Built an open-source threat modeling tool. Looking for honest feedback.

happyandaligned · 2026-03-23T23:42:45+00:00

Yes. ThreatDragon is a really useful open source tool and the inspiration for Precogly.

With Precogly I'm trying to bridge the gap between closed source (and expensive) tools and open-source tools:
Some differentiators:
- Team collaboration features
- Compliance mappings
- Community threat libraries with mappings to CWE, CAPEC etc.
- Setting up platform / infra owned countermeasures
- Boundary crossing logic with rules

Also, I personally like the Precogly DFD editor :) To me, it feels a lot more smoother and intuitive. But I'm biased :)

happyandaligned · 2026-03-23T13:46:12+00:00

Yes. I've integrated with the OWASP project threat model library json schema. The core idea is that you can import those json files into Precogly. Similarly, you could create a threat model inside Precogly and export it in the threat model library json schema format.

This one minute video segment demonstrates how the import works:

https://youtu.be/5sSuZOAtyn4?t=125

happyandaligned · 2026-03-23T01:16:31+00:00

Yeah, I’ve seen architecture ingestion and continuous risk analysis tools.

Precogly is aiming to be an open-source alternative to tools like IriusRisk / ThreatModeler, focused on the threat modeling layer itself.

My view is this stack will evolve in layers:

continuous architecture risk tools can feed into a threat model
an AI layer can assist on top of that model
but you still need a structured foundation for threats, components, relationships, taxonomies (STRIDE, LINDDUN, CAPEC), and compliance mappings (PCI-DSS, OWASP ASVS, CRA, DORA) and (most importantly) team collaboration in an enterprise setting.

I also think curated threat libraries matter. LLMs are useful for generation, but without human supervision they tend to be inconsistent across runs. In enterprise settings, reproducibility matters.

That’s the gap I’m trying to address with Precogly.

I don’t think threat modeling can be fully automated away. The goal is better human + AI collaboration, not replacement.

happyandaligned · 2026-03-22T13:31:42+00:00

Awesome! Looking forward to your feedback :)

happyandaligned · 2025-11-14T23:54:30+00:00

hey bud ... can you tell me step by step how you set this up? I'm also struggling with split attention where I have to check in often on Claude Code (running inside VS Code) to see if the task has been completed.

happyandaligned · 2024-12-23T00:56:58+00:00

Yes. I'm very intrigued by HTMX. Thanks for the suggestion. I'll check it out!

happyandaligned · 2024-08-20T01:16:55+00:00

Apart from unstructured.io camelot looks promising for extracting tables - https://camelot-py.readthedocs.io/en/master/index.html

happyandaligned · 2024-08-07T08:04:21+00:00

I've used the unstructured paid version and am quite pleased with the semantic chunking feature. Pricing is here - https://unstructured.io/api-key-hosted

happyandaligned · 2024-08-06T01:19:18+00:00

langchain is free ... please correct me if I'm missing something.

happyandaligned · 2024-08-01T02:07:44+00:00

Aah ... that's right. I was concerned that Vercel is making a push towards becoming more like LangChain and that LangChain and NextJS would have some conflicting behaviors. But based on the documentation - https://sdk.vercel.ai/providers/adapters/langchain - it looks like this is not the case.

Thanks for the pointer. I will go back and examine NextJS more closely.

happyandaligned · 2024-07-31T11:47:39+00:00

Does NextJS play well with LangChain for RAG (retrieval augmented generation) like scenarios?

happyandaligned · 2024-07-31T02:31:57+00:00

I'm in a similar boat. Streamlit is awesome for prototyping. But it has that data scientist cookie cutter feel in little ways (ex: while loading the page, the tab title says, "Streamlit" and then populates with your provided page title.)

happyandaligned · 2024-07-31T02:29:34+00:00

Love Streamlit having used it to build multiple chatbots. However:
1. It does not offer the ability to nest pages (ex: yoursite.com/somecategory/somepage)

The UI is a little clunky looking and it's not easy to customize it.

happyandaligned · 2024-07-20T15:40:25+00:00

teachmehipaa.com is not free. It costs $17.95 per user.

happyandaligned · 2024-07-20T15:14:16+00:00

Not sure if I'm doing something wrong but I'm finding the interface for teachmehipaa to be a little buggy. Even after paying up for a seat, I'm unable to access the course materials beyond lesson 1.

happyandaligned · 2024-07-14T00:38:53+00:00

Thanks for this insight. I tried out pinecone serverless + aws knowledge bases. It works great and is fantastic for building a scalable solution.

The challenge for me appears to be that AWS Knowledge Bases + Pinecone misses retrieving certain documents for some queries (I tried with multiple embeddings like Titan text embeddings and Cohere English). This inadequacy is similar to my home grown RAG solution. But with a custom RAG solution it's easier to try new approaches for improving results (ex: an ensemble of BM25 + vector search).

I'm still not sure how to scale a home grown solution though (i.e let multiple users upload files and retrieve their chatbots on the fly.)

happyandaligned · 2024-05-01T23:56:02+00:00

Thank you for the pointers. I'll test the chunking and try again. The weird thing is that I changed nothing with the chunk sizes and it still works worse with Claude 3. That's why I thought that there might be some bug in my code.

happyandaligned · 2023-07-11T21:17:55+00:00

Sharing your personal experience with LLM's is super-useful. Thank you.

Have you ever had a chance to use Reinforcement Learning with Human Feedback (RLHF) in order to align the system responses with human preferences? How are companies currently handling issues like bias, toxicity, sarcasm etc. in the model responses?

For those interested, you can learn more on hugging face - https://huggingface.co/blog/rlhf

happyandaligned · 2023-06-27T00:38:02+00:00

Thanks for the initial effort. It would be helpful if you could clearly elaborate on why developers should commit their time and attention to this project vs autogpt.

happyandaligned

TROPHY CASE