Compare
IriusRisk automates the threat model. Alvor runs the program around it: assets, risk, compliance evidence, policies, and sign-offs on one graph, with agentic AI that answers to you.
The quick verdict
Choose Alvor when
Choose IriusRisk when
The bigger picture
IriusRisk is the best-known dedicated threat modeling tool, acquired by ThreatModeler in January 2026 for $100M+. It automates one artefact of a security program: the threat model. The program around it lives in other tools.
IriusRisk earned its reputation by automating threat modeling when everyone else was drawing on whiteboards, and its component and countermeasure libraries are mature. But the category it leads just consolidated: in January 2026, ThreatModeler acquired IriusRisk for over $100 million, putting the two biggest point tools under one owner. Consolidation is rarely good news for customers. Roadmaps merge, editions get harmonised, renewals get renegotiated. It is the right moment to ask a sharper question: what is the threat model actually for?
Because here is the structural problem with every dedicated threat modeling tool, IriusRisk included: the threat model is where the work begins, not where it ends. In IriusRisk, the output is a list of threats and countermeasures exported to Jira; connecting them to a risk register, compliance evidence, and policy is your integration project, forever. In Alvor, the same afternoon of modeling produces required build controls on the project, entries in the risk register, evidence in the compliance module, and a sign-off trail, because all of it lives on one asset and control graph. The AI gap is just as structural: Jeff is a vendor-hosted assistant running on IriusRisk's chosen model. Alvor's studios run on the model your organization chooses, draw real editable shapes on your canvas, reuse your libraries before inventing anything, and pause every write on an audit-logged approval card.
If threat modeling is genuinely the entire job, a standalone function producing models as its only deliverable, IriusRisk remains a capable specialist and its Community Edition costs nothing to try. For everyone else, buying a point tool means buying its integration burden too. Alvor ships the connected program, with the price on the page.
Side by side
Plain-text descriptions, no checkmark games. If we can't say it, we don't.
Capability
Alvor
IriusRisk
Primary category
Alvor
Unified security and compliance platform; threat modeling lives inside the Secure by Design module
IriusRisk
Dedicated threat modeling platform (part of ThreatModeler since January 2026)
Scope
Alvor
Eight integrated modules: asset management, secure by design (security architecture), risk, compliance, policy, program, third-party risk, and business continuity, plus an embedded AI assistant.
IriusRisk
Threat modeling: diagramming, automated threat and countermeasure generation, reports, and dev-toolchain handoff.
Threat modeling approach
Alvor
Diagram-anchored STRIDE register: elements from real diagram shapes, library-first threat reuse (MITRE ATT&CK, OWASP, CAPEC, NIST references), controls mapped from your catalog.
IriusRisk
Component-based automated generation: pre-defined components carry threats and countermeasures from IriusRisk's libraries; countermeasures marked recommended or required per standard.
AI capabilities
Alvor
Four agentic studios: diagrams drawn as editable shapes, threat models proposed in approval batches, design explanations from a team interview, policy drafting. Cross-module assistant beyond the studios.
IriusRisk
Jeff AI assistant: diagrams and preliminary threat models from text prompts, images, user stories, docs, or code; AI analysis views over the model.
AI governance
Alvor
Bring your own model (Anthropic, OpenAI, Google, Azure OpenAI, Bedrock, or compatible endpoint). Writes pause on approval cards; everything audit-logged; admins can disable actions per tool.
IriusRisk
Vendor-managed AI service (OpenAI-based per IriusRisk documentation, single-tenant architecture).
Beyond the threat model
Alvor
Business impact analysis, design explanations written from interviews, architecture decision records, human sign-off matrix, one-click design-document PDF.
IriusRisk
Technical and compliance reports and exports of the threat model (PDF, XLS, HTML, CSV, XML).
Downstream GRC
Alvor
Native: mapped controls become build controls, findings escalate to the risk register, evidence flows into compliance, policies link to the same graph.
IriusRisk
Countermeasures hand off to Jira, CI/CD, and issue trackers; risk registers, compliance, and policy live in separate tools.
Libraries and standards
Alvor
Threat library seeded from MITRE ATT&CK, OWASP, CAPEC, NIST, deduplicated and growing as you model; your own control catalog does the mitigating.
IriusRisk
Deep component and countermeasure libraries mapped to OWASP, PCI DSS, NIST, and GDPR.
Free tier
Alvor
No free tier; guided demo against your own use case.
IriusRisk
Community Edition: free, up to three threat models, draw.io diagramming, limited reports, Jeff included.
Pricing
Alvor
Published. Starter $8K, Growth $18K, Scale $48K. One seat per employee. 10% renewal cap.
IriusRisk
Not publicly published; subscription quoted by licenses and usage. Community Edition free.
Ownership
Alvor
Independent.
IriusRisk
Acquired by ThreatModeler in January 2026; product-line integration announced as ongoing.
Comparison based on each product's publicly described scope at the time of writing. Capabilities and pricing may change; we update this page when we notice. If something here is out of date, write to us and we'll fix it.
Questions
Common questions security leaders ask while shortlisting.
ThreatModeler announced its acquisition of IriusRisk on January 8, 2026, a deal reported at over $100 million, and has said the products will be integrated over time. IriusRisk continues to operate today, but buyers evaluating it should ask about the combined roadmap, plan consolidation, and what happens to existing contracts. If vendor independence and roadmap predictability matter to your purchase, that consolidation is worth weighing.
Get started
Whether you lead security, run IT, manage compliance, or sit in the C-suite - we'll show you your view.