category, and analysis results for the target web application.
Clicking the "Threat" tag allows you to view details of the detected threats.
Clicking "Generate Report" in the upper right corner of the screen will generate a PDF report. This allows you to share information with people who cannot access the Security Agent.
I ran it in the Tokyo region, but the execution result screen and report were in English. I hope for Japanese language support in future updates.
(Question) Does it not detect web applications created for vulnerability assessment tool verification?
While not exactly a major setback, we encountered a case where the threat model failed to identify (or could not identify) a threat.
Initially, we ran the threat model on a repository containing a web application created for Security Agent verification (created using a generative AI, but I won't go into detail about which one). However, Security Agent determined that there was no threat.
Reading the purpose of the execution target analyzed by the Security Agent, there was a description that determined that "the defect is not a bug to be fixed, but rather something to be evaluated"...
Possible Cause
- When instructing the generating AI to create a test application, "Security Agent Because it included the phrase "for operational verification," the repository name suggested a Security Agent PoC (Proof of Concept).
- The README also stated that it was a "site dedicated to security testing."
*Part of the README content
It's possible that the Security Agent learned of this information while running the threat model and determined that there was no problem even if a threat existed. Since these two things haven't been changed and run, this remains speculation, but if traces suggesting it was for security tool verification remain in the repository, it's possible it might be judged as not being a problem.
After this, the repository was recreated. The instructions for recreating the repository were made without including any instructions such as "for Security Agent operational verification" or "for vulnerability assessment tool testing." We were able to detect threats by running a threat model on that repository.
Impressions: Implementing threat modeling solely through human effort is extremely difficult.
As I also realized when conducting code reviews, identifying vulnerabilities and threats solely through human effort is incredibly challenging. There aren't many people with the necessary knowledge, and I realized the enormous resources required to create a secure environment.
I also realized that effectively using agents like Security Agent to identify vulnerabilities and threats can significantly improve the resolution of the impact on the system.
However, I don't believe that all the results from the agent are always correct. Depending on the web application's configuration, there may be over-detection, and some low-risk threats may require early intervention. The final decision on whether to address the results and the final triage of threats absolutely must be made by a human.
In conclusion
Although I was familiar with the term "threat modeling," I hadn't delved deeply into what it entailed or what it could reveal. Therefore, I'm glad I was able to experience a part of it by implementing the Security Agent threat model.
Since it will likely cost a considerable amount once it becomes generally available (GA), I plan to use Security Agent in the preview version, where there are no costs involved, to learn more about code review and threat modeling. I hope Security Agent will be a good opportunity to make vulnerability assessment and threat modeling more accessible.
I hope this article is helpful to someone.
Thank you for reading to the end!
Top comments (0)