
ZeroPath generates a threat model for each application it identifies in a repository. The threat model captures how the application is structured, who uses it, what trust boundaries matter, what attackers are realistic, and what parts of the codebase should be treated as out of scope. Threat models are not just notes in the dashboard. ZeroPath feeds this context back into scanner agents, triage, reachability reasoning, Dynamic Testing, and downstream prioritization so future analysis is aligned with the application you actually operate.
The Threat Model tab is currently an early-access dashboard feature. A threat model appears after a full scan identifies at least one application in the repository.

How Threat Models Are Created

Threat models are generated automatically during full scans. When ZeroPath identifies an application, it creates an application overview and, once the threat-modeling agent has enough context, a structured threat model for that application. For monorepos, a repository can have multiple application threat models. The repository Threat Model tab shows an application picker so you can review each application separately.

What You Can Edit

Each application has an Application Overview plus fixed threat-model sections:
  • Components - services and infrastructure pieces.
  • Interfaces - HTTP handlers, jobs, CLIs, webhooks, queues, and other entry points.
  • Actor Types - legitimate users, services, and integrations.
  • Authn/Authz Model - identity, authorization, tenancy, and permission rules.
  • Control Plane - security-relevant configuration and operational controls.
  • Attacker Types - realistic attacker starting positions.
  • Application-Specific Attacker Objectives - goals that matter for this app.
  • Datastores - persistent data locations and sensitivity.
  • Assumptions - deployment or architecture assumptions the scanner should rely on.
  • Out of Scope - code paths, environments, or concerns to exclude.
You can also add custom sections when your team has context that does not fit one of the fixed sections.

Editing A Threat Model

1. Open the repository
   Go to the repository in ZeroPath and select the Threat Model tab.
2. Choose an application
   If the repository contains multiple applications, choose the application from the sidebar.
3. Review generated context
   Read the application overview and fixed sections. Look for missing trust boundaries, incorrect auth assumptions, or out-of-scope paths that should be ignored.
4. Save edits
   Edit the relevant section and save. Future scans and validation workflows use the updated context.

When To Update It

Update the threat model when:
  • The application adds or removes authentication flows.
  • A new tenant boundary, role model, or admin surface is introduced.
  • A new datastore or sensitive data type becomes relevant.
  • A path or service should be explicitly out of scope.
  • A scan produces findings that reflect a wrong assumption about how the app is deployed.

Operational Notes

  • Threat models are per application, not just per repository.
  • If the tab says no applications have been identified, run a full scan first.
  • If a generated threat model is missing for an application, the next full scan can generate it.
  • Edits require permission to modify SAST configuration.
  • Dynamic Testing uses the same application context when deciding how to exercise a deployed target.