Devici MCP
Connect, configure, and use Devici MCP — Devici's Continuous Threat Modeling in any AI client.
Devici MCP lets your AI client talk directly to Devici. Create an API token in your Devici workspace, paste its credentials into any MCP-compatible client (Cursor, Claude, VS Code, etc.), and your agent can build threat models, enumerate threats with STRIDE or LINDDUN, attach mitigations from the Devici codex, and keep models current as your architecture evolves — all without leaving your editor.
What you can do
With Devici MCP connected to your AI client, you can ask things like:
- "Build a threat model in Devici for this repo."
- "Import this OTM file into the Payments collection."
- "Run a STRIDE pass over the Online Store model and attach mitigations from the codex."
- "What attributes are assigned to the API Gateway component?"
- "Validate the Mobile App model and tell me what's missing."
The agent calls Devici tools on your behalf, and the resulting threat model lives in Devici with the same visual canvas, components, threats, mitigations, and audit trail as anything else in the platform.
Watch: Building a Threat Model with Devici MCP
If you prefer a visual walkthrough, this video demonstrates how to create and build a threat model in Devici.
How it fits together
┌─────────────────────┐
│   Your AI client    │
│                     │
│  Cursor / Claude /  │
│       VS Code       │
└──────────┬──────────┘
           │
           │  Tool calls + auth headers
           ▼
┌─────────────────────┐
│     Devici MCP      │
│                     │
│   mcp.devici.com    │
│                     │
│   Validates creds   │
│   Forwards calls    │
│   Executes tools    │
└──────────┬──────────┘
           │
           │  Authenticated requests
           ▼
┌─────────────────────┐
│   Devici Platform   │
│                     │
│     Collections     │
│    Threat models    │
│      Canvases       │
│        Codex        │
│       Threats       │
│     Mitigations     │
└─────────────────────┘
| Piece | What it does |
|---|---|
| Your AI client | The thing you're already using — Cursor, Claude, VS Code, etc. |
| Devici MCP | Hosted at https://mcp.devici.com. Authenticates your credentials and forwards tool calls to the Devici platform (where token scopes are enforced). |
| Devici platform | Your existing Devici workspace — collections, threat models, the codex. The MCP is a window into it, not a copy. |
Devici Concepts
If you're new to Devici, this is the vocabulary you'll see throughout the MCP docs:
| Concept | What it is |
|---|---|
| Collection | A folder for related threat models (e.g., a product line, a team, a domain) |
| Threat model | A single model — a system you're analyzing, with one or more canvases inside |
| Canvas | A visual diagram inside a threat model — components, dataflows, trust boundaries |
| Component | A node on the canvas — a process, external entity, datastore, or trust boundary |
| Dataflow | An edge between components — the data moving between them |
| Trust boundary | A zone that marks where the trust level changes |
| Attribute | What a component IS or DOES (e.g., "Internet-facing," "Stores PII") — drives threat generation |
| Threat | A specific risk attached to a component or dataflow, usually framed by STRIDE / LINDDUN |
| Mitigation | A specific control that addresses a threat |
| Codex | Devici's library of attributes, threats, and mitigations — built-in plus your custom content |
If you want a deeper introduction to the platform itself, see the Devici Guides. The MCP docs assume you have a Devici workspace and the basics of threat modeling already.
What's next
- Get connected in Quickstart
- Configure access in Authentication
- Set up your AI client in Client setup
- Explore available capabilities in Tool reference
- Learn common workflows in Playbooks
- Diagnose problems in Troubleshooting
Devici MCP connects your AI workflows directly to continuous threat modeling in Devici.