Your threat models now have a direct line to your vulnerability management program.
We're excited to announce the launch of the DefectDojo + IriusRisk Connector, a new native integration that imports threat modeling findings from IriusRisk directly into DefectDojo for centralized vulnerability management, deduplication, risk scoring, and remediation tracking.
If your organization uses IriusRisk to model threats and identify security controls during design, those findings no longer need to live in a separate workflow. They now flow into the same platform where your SAST, DAST, SCA, container, infrastructure, and edge security results already live.
Threat modeling is one of the most effective ways to catch security issues early, before a single line of code is written. IriusRisk is one of the leading platforms for automated threat modeling, helping teams build architectural diagrams, identify threats, recommend countermeasures, and validate compliance with standards like PCI DSS, NIST, and GDPR.
But there's a disconnect that shows up in almost every security program: threat modeling outputs and vulnerability management live in separate worlds. Your threat models flag risks during design. Your scanners flag vulnerabilities during development and production. And the two rarely meet in the same dashboard, the same triage workflow, or the same compliance report.
That disconnect means security teams lose track of whether the threats they identified during design were actually addressed. Countermeasures get recommended but never verified. And CISOs are left stitching together design-time risk data and runtime scan results manually to get the full picture.
The DefectDojo + IriusRisk Connector closes that gap.
Now, threats, weaknesses, and countermeasure gaps identified in IriusRisk flow directly into DefectDojo. Once there, they're deduplicated against your scan results, risk-scored based on asset criticality, and tracked through remediation alongside every other finding in your environment. Design-time risks and runtime vulnerabilities, finally in one place.
The new IriusRisk Connector enables your team to:
Import threat modeling findings automatically. Pull threats, weaknesses, and unimplemented countermeasures from IriusRisk into DefectDojo. No manual exports. No spreadsheet reconciliation. Just structured threat modeling data flowing into your existing vulnerability management workflow.
Apply unified risk scoring. DefectDojo calculates risk based on asset criticality, vulnerability severity, and environmental context. Threat modeling findings get scored and prioritized in the same queue as your scan results, so your team knows what to address first regardless of where it was discovered.
Track countermeasure implementation. When IriusRisk recommends a security control, you can now track whether it was actually implemented by connecting it to your remediation workflow in DefectDojo. Assign it to an engineering team, push a ticket to Jira or GitHub, and track it to closure.
Report with design-to-production visibility. With IriusRisk data now part of your DefectDojo instance, your executive dashboards and compliance reports reflect security posture across the full lifecycle, from architectural design through production scanning.
Every security program talks about shifting left. But shifting left without connecting the dots means you end up with two separate security programs: one during design and one during development. Threat modeling insights stay in the threat modeling tool. Scanner results stay in the scanner. And nobody has a unified view of risk.
This connector changes that. By bringing IriusRisk findings into DefectDojo alongside 200+ other security tool integrations, you get true lifecycle visibility. You can answer questions that were previously impossible without manual effort: Did the threats we modeled actually get addressed? Are our countermeasures implemented? Where are the gaps between what we designed and what we shipped?
Your security stack is unique. Your vulnerability management platform should support that, not fight it.
Setting up the DefectDojo + IriusRisk Connector takes just minutes:
For detailed setup instructions, visit our documentation at docs.defectdojo.com.
If you're already a DefectDojo Pro customer, the IriusRisk Connector is available now. If you're exploring DefectDojo for the first time, there's never been a better moment to see how centralized vulnerability management transforms the way your team operates.
DefectDojo is the leading open-source and enterprise vulnerability management platform, trusted by security teams worldwide to consolidate, deduplicate, and manage findings from 200+ security tools. Learn more at defectdojo.com.