Threatlas vs IriusRisk
Threatlas vs IriusRisk
Both are automated threat modeling platforms, and both are EU-built — so the real decision is where the AI runs and how independent the vendor is. IriusRisk’s assistant runs on OpenAI’s cloud; Threatlas runs self-hosted open models on your own infrastructure.
The short version
IriusRisk is the established player — a decade old, EU-built in Spain, ISO 27001 certified, with a broad pre-built content library and a free Community Edition. As of January 2026 it’s part of ThreatModeler. Threatlas is the independent, data-sovereign challenger: the same automated, agentic approach, but able to run self-hosted AI models on your own infrastructure — air-gapped if needed — instead of calling out to a cloud model. If you need the broadest off-the-shelf catalog, IriusRisk is strong. If you can’t hand your code to a cloud AI, that’s where Threatlas is built to win.
Side by side
Based on publicly available information as of June 2026. “Not publicly documented” means the vendor hasn’t published that detail — not that it’s absent.
| IriusRisk | Threatlas | |
|---|---|---|
| Approach | Diagram-driven modeling plus an inference rules engine (Drools) over a security-pattern library. “Jeff” AI assistant generates models from text or images. | Agentic platform on a structured security knowledge graph — threats, controls, frameworks, and components, linked. |
| AI models | “Jeff” AI assistant powered by OpenAI (cloud). Self-hosted / bring-your-own-model: not publicly documented. | Frontier models, plus self-hosted open models (e.g. Qwen, Llama) running fully on-premises. |
| Deployment | SaaS, plus on-premise for Enterprise. Free Community Edition (SaaS, limited to 3 models). Air-gapped: not publicly documented. | Managed SaaS (EU & US) plus on-premises / air-gapped deployment. |
| Data control & ownership | ISO 27001 certified. EU-built (Spain) — now part of ThreatModeler (US, Invictus Growth Partners) since January 2026. | Zero data retention and data-residency options; built in the EU, independent. |
| Integrations | Jira, Azure DevOps, ServiceNow, GitHub Issues, Python CLI (MCP), Terraform, CloudFormation, AWS import (beta). GitLab / Bitbucket: not publicly documented. | GitHub, GitLab, Jira, Jenkins, Confluence. |
| Security content | Broad: 14+ regulatory frameworks, 22+ standards (NIST, OWASP, MITRE ATT&CK, CWE, IEC 62443, ISO 21434). Created the Open Threat Model (OTM) standard. | NIST, OWASP, ISO 27001, PCI DSS, CIS, STRIDE, MITRE ATT&CK, CWE — and fully extensible with your own frameworks and controls. |
| Company | Founded 2015, Spain; ~$29M Series B; hundreds of customers including major global banks. Acquired by ThreatModeler, January 2026. | Built by AppSec practitioners from Europe’s tier-1 financial sector; EU & US. |
| Maturity | Established platform; hundreds of customers and tens of thousands of threat models. | Private beta with a select group of design partners. |
When IriusRisk is the right call
- You need the broadest mature, off-the-shelf content library on day one — 14+ regulatory frameworks and 22+ standards, including IEC 62443 and ISO 21434 for industrial and automotive.
- You want to start for free — the Community Edition lets you build a few threat models at no cost.
- You prefer a diagram-first workflow on an established rules engine with a large existing customer base.
When Threatlas is the better fit
- You can’t send source code or architecture to a cloud AI — IriusRisk’s “Jeff” runs on OpenAI cloud, whereas Threatlas runs self-hosted open models on-premises, air-gapped.
- You want an independent platform rather than one now folded into a larger enterprise group (ThreatModeler / Nexus).
- You want a knowledge-graph-native agentic platform, fully extensible to your own frameworks and controls, with EU data residency and zero retention.
Threatlas vs IriusRisk — FAQ
Is Threatlas an alternative to IriusRisk?
Yes. Both are automated threat modeling platforms. Threatlas is a strong fit when you need self-hosted AI models running on-premises or air-gapped, an independent vendor, and a knowledge-graph-native agentic approach. IriusRisk brings a larger, longer-established content library and a free Community Edition.
What’s the main difference between Threatlas and IriusRisk?
The sharpest difference is where the AI runs. IriusRisk’s “Jeff” assistant is powered by OpenAI in the cloud, while Threatlas supports bring-your-own-model with self-hosted open models (such as Qwen and Llama) running fully on-premises for air-gapped, regulated environments. IriusRisk offers a broader, more mature pre-built content library.
Is IriusRisk still an independent company?
No. IriusRisk was acquired by ThreatModeler in January 2026 (majority owner Invictus Growth Partners) and combined under the ThreatModeler Nexus platform. If you’re comparing the combined enterprise offering, see our Threatlas vs ThreatModeler Nexus comparison.
Can Threatlas run AI fully on-premises?
Yes. Threatlas supports self-hosted open models running fully on-premises for air-gapped, regulated environments, paired with zero data retention and data-residency options.
See where your code and your models actually run.
Threatlas is in private beta with a select group of security teams. Request a demo to see on-prem, self-hosted AI threat modeling on your own stack.
Request a demoCompare Threatlas to other tools
IriusRisk® is a trademark of its respective owner. Threatlas is not affiliated with, endorsed by, or sponsored by IriusRisk or ThreatModeler. This comparison is based on publicly available information as of June 2026 and is provided for general information; “not publicly documented” indicates details the vendor has not published.