AI Disclaimer

Last updated: March 2026

Document ID: TK-AI-001 | Effective Date: March 2026

How ThreatKrew Works

ThreatKrew uses large language models (via Amazon Bedrock with Anthropic Claude) across a multi-stage pipeline to analyse your architecture documents and generate threat models. Each assessment runs through independent stages — architectural analysis, threat identification, and remediation planning — with structured validation and error correction between stages.

We have built verification, deduplication, and quality scoring into the pipeline. But at its core, every finding is generated by AI. And AI has inherent limitations that you need to understand.

AI Systems We Use

ThreatKrew currently employs the following AI models:

  • Claude Sonnet (via Amazon Bedrock): Primary threat analysis engine — generates STRIDE assessments, MITRE ATT&CK mappings, and NIST SP 800-53 remediations.
  • Claude Haiku (via Amazon Bedrock): Classification and routing tasks.

All AI processing is subject to Anthropic’s zero-day data retention policy — your architecture documents are not stored by Anthropic after processing and are never used for model training.

What AI Can Get Wrong

AI-generated threat models can contain errors. Specifically:

  • False positives. The system may flag threats that don’t apply to your specific context, configuration, or deployment model.
  • False negatives. The system may miss threats — especially novel attack vectors, zero-day vulnerabilities, or risks specific to bespoke or proprietary systems.
  • Hallucinated mappings. MITRE ATT&CK technique IDs, NIST SP 800-53 control references, or STRIDE categorisations may occasionally be inaccurate or misattributed.
  • Input dependency. The quality of the analysis depends heavily on the quality and detail of your input architecture document. Vague or incomplete descriptions produce vague or incomplete threat models.
  • Context limitations. The system doesn’t have visibility into your runtime environment, actual configurations, network topology, or operational practices. It analyses what you describe, not what you’ve deployed.

What ThreatKrew Is

ThreatKrew is a tool to accelerate and augment threat modelling. It’s designed to give you a structured starting point for security analysis, surface threats you might not have considered, map findings to established frameworks (STRIDE, MITRE ATT&CK, NIST SP 800-53) with evidence traceability, and deliver a first draft in around 15 minutes so your team can focus on review and remediation.

What ThreatKrew Is Not

  • Not a replacement for security professionals. AI can identify patterns. It can’t replace the judgement of an experienced security architect who understands your business context, threat landscape, and risk appetite.
  • Not a compliance certification. A ThreatKrew report does not certify compliance with any standard, regulation, or framework — including the ones we reference (NIST, MITRE, etc.).
  • Not a guarantee against breaches. No tool, methodology, or team can guarantee you won’t be breached. ThreatKrew reduces risk. It doesn’t eliminate it.
  • Not a substitute for penetration testing, code review, or security architecture review. These are complementary activities. ThreatKrew works alongside them, not instead of them.

Our Governance Framework

ThreatKrew’s AI usage is governed by an internal AI Governance Policy aligned with ISO/IEC 42001:2023 (target-state) and the NIST AI Risk Management Framework. Key principles: transparency, explainability, fairness, safety and security, human oversight, and privacy.

All AI outputs are recommendations. Users control all decisions. There are no autonomous actions.

Your Responsibility

  • Review and validate all findings. Treat ThreatKrew output as a starting point, not a final answer. Every finding should be reviewed by someone who understands your system.
  • Engage qualified professionals for critical systems. If you’re building something where security failures have serious consequences, work with experienced security professionals.
  • Don’t rely on any single tool. ThreatKrew should be one part of your security programme — not the whole thing. Combine it with manual review, testing, and ongoing monitoring.

Our Commitment

We continuously improve our analysis pipeline, add verification stages, and are transparent about what our system can and can’t do. We’d rather under-promise and over-deliver than the reverse.

If you find an issue with our analysis — a false positive, a missed threat, or an incorrect mapping — we want to hear about it. Reach out at feedback@threatkrew.io.

For the full legal terms, see our Terms of Service.