Arrows

Inspiration

We're both security engineers who often struggle when starting to audit a new codebase. Understanding the application, the data flows, the threats... Arrows now solve this pain point.

What it does

Arrows is an AI-powered threat modeling tool that helps security professionals identify and analyze potential security vulnerabilities in applications using the STRIDE methodology. It offers two primary analysis modes:

Description-based analysis: Users can provide a detailed description of their application architecture, and Arrows will generate a comprehensive threat model.
Whitebox analysis: Users can upload or point to their codebase, and Arrows will automatically discover the architecture and components from the code. The tool creates an interactive network graph visualizing components, data flows, and trust boundaries. It then identifies potential security threats in each STRIDE category (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege), complete with risk levels, affected components, and practical mitigation strategies.

How we built it

We built Arrows using Python for the backend with Flask as the web framework. The core of the system uses LLM integration (supporting both OpenAI and OpenRouter APIs) to analyze application descriptions or codebases. For the architecture analysis, we created specialized prompts for each STRIDE category, turning the LLMs into security experts focused on specific threat types. The system processes these analyses in parallel for efficiency. The frontend uses modern web technologies including Bootstrap, JavaScript, and Vis.js for the interactive network visualization. We designed a sleek dark theme UI for better readability and a modern feel.

Challenges we ran into

Some of the major challenges we encountered :

Architecture extraction: Developing an effective approach to extract architectural components from diverse codebases.
Response formatting: Ensuring consistent JSON output from the LLM for downstream processing.
Performance optimization: Finding ways to run multiple analyses in parallel without overwhelming the system or API limits.
Visualization layout: Creating an intuitive and readable layout for complex system architectures with many components and data flows.

Accomplishments that we're proud of

Created a tool that can produce professional-quality threat models in minutes rather than days.
Developed a system that can extract meaningful architecture information from actual code.
Built an interactive visualization that makes complex security concepts accessible and understandable.
Implemented parallel STRIDE analysis to improve performance without sacrificing quality.

What we learned

Throughout this project, we gained valuable insights into:

Effective LLM prompting strategies for specialized technical domains
Techniques for code analysis and architecture discovery
Balancing between automation and human validation in security analysis
Creating interactive visualizations for complex system architectures
Exploring the field of AI applied to security

What's next for Arrows

Our roadmap for Arrows includes:

Expanding whitebox analysis to support more programming languages and frameworks
Adding support for custom threat modeling methodologies beyond STRIDE
Implementing a collaborative mode for team-based threat modeling
Creating an API for integration with CI/CD pipelines and development workflows
Adding historical tracking to monitor how threats evolve as applications change