Link Search Menu Expand Document

OWASP Threat Dragon

Threat Dragon comes in two variants, desktop application and web application.

Desktop application install instructions

Installable versions are available for download from the OWASP GitHub area:

  • Windows (64 bit) installer
  • MacOS installer
  • Linux snap, AppImage, debian and rpm installers

Linux installer and AppImage

Packages for both Debian and Fedora Linux on AMD64 and X86-64bit platforms can be downloaded from the releases folder. Alternatively a platform independent snap installer can be downloaded, or use the AppImage provided.

MacOS installer

Download the .dmg MacOS installer from the releases folder. Open the download and drag ‘OWASP Threat Dragon’ to the application directory. When the copy has finished then Threat Dragon can be run from launchpad or Finder -> Applications.

If an error message pops up when running for the first time, along the lines of ‘OWASP Threat Dragon cannot be opened because the developer cannot be verified’ or “OWASP ZAP” cannot be opened because the developer cannot be verified, macOS cannot verify that this app is free from malware then follow this FAQ to resolve this.

Windows installer

Download the Windows .exe installer from the releases folder. Run the installer and invoke the application from the shortcut. The current versions of the desktop application are not code-signed, so you may get a warning when installing.

Command line using npm

For the latest versions of code between releases, npm can be used to install and run Threat Dragon locally:

git clone

npm install

Then to run it:

npm run start

There is a limited command line interface, with help:

npm run help

For example to export a given threat model file to pdf :

npm run pdf ./threat-model.json