Open threat-modeling benchmark Apache-2.0 239 planted flaws

Find the flaw
in the design.

TMGoat is a benchmark and dojo for threat-modeling tools and engineers โ€” 30 realistic systems across 10 sectors, each seeded with deliberate design flaws, a hidden answer key, and a scoring harness that grades you on recall (did you find the real threats?) and precision (did you avoid the noise?).

// like WebGoat & TerraGoat โ€” intentionally vulnerable. teaching material, not production.

30
fixtures
10
sectors
239
planted threats
12
intake types
3
difficulty tiers
Why it exists

Most sample architectures show a tool running. None tell you if it was right.

TMGoat makes the expected output first-class. Every fixture ships an expert-authored reference model, so a tool โ€” or an engineer โ€” can be measured, not just demoed. Run it over the inputs, export findings, get a number back.

Two tiers, one corpus

Learn in the open. Prove it on held-out ground.

Publishing every solution next to its question lets tools memorize the test. So the corpus is split.

open
Practice ยท dojo

20 fixtures โ€” full solutions

The easy and moderate tiers. Model from the inputs, use graduated hints if you're stuck, then self-score against the published answer key.

  • Solutions, hints & reference models ship in-repo
  • Score locally with harness/score.py
  • Earn Bronze โ†’ Silver โ†’ Gold per fixture
โŠ˜ held-out
Benchmark ยท leaderboard

10 fixtures โ€” keys held out

The difficult tier. Inputs are public; answer keys live in a private vault and are scored by a fixed harness โ€” so no tool is graded on answers it has seen.

  • Chained attack paths & adversarial inputs
  • Contamination-resistant scoring
  • Submit via the benchmark flow โ†’ public leaderboard
The important idea

Difficulty is subtlety, not size.

A six-component app can hide a nastier flaw than a thirty-component one. Every fixture is tagged on three independent axes โ€” so the benchmark measures reasoning, not parsing.

Can you recover a big design?

Architectural complexity

How much system there is to reconstruct from the inputs.

lowmedhigh
Can you reason to non-obvious threats?

Threat subtlety

Whether the risk is textbook or a design-level trap.

obviousdesignsubtle
Are you robust to poor input?

Input completeness

From rich and corroborating to sparse โ€” or deliberately lying.

richpartialadversarial

A tool that just runs STRIDE on each box misses the race condition, the fail-open control, the over-trusted channel, the doc that lies.

Those design threats are where the points โ€” and the risk โ€” live.

Two ways in

Sharpen an engineer, or benchmark a tool.

Engineers โ€” the dojo

Open a challenge, model it from inputs/, self-score, then study the reference. Level up per fixture.

Bronze โ€” all planted found Silver โ€” + the chain Gold โ€” + mitigations mapped

Tools โ€” the harness

Run your tool over the inputs, export findings, and score recall / precision against the key.

# practice tier โ€” keys ship in-repo
python harness/score.py \
  --expected fixtures/<sector>/<tier>/solution/threat-model.yaml \
  --findings your-findings.json
Held-out benchmark

Leaderboard coming soon

Recall and precision on the 10 held-out fixtures, scored by the shared harness. Submissions open with the benchmark flow โ€” open an issue on GitHub for early access.

#ToolRecallPrecisionChained
Be the first entry โ€” submit a run โ†—