Custom Codex
The Custom Codex allows organizations to extend Devici’s built-in intelligence by defining their own attributes, threats, and mitigations.
Custom Codex content becomes part of the threat modeling experience, making it possible to reflect organization-specific behaviors, failure modes, and design expectations while maintaining a consistent modeling approach.
Use the Custom Codex when built-in Codex content does not fully capture how your systems behave or how they can fail.
What the Custom Codex is for
The Custom Codex exists to support reuse and consistency across threat models.
It allows you to define:
- Custom attributes that describe organization-specific behavior or data
- Custom threats that describe what can go wrong in your environment
- Custom mitigations that describe preferred design responses or controls
Custom Codex content is reusable across threat models and teams.
Tip
The Custom Codex is not required for most threat modeling workflows. Use it deliberately to extend—not replace—the built-in Codex.
How Custom Codex content fits into threat modeling
Threat modeling in Devici follows this relationship:
Attributes → Threats → Mitigations
The Custom Codex allows you to define and manage each of these objects at the library level so they are available during threat modeling.
During modeling:
- Attributes from the Custom Codex can be added to elements
- Mapped threats appear automatically
- Mapped mitigations are suggested for review
The modeling workflow remains the same regardless of whether content comes from the built-in Codex or the Custom Codex.
What you can create in the Custom Codex
Custom attributes
Custom attributes describe conditions or behaviors that are specific to your organization.
Use custom attributes to represent:
- Internal platform assumptions
- Domain-specific behavior
- Organization-specific data handling patterns
Custom attributes should be:
- Stable
- Reusable
- Technology-agnostic
Avoid creating attributes that represent:
- Controls
- Temporary implementation details
- One-off design decisions
Custom threats
Custom threats describe undesirable conditions that can occur when certain attributes are present.
Use custom threats when:
- Built-in threats do not capture a relevant failure mode
- The threat is reusable across multiple systems
- The threat describes what can go wrong, not how to fix it
Custom threats should explain:
- What can go wrong
- Why it applies
- Under what conditions it becomes relevant
Custom mitigations
Custom mitigations describe preferred design responses or controls.
Use custom mitigations to:
- Standardize design guidance
- Capture internal controls or patterns
- Encourage consistent responses across teams
Custom mitigations should describe intent, not implementation detail.
Creating Custom Codex content
Custom Codex content is managed from the Codex management interface.
At a high level, creating Custom Codex content involves:
- Choosing the type of content to create (attribute, threat, or mitigation)
- Defining clear names and descriptions that are understandable outside the context of a single system
- Mapping content appropriately
  - Attributes map to threats
  - Threats map to mitigations
- Making the content available for use during threat modeling
Tip
When building Custom Codex content, start with attributes and mitigations, then create threats that reference them. This ensures mappings are complete and usable.
Mapping Custom Codex content
Mapping attributes to threats
Attributes drive when threats appear.
When a custom threat is mapped to a custom or built-in attribute:
- The threat becomes eligible whenever that attribute is applied to an element
- Context (other attributes, data flows, trust boundaries) refines applicability
Mappings should be:
- Intentional
- Justifiable
- Reviewed periodically
Mapping threats to mitigations
Mitigations are mapped directly to threats.
When a mitigation is mapped to a threat:
- It is suggested whenever that threat appears
- It becomes available for evaluation during threat modeling
- It can be reused across multiple threats when appropriate
Adding documentation and resources
Custom Codex entries can include resources to provide additional context.
Resources can be used to link to:
- Internal documentation
- Design standards
- Architecture guidance
- External references
Adding resources helps teams understand why a custom attribute, threat, or mitigation exists and how it should be interpreted.
Editing and maintaining Custom Codex content
Custom Codex entries can be updated over time.
When editing content:
- Changes are saved immediately
- Name changes create aliases to preserve continuity
- Older aliases can be reviewed and removed if no longer needed
Warning
Changing Codex content affects all threat models that use it. Review changes carefully and communicate updates when appropriate.
Governance and best practices
Because the Custom Codex influences all threat models, it should be governed intentionally.
Recommended practices include:
- Restricting who can create or modify Codex content
- Reviewing new entries before broad adoption
- Avoiding duplicate or overlapping definitions
- Periodically auditing Custom Codex usage
Uncontrolled growth can make threat modeling harder, not easier.
Practical limits and considerations
Be aware of the following limits when creating Custom Codex content:
- Titles support up to 256 characters
- Threat descriptions support up to 1000 characters
- Mitigation descriptions and supporting fields support up to 1000 characters
These limits encourage clarity and reuse.
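As an added example (not Devici code and not a Devici import or export format), the following Python lints a drafted set of Custom Codex entries before they are entered: it checks the character limits above, flags overlapping titles and the broken mappings discussed under "Mapping Custom Codex content", and resolves Attributes → Threats → Mitigations for one element. The dictionary layout, entry keys and the function names `lint` and `suggest` are assumptions made for this illustration.

```python
from collections import Counter

TITLE_MAX, DESC_MAX = 256, 1000  # limits stated on this page

# Constructed sample draft; this dict layout is assumed, not a Devici format.
DRAFT = {
    "attributes": {"A1": {"title": "Uses internal message bus"},
                   "A2": {"title": "Stores partner billing data"}},
    "threats": {
        "T1": {"title": "Unauthenticated publisher on bus",
               "description": "Any service can publish without proving identity.",
               "attributes": ["A1"], "mitigations": ["M1"]},
        "T2": {"title": "Billing data exposed in logs", "description": "x" * 1001,
               "attributes": ["A2", "A9"], "mitigations": []},
    },
    "mitigations": {
        "M1": {"title": "Require service identity on publish",
               "description": "Publishers authenticate before sending."},
        "M2": {"title": "require service identity on publish ",
               "description": "Overlaps with M1."},
    },
}

def lint(lib):
    """Return findings for length limits, duplicates and broken mappings."""
    findings = []
    for kind in ("attributes", "threats", "mitigations"):
        for key, entry in lib[kind].items():
            if len(entry["title"]) > TITLE_MAX:
                findings.append(f"{key}: title over {TITLE_MAX} characters")
            if kind != "attributes" and len(entry["description"]) > DESC_MAX:
                findings.append(f"{key}: description over {DESC_MAX} characters")
        seen = Counter(e["title"].strip().lower() for e in lib[kind].values())
        findings += [f"{kind}: duplicate title '{t}'" for t, n in seen.items() if n > 1]
    for key, threat in lib["threats"].items():
        for field in ("attributes", "mitigations"):
            if not threat[field]:
                findings.append(f"{key}: no {field} mapped")
            for ref in threat[field]:
                if ref not in lib[field]:
                    findings.append(f"{key}: unknown {field[:-1]} {ref}")
    return findings

def suggest(lib, applied):
    """Attributes -> Threats -> Mitigations for the attributes on one element."""
    return {key: [m for m in t["mitigations"] if m in lib["mitigations"]]
            for key, t in lib["threats"].items() if set(t["attributes"]) & set(applied)}
```

Running `lint(DRAFT)` before a review session surfaces the over-length description, the near-duplicate mitigation title, and the threat that references an attribute that does not exist and has no mitigation mapped.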
What’s next
To continue exploring Codex concepts, see:
To apply Codex content during threat modeling, see:
The Custom Codex allows you to extend Devici’s intelligence while keeping threat modeling consistent and scalable.