Threats Manager Studio (TMS) has gone a long way since it started in late 2017. First a mad idea, then a prototype, an internal tool to facilitate my personal work, and finally since November 2020 a free tool open to everyone.
Since its first days, TMS has been a passion project entirely funded by me. Development was fueled by my passion for threat modeling and by the intent to do something new, overcoming the many issues I was facing. I envisioned with TMS a tool that would have grown with the new use cases I found, and to test solutions for big and small problems. A crucial part of all this has been played by the feedback I’ve received from colleagues and customers. I owe you all so much!
I’ve invested a lot in TMS: its development has occupied thousands of my free hours, and has cost me over $ 1200 per year in software and services. I’ve done that gladly, because I’ve had a significant return for my investment. TMS has played a major role in getting me the recognition I’ve received inside my Company, and externally. It has provided me a unique view of threat modeling and of the threat modeling processes. Unique, because I’ve had the opportunity to experiment with new ideas and concepts, and to really understand what works and what not. This has gained me a few promotions, has allowed me to write a book with my heroes and friends, Michael Howard and Heinrich Gantenbein, and has lent me the job I’ve dreamt for over 15 years.
Unfortunately, things have changed.
After I moved to my new role, I’ve had no possibilities to use TMS. The processes I must comply with do not have a space for it. The investments my Company is making on threat modeling do not consider TMS as a possibility. I haven’t even updated TMS on my PC since August 2024!
At the same time, I must recognize that TMS has received a very tepid reception. It is a niche tool in a niche sector, and cannot compete with commercial software. I know that there are a couple of Organizations worldwide which have adopted TMS, but that doesn’t justify my investment of time and money anymore. Some parts of my Company have accepted TMS, but even them have never really supported its development.
At this point, I must stop investing on it.
The most informed and acute among you might have already seen this coming, but now it is official for everyone.
This is the sunsetting roadmap for TMS:
- Minor releases until December 2025, mostly to fix bugs requiring a limited effort.
- December 2025: last official release. Interruption of the Telemetry service.
- January 2026 – May 2026: eventual emergency releases for major issues communicated via GitHub, provided that no major effort is required.
- June 2026: interruption of support for TMS, even on GitHub.
- June 2027: retirement of the Threats Manager site.
I am not planning to retire the project from GitHub.
This roadmap is forced by the expiration dates of some services I’ve already bought or that I’m renewing now, like the Code Signing Certificate and the hosting for the site. Given that these represent significant costs, I’m not going to further extend them.
The situation might change for external factors. I cannot exclude that I might change my mind and restart active development of TMS, but for now this is my plan. Given that this is highly improbable, as of today, I must recommend whoever has adopted or is pondering the adoption of TMS to search for different tools to fit their needs. Of course, you can continue using TMS as long as you want if it is fine with you.
I’m sorry for all the troubles you might face due to this announcement.
Thank you again to everyone who supported this initiative over the years.
Threats Manager Studio 