TITO reads your code and builds the threat model for you:
go install github.com/Leathal1/TITO/v2/cmd/tito@latest
tito scan --repo .
What you get in ~60 seconds:
- STRIDE-LM classification — threats categorized by Spoofing, Tampering, Info Disclosure, DoS, Elevation of Privilege, Lateral Movement
- MITRE ATT&CK mapping — every finding linked to real-world attack techniques
- Attack path analysis — how individual findings chain into realistic breach scenarios (think BloodHound for app-layer threats)
- MAESTRO analysis — maps threats across agentic AI security layers (if your code uses LLMs/agents)
- Compliance mapping — PCI DSS v4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA
- Interactive 3D visualization — explorable data flow diagrams with attack path overlays
- PR threat diffing — catch security regressions on every pull request
Under the hood it runs Semgrep for static analysis, detects your architecture (monolith, microservices, serverless, AI/ML), and layers threat intelligence on top.
Single binary. No config files. No accounts. No data leaves your machine.
The Cloud Security Alliance is listing TITO as a community implementation of their MAESTRO framework for agentic AI security.
CI/CD integration:
- uses: Leathal1/TITO@v2
  with:
    maestro: true
    fail-on: critical
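For context, here is the step above placed in a complete workflow file. This is an added example, not from the post or the TITO repository: the action reference and the maestro / fail-on inputs are the ones shown above, while the workflow name, triggers, permissions block and the actions/checkout step are my assumptions about how one would normally wire a repository scanner into CI.

```yaml
# Added example: a full GitHub Actions workflow around the TITO step from the post.
# The action reference and the `maestro` / `fail-on` inputs come from the post;
# the workflow name, triggers, permissions and the checkout step are assumptions.
name: threat-model

on:
  pull_request:          # lets the PR threat diffing run on every pull request
  push:
    branches: [main]

permissions:
  contents: read         # least privilege: the scan only needs to read the checkout

jobs:
  tito:
    runs-on: ubuntu-latest
    steps:
      # The scanner reads the repository, so the source must be checked out first
      - uses: actions/checkout@v4

      - uses: Leathal1/TITO@v2
        with:
          maestro: true        # include the MAESTRO agentic-AI layer analysis
          fail-on: critical    # fail the job when a critical finding is reported
```

With `fail-on: critical` the job fails on critical findings only; lower-severity findings are still reported but do not block the merge, which is a sensible starting threshold before tightening it.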
Technical details: written in Go, ~15K LOC, MIT licensed. GitHub Action on the Marketplace. Docker images available.

I'd love feedback — especially from folks doing AppSec or building AI agents. What frameworks or compliance mappings would be most useful to add?
GitHub: https://github.com/Leathal1/TITO