Skip to content

Elements

Elements are the building blocks of a threat model in Devici. They describe the features, components, and boundaries of the system you are modeling.

By identifying and structuring elements, you define what the system does, how data moves, and where trust changes. This structure allows Devici to accurately generate threats and recommend mitigations.

Use this guide when you are building or refining a threat model’s structure.

In this guide

  • Trust boundaries
  • Data flows
  • Processes
  • Data stores
  • External entities
  • Adding and editing elements
  • Customizing elements

Element types in Devici

Trust boundaries

A trust boundary (also called a security boundary or trust zone) represents a separation between areas of differing trust within a system.

Trust boundaries help identify where data or control moves from a more trusted context to a less trusted one—or vice versa—which is a common source of security risk.

Data flows

A data flow represents the path data takes as it moves through a system—from one element to another.

Processes

A process represents an active component that performs operations on data (e.g., authentication, validation, business logic, encryption).

Data stores

A data store is any location where data persists and can be read or written (e.g., databases, files, queues, caches).

External entities

An external entity is any actor or system outside your trust boundaries that interacts with the system (e.g., users, third-party services, external systems).

How to add elements

Use the modeling canvas to add elements to your diagram. Add the major components first, then refine.

Add a process, data store, or external entity

  1. Open your threat model and go to the modeling canvas.
  2. Choose the element type you want to add from the left hand toolbar (Process, Data Store, or External Entity).
  3. Click on the canvas to place the element.
  4. Rename the element to something descriptive (see Rename an element below) via the sidedraw popout.

Tip

Start with a small number of high-level elements. You can add detail after the main flow is correct.

How to connect elements with data flows

Data flows show how information moves through the system. They are essential for identifying where data is exposed, transformed, or crosses trust boundaries.

Add a data flow between two elements

  1. Select the connector / data flow tool in the canvas.
  2. Click the source element.
  3. Click the destination element.
  4. Add a label describing what moves over the flow (e.g., “Credentials”, “JWT”, “Customer profile data”).

Warning

Missing or incorrect data flows can result in missing threats—especially for data exposure and injection risks.

How to add trust boundaries

Trust boundaries should be used wherever assumptions about identity, control, or security change.

Add a trust boundary to a model

  1. Choose the Trust Boundary element type.
  2. Place it on the canvas.
  3. Resize the boundary to enclose one or more elements that share a similar level of trust.
  4. Rename the boundary to reflect the trust zone (e.g., “Public Internet”, “Internal Network”, “Production Data Zone”).

Why trust boundaries matter

  • They highlight where validation, authentication, or authorization is required
  • They focus threat analysis on high-risk interactions
  • They help ensure appropriate security controls are applied at system edges

Tip

If a data flow crosses a trust boundary, pause and ask: “What assumptions am I making about this data?”

Editing elements

Rename an element

Use clear names that reflect responsibilities, not technologies.

  1. Select the element on the canvas.
  2. Open the element mini-menu or properties menu.
  3. Edit the element label/name.

Examples of good names:

  • “Web App”
  • “Auth Service”
  • “Payments API”
  • “Customer Database”

Customizing elements

Devici allows you to customize elements to improve clarity and readability without changing threat generation logic.

You can:

  • Rename elements (including data flows)
  • Change fill and line colors
  • Adjust opacity
  • Modify font color, size, and bolding

Change element styling

  1. Select the element on the canvas.
  2. Open the element mini-menu.
  3. Adjust styling options such as fill, outline, opacity, and text formatting.

Tip

Use styling to communicate meaning consistently (e.g., external entities one style, data stores another). Avoid using colors in a way that implies “secure” vs “insecure” unless that is your team’s convention.

Hiding data flow labels

If labels create visual clutter, you can hide data flow labels using a setting in the Threat Model drawer.

  1. Open the Threat Model drawer.
  2. Find the setting for data flow label visibility.
  3. Toggle it to hide or show data flow labels.

What’s next

Once your elements are defined:

Well-defined elements lead to more accurate threats and more actionable outcomes.