● Free tool · runs locally · your code never leaves your machine

Threat-model your app with your own AI agent

Pick a security category, copy the prompt, and paste it into the AI coding agent you already use (Claude Code, Cursor, Codex…). It reads your codebase and produces a two-part report: an audit of your code that finds the security bugs and integrity flaws, and the runtime detections & mitigations to build — so you harden security at both the code level and the runtime level.

What is threat modeling — in plain words

Threat modeling is asking, for one area of your app: “what could an attacker do here, and are we protected?” — then writing it down as a checklist of concrete threats, each mapped to the fix and the way you’d detect it. Instead of doing that by hand, you hand a focused, expert prompt to your AI agent and it does the legwork against your actual repo. You get two complementary outputs:

Find the threats & bugs in your code

The Code Findings report audits your real files and lists each weakness with a file:line, the exact risk, a severity, and the described fix — missing auth checks, injection sinks, leaked secrets, unpinned dependencies, weak CSP, and more. It’s an audit: it describes fixes, it never edits your code.

Build the detections & defenses at runtime

The Detection & Mitigation report is the operational runbook: ready-to-run rules that catch the attack in live traffic, plus the edge controls to contain it (firewall, rate-limit, challenge, block, revoke). Code fixes close the hole; runtime detection catches anyone who tries — together that’s robust security at the code and runtime level.

How it works — 4 steps, a couple of minutes

  1. Install SecureNow in your project

    In your repo’s terminal. (Optional but recommended: npx securenow login connects it to your free account so the prompt can ground its rules in your real setup.)

    $ npm install securenow
    $ npx securenow login

  2. Copy a category’s prompt

    Pick any of the 25 categories below and hit Copy prompt.

  3. Paste it into your AI coding agent

    Open Claude Code, Cursor, Codex (or similar) at the root of your project and paste. The agent inventories your code, enumerates the threats, and audits your files — all in your environment.

  4. Open the report it generates locally

    It writes four files into a new threat/<category>/ folder in your repo — two Markdown reports and two self-contained HTML pages. Just double-click the …-code-findings.html and …-detection-mitigation.html to open them in your browser — no server, no internet needed.

    threat/<category>/
    ├─ <category>-code-findings.html    # the code audit (open this)
    ├─ <category>-code-findings.md
    ├─ <category>-detection-mitigation.html # rules & defenses (open this)
    └─ <category>-detection-mitigation.md

🔒 It runs locally — your codebase never leaves your machine

There is nothing to upload and no codebase to share. The prompt runs inside the AI agent you already trust, on your own computer or CI, reading your files locally and writing the report locally. SecureNow never receives your source code. The only network call the prompt may make is the optional securenow CLI talking to your own SecureNow account (to ground rule names/columns in your real setup) — and even that is optional. The reports themselves are self-contained HTML with no trackers and no external requests.

  • No code upload — the agent reads files in place
  • Reports are offline, self-contained HTML
  • It audits and describes fixes — never edits your code
  • Works on any stack the agent can read

Browse the 25 threat categories

Each is a self-contained, copy-paste prompt mapped to OWASP / API / LLM frameworks. Copy one, or open it to read the full prompt first.

Web app · 12

#01 · A07 · A01 · API2

Authentication

Login, sessions, password reset, MFA, and account-takeover paths.

#02 · A01 · API1 BOLA · API5 BFLA

Authorization

BOLA/IDOR, broken function-level auth, mass assignment, privilege escalation, multi-tenant.

#04 · A03 · A05 · A07

XSS / CSRF / CORS

Client-side injection, cross-site request forgery, and cross-origin misconfiguration.

#05 · A08 · A06 · PCI 6.4.3

Client-Side Supply Chain

Magecart, tag managers, analytics pixels, CDN scripts, and SRI/CSP on shipped code.

#06 · A03 · CWE-89/78/94

Injection (SQLi / RCE / SSTI)

SQL/NoSQL injection, command injection, SSTI, and path traversal — server-side sinks.

#07 · A07 · A01 · API2

OAuth / SSO / Integrations

OIDC/SAML flows, PAT/API tokens, and third-party app access & consent.

#08 · A01 · API5 · API1

Admin & Support Tools

Internal consoles, impersonation, bulk operations, and support back-doors.

#09 · API6 · A04

Payment & Business Logic

Checkout, refunds, coupons, race conditions, and money-flow abuse.

#10 · API4 · API8 · A01/A03

File Upload / Download

Ingest, media processing, and serving of user-supplied files.

#11 · API4 · API6 · A04

Messaging & Notifications

Email/SMS/push abuse, toll-fraud, spoofing, and outbound-comms flows.

#12 · API4 · API6

Rate Limits & Abuse

Flooding, scraping, enumeration, and bot anti-automation.

#13 · API9 · API8

Legacy Endpoints

Deprecated, shadow, and non-prod routes — inventory drift.

API · 4

#14 · API1–API10:2023

API Security — OWASP API Top 10

The full OWASP API Security Top 10 (2023) for your HTTP/REST surface.

#15 · API4 · API1/3/5 · A03

GraphQL Security

Introspection, query cost/depth, batching, and resolver authorization.

#16 · API6 · API8 · API7 SSRF

Webhooks

Inbound signature/replay verification and outbound SSRF on dispatch.

#17 · API1 · API4 · API5

Realtime — WebSocket / SSE

Long-lived & streaming connections: authz, resource use, message abuse.

Cloud / Serverless / Infra · 5

#18 · Serverless Top 10 · API4

Serverless & Edge

FaaS & edge functions, event-source injection, and denial-of-wallet.

#19 · A05 · Cloud-Native · CIS

Cloud Infrastructure

Network/SG, compute, containers/k8s, and IaC misconfiguration.

#20 · A02 · A05 · API7 (IMDS)

Secrets & Cloud IAM

Key exposure, IAM role escalation, assume-role chains, and IMDS-SSRF.

#21 · A02 · A05 · A08

DNS / TLS / Certificates

Subdomain takeover, certificate posture, and transport trust.

#22 · A08 · A06 · API9

Supply Chain & CI/CD

Dependency integrity, pipeline injection, and artifact signing & provenance.

Platform / Cross-cutting · 3

#23 · A01 · A09 · API8

Storage & Logs

Object storage and telemetry: at-rest access and log leakage.

#24 · A01 · A02 · API3 BOPLA

Data Privacy / PII

PII inventory, redaction, retention, and over-returned response fields.

#26 · A02 · A05 · A07

Secret & API-Key Hygiene

Secret-leak detection across code, history, bundles & logs — rotation & vaulting.

AI / LLM · 1

#25 · OWASP LLM Top 10 (2025)

AI / LLM Features

Prompt injection, agents & tools, RAG, and denial-of-wallet.

Find the bugs. Build the defenses. Both, free.

Start with one category that matters most for your app — authentication, payments, or your API surface — and work outward. When you’re ready to catch these threats live, SecureNow turns the detections into running rules.

$ npm install securenow