VerSprite, one of the global leaders in risk-based threat modelling and the firm behind the PASTA (Process for Attack Simulation and Threat Analysis) methodology, announced on June 26th the general availability of Fork, a continuous application threat modelling platform, alongside Knife, an AI-led, human-on-the-loop adversarial testing platform for web applications and web API endpoints. Together, the two products operationalise a new model for product security—one where applications are securely designed, continuously modelled, and actively tested as part of the build process itself.
The launch addresses a problem every security leader knows but few tools have solved: threat modelling is essential, never more so than in an AI-driven era, yet it has remained slow, manual, and anchored to frameworks designed for a different threat landscape.
The problem: threat modelling matters more than ever—and most tools are stuck in 2005
For two decades, application threat modelling has leaned heavily on STRIDE—a categorisation mnemonic for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. STRIDE is useful for sorting threats into buckets, but it was never a methodology. It does not ingest real-time threat intelligence; it does not weigh business impact; and its static categories say nothing about the adversary behaviours defining risk today—persistence, extortion, double-extortion ransomware, supply-chain compromise, and the novel attack surfaces introduced by AI-enabled applications.
The result is a familiar bottleneck. Threat modelling gets treated as a one-time, document-heavy exercise that lands too late in the lifecycle, goes stale the moment an application changes, and rarely connects to the testing that would actually validate whether a threat is real. As organisations ship faster and adopt AI across the stack, the gap between how quickly software evolves and how slowly it gets modelled has become a material risk.
The solution: risk-centric threat modelling at sprint speed
Fork is a practical, software-driven implementation of PASTA—the only risk-centric, business-aligned threat modelling methodology, co-authored by VerSprite founder and CEO Tony UcedaVelez. Rather than categorising threats in the abstract, PASTA’s seven stages move from business objectives through attack surface, application decomposition, threat analysis, weakness and vulnerability analysis, attack modelling, and finally risk and impact analysis—so the threats that surface are the ones most likely to happen and most damaging if they do.
Fork brings that rigour to the cadence of modern development, enabling teams to produce a defensible, risk-prioritised threat model in under two hours and keep it current from Sprint 1 onward. Key capabilities include:
- AI-accelerated attack trees. Fork’s AI capabilities intelligently trim the attack tree for an application, removing noise and focusing analysts on viable, high-impact paths instead of exhaustive theoretical ones.
- Contextualised, threat-informed models. Fork enriches every model with live cyber threat intelligence, the latest vulnerability data across a product’s full technology stack, and viable attack vectors substantiated through real adversarial testing.
- Industry-aligned taxonomies. The platform automatically correlates findings with trusted MITRE and OWASP frameworks—including CWE, CVE with EPSS scoring, CAPEC, ATT&CK, D3FEND, and ASVS—to drive targeted, defensible mitigations.
- A proprietary residual risk formula. As tests complete and conditions change, Fork recalculates residual risk so leaders always have an accurate, current view of exposure.
- A single pane of glass. Industry threats, an application’s attack surface, and threat intelligence converge into one unified, collaborative view for security, engineering, product, and business stakeholders.
From blueprint to proof: introducing Knife
A threat model defines which attack paths matter most. Knife proves them.
VerSprite is debuting Knife, an AI-led, human-on-the-loop adversarial platform for web applications and web API endpoints, trained on more than 20 years of accredited, industry-recognised offensive security work from VerSprite’s BREAKERS OffSec team. Where Fork serves as the blueprint for adversarial testing, Knife executes against that blueprint—pairing the scale and speed of AI with expert human oversight to validate exploitability with real-world fidelity.
The integration closes the loop that has long separated threat modelling from testing. From within a Fork threat model, teams can request targeted, on-demand testing of specific weaknesses and attack patterns. Knife runs the assessment; results flow back into the model; and Fork updates the residual risk of the product automatically. Threat modelling and adversarial testing stop being sequential, disconnected events and become a continuous, self-updating system.

A new operating model: AI SecOps
“The future of product and software security is an integrated model of AI SecOps—where products are securely designed and tested as part of the functional build process, not bolted on afterwards. STRIDE gave the industry a vocabulary. PASTA gave it a methodology. Fork and Knife now give it operational speed—continuous threat modelling and integrated, AI-led testing that keep pace with how software is actually built and how adversaries actually behave.”
— Tony UcedaVelez, CEO and founder of VerSprite and co-author of the PASTA methodology
Operationalised visibility through deep integrations
Fork is designed to supercharge, not replace, the security tooling enterprises already run. Through integrations across the AppSec ecosystem—spanning SAST, DAST, software composition analysis, vulnerability scanning, cloud security posture, attack surface management (CASM), penetration testing platforms, and IT service management—Fork turns scattered findings into a living risk picture. Connected and roadmapped integrations include ServiceNow, Veracode, Snyk, Semgrep, Checkmarx, OpenCTI, Qualys, Tenable, Mandiant, and Archer, among others.
The payoff is real-time visibility, operationalised: as continuous and on-demand tests complete and report back, a product’s threat model and residual risk update at the speed of delivery—giving security and product leaders an always-current understanding of what could go wrong, how likely it is, and what it would cost the business.

















