ThreatTree

Plans & Pricing

Start free — no credit card required. Upgrade anytime. Your data is always yours and exportable.

Free

$0

Everything you need to start threat modeling — model one main system, a side project, and a practice environment. No credit card, forever free.

  • Up to 3 forests
  • Up to 3 DFDs per forest
  • Up to 5 Attack Trees per DFD
  • Data Flow Diagrams
  • Attack Trees with AND/OR logic
  • MITRE ATT&CK alignment
  • Risk register
  • Map risks to standards: ISO 27001, NIST SP 800-53, NIST CSF 2.0, CIS Controls v8, SOC 2, OWASP Top 10 & ASVS
  • Optional AES-256-GCM encryption — you control the key
Your browser generates the AES-256-GCM key, encrypts everything locally, then downloads the key and emails it to you. The server stores only ciphertext — the key never leaves your device.

Enterprise

Quote on request

Pricing depends on org size & requirements

For large organisations with advanced security, compliance, and integration needs.

  • Everything in Pro
  • SSO / SAML
  • Audit logs
  • STIX 2.1 export
  • Dedicated support & SLA
  • Custom integrations
Get a quote

No commitment — we'll get back to you within 24 to 72 hours

Frequently asked questions

Do I need a credit card to sign up?

No. The Free plan requires no payment information — just create an account and start building.

How does forest encryption protect my threat models?

When you lock a forest, your browser generates a unique AES-256-GCM key, encrypts every node label, edge annotation, diagram name, and property locally, then downloads the key as a JSON file and emails it to you. The server stores only ciphertext and never sees the plaintext key. To unlock, upload the key file or paste the base64 string. Without the key the data is unreadable — even after a full database breach. Available on every plan, including Free.

How is Pro and Enterprise pricing determined?

Pricing is based on the number of users and the size of your organisation. Submit a quote request and we'll send you a tailored proposal within 24 to 72 hours.

What happens when I hit the Free plan limits?

You'll see a clear message explaining the limit. Your existing forests and trees remain fully accessible — only creating new ones is blocked until you upgrade.

Can I export my data if I cancel or downgrade?

Yes. You can export any forest as JSON at any time — no lock-in. If you downgrade from Pro to Free, your forests are not deleted; you simply cannot create new ones beyond the Free limits until you upgrade again.

Is there a free trial of Pro features?

We don't currently offer a timed trial, but the Free plan is fully functional for individual use and small projects. If you'd like to evaluate Pro features for your team, get in touch at hello@threattree.com and we'll work something out.

Why use ThreatTree instead of a spreadsheet or drawing tool?

Draw.io + Excel gets you started, but it doesn't link diagrams to risk entries, can't rank threats automatically, has no standards mapping, and produces no audit-ready PDF. ThreatTree keeps your DFD, attack trees, risk register, and control mappings in one place — so when an auditor or stakeholder asks why you prioritised a risk, the answer is traceable rather than anecdotal.