About the project

Objectives

High-level summarised technical objectives for the public:

1. Simplify and strengthen threat modeling for developers and SMEs

Make threat modeling tools easier to use and more effective through multi-factor guidance, automation and integration into everyday development workflows.

2. Understand and reduce common software risk patterns

Analyse how developers design and implement systems, identify frequent risk patterns and provide practical guidance to prevent, mitigate and eliminate threats throughout the project lifecycle.

3. Build awareness, skills and a collaborative community

Raise awareness of threat modeling and its benefits, involve developers, SMEs, experts and authorities, and create a community that shares templates, experiences and best practices.

4. Align with EU cybersecurity strategies and support compliance

Map and integrate relevant EU cybersecurity legislation and strategies, and embed legal and policy requirements into the tools to support audits, preparedness and market adoption.

5. Prepare the solution for large-scale uptake and market exploitation

Ensure that IRIUSCOMMED is accepted by developers and organisations, evaluated in real-world use, and ready for successful commercial and community-driven deployment.

6. Increase the effectiveness and usability of threat modeling tools

Apply a multi-factor approach that reduces noise for developers, improves communication between security and development teams, expands the catalogue of functional security solutions and builds a community that continuously improves risk identification and threat mitigation.

7. Map and analyse common risk patterns in software design

Study the most frequent risks developers encounter when designing architectures and systems, implement workflows that reflect these patterns, and help developers understand which code changes and design decisions are needed to apply threat models effectively.

8. Reformulate how to counter major cyber threats through design

Use threat modeling to better mitigate and eliminate threats such as malware, phishing, exploits and denial-of-service attacks by identifying the risk patterns behind them and proposing design-level measures that limit the threats developers face across the project lifecycle.

9. Scale and automate the threat modeling process

Automate as many steps as possible – such as component identification and risk assessment – to minimise uncertainty for users, improve understanding of the tool and increase efficiency and effectiveness while reducing human error.

10. Improve the entire threat modeling value chain in EU member states

Analyse the status of EU cybersecurity legislation, strategies and market pathways for digital solutions, and propose ways to make this information accessible so organisations can design more viable, compliant and collaborative technology platforms and systems.

11. Raise awareness of threat modeling and its benefits

Engage companies, organisations, SMEs and critical infrastructures, as well as citizens, policymakers, experts, technology associations and industry leaders, to promote realistic and achievable security prevention policies – especially for SMEs.

12. Evaluate developer perception and adoption of the solution

Assess how developers use and accept the tool in their daily work by monitoring the number and completeness of threat models, their components and the time required, and then test and refine the solution at larger scale.

13. Prepare for successful market implementation and exploitation

Validate the solution as a response to market needs in the face of growing cyber-attack exposure, integrate specific legal and secure-coding requirements linked to different jurisdictions, and ensure that these are applied automatically during architecture design.

14. Develop a rich library of templates for different technologies

Create and share templates adapted to different types of technological solutions and architectures, enabling untrained programmers to learn and apply threat modeling without needing to know all possible scenarios, while fostering community-driven template creation and reuse.

15. Automate threat and counter-threat management in everyday tools

Build automations for threats and counter-measures based on architecture-specific designs and manage them through familiar tools (such as Jira), so developers can learn common risk patterns and apply cybersecurity practices without prior specialist knowledge.

16. Design and execute a strong dissemination and communication plan

Reach as many developers, SMEs and relevant stakeholders as possible, improving knowledge of cybersecurity and threat modeling, and informing national authorities and policymakers who may ultimately adopt threat modeling as a mandatory practice for building digital solutions.

What is Threat Modeling & Zero Trust?

Zero Trust is the security philosophy that complements threat modeling:

“Never trust, always verify.”

Instead of assuming that users, devices or services inside your network are safe, Zero Trust treats every access request as potentially hostile. It relies on strong identity, least privilege, segmentation and continuous verification.

Threat modeling is a structured way of asking:

“How could my system be attacked, and what can I do in the design so that those attacks fail?”

Instead of waiting for vulnerabilities to appear in production, threat modeling looks at:

  • The architecture of your application (components, APIs, services, data stores).
  • The data flows between those components.
  • The assets that need protection (customer data, intellectual property, services, etc.).
  • The different threats and risk patterns that could affect them.

From there, it defines concrete security requirements and countermeasures before or while you write the code. This makes security proactive, not reactive, and dramatically reduces the cost and impact of fixing issues later. In IRIUSCOMMED, threat modeling provides the method and tooling, while Zero Trust provides the guiding principles. Together they ensure that new software is designed from the start to resist modern cyber-attacks, not just patched after something goes wrong.

Why choose IRIUSCOMMED?

Simple: Most threat modeling tools today are powerful but too complex for non-experts.

They demand deep security knowledge, time and training that many SMEs and developers simply don’t have. As a result, threat modeling is far from being the everyday, transversal tool it needs to be.

IRIUSCOMMED is designed to CHANGE that.

The project directly tackles the main obstacles that limit the mass adoption of threat modeling and the training gap developers face:

From security jargon to ---> developer language

IRIUSCOMMED introduces specific innovations to simplify and translate security knowledge into concepts that any developer can understand and act on. Instead of forcing developers to “become security experts”, the tool guides them step by step, showing relevant components, data flows, threats and mitigations in a familiar way.

Integrated into ---> daily development work

Threat modeling is positioned as “just another tool” in a developer’s day, not a separate, one-off exercise. By integrating with existing workflows and tools, IRIUSCOMMED helps developers continuously eliminate threats, mitigate risks and recognise risk patterns as they design and evolve their systems.

From niche practice to ---> transversal capability

By lowering the entry barrier, automating complex steps and embedding learning into the tool itself, IRIUSCOMMED aims to make threat modeling a transversal capability: something any team can use, across sectors, regardless of prior cybersecurity expertise.

From isolated cybersecurity efforts to ---> a growing risk-pattern value chain

The project doesn’t stop at a static rule set. It aims to grow a dynamic value chain of risk patterns: how threats are discovered, shared, refined and reused by the community. This turns threat modeling into a living ecosystem where every new project can benefit from the experience of many others.

From lab prototype to ---> real-life validation (TRL 6/7+)

IRIUSCOMMED will be implemented and validated at TRL 6/7 or higher, meaning the innovations are tested in realistic, operational environments – close to market conditions. Both the technical viability (does it work in real projects?) and the economic viability (is it worth it for companies and SMEs?) will be assessed through their direct impact on society and the developer community.

Results

The project has achieved all the milestones predicted, including the creation of software prototypes and the generation of design and validation reports. 

The ACSDA tool has been tested and continuously improved, contributing to the security of cloud applications. Results include the detection of new vulnerabilities and the implementation of effective security fixes.

EU Financial Support

This project has received financial support from the European Union, which has been crucial for its development and success. The funding has allowed IriusRisk to invest in research and development, as well as in the continuous improvement of its cybersecurity platform.

Logos of the European Union with text 'Funded by the European Union NextGenerationEU', the Spanish Government Ministry of Economic Affairs and Digital Transformation, red.es, and the Plan de Recuperación, Transformación y Resiliencia.