VerSprite Launches Fork and Knife: AI-Driven Threat Modeling and Adversarial Testing Built for the Speed of Modern Software

Business Wire India

VerSprite, a global leader in risk-based threat modeling and the firm behind the PASTA (Process for Attack Simulation and Threat Analysis) methodology, today announced the general availability of Fork (www.forktm.com), a continuous application threat modeling platform, alongside Knife, an AI-led, human-on-the-loop adversarial testing platform for web applications and web API endpoints. Together, the two products operationalize a new model for product security—one where applications are securely designed, continuously modeled, and actively tested as part of the build process itself.

The launch addresses a problem every security leader knows but few tools have solved: threat modeling is essential, never more so than in an AI-driven era, yet it has remained slow, manual, and anchored to frameworks designed for a different threat landscape.

The problem: threat modeling matters more than ever—and most tools are stuck in 2005

For two decades, application threat modeling has leaned heavily on STRIDE—a categorization mnemonic for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. STRIDE is useful for sorting threats into buckets, but it was never a methodology. It does not ingest real-time threat intelligence, it does not weigh business impact, and its static categories say nothing about the adversary behaviors defining risk today—persistence, extortion, double-extortion ransomware, supply-chain compromise, and the novel attack surfaces introduced by AI-enabled applications.

The result is a familiar bottleneck. Threat modeling gets treated as a one-time, document-heavy exercise that lands too late in the lifecycle, goes stale the moment an application changes, and rarely connects to the testing that would actually validate whether a threat is real. As organizations ship faster and adopt AI across the stack, the gap between how quickly software evolves and how slowly it gets modeled has become a material risk.

The solution: risk-centric threat modeling at sprint speed

Fork is a practical, software-driven implementation of PASTA—the only risk-centric, business-aligned threat modeling methodology, co-authored by VerSprite founder and CEO Tony UcedaVelez. Rather than categorizing threats in the abstract, PASTA’s seven stages move from business objectives through attack surface, application decomposition, threat analysis, weakness and vulnerability analysis, attack modeling, and finally risk and impact analysis—so the threats that surface are the ones most likely to happen and most damaging if they do.

Fork brings that rigor to the cadence of modern development, enabling teams to produce a defensible, risk-prioritized threat model in under two hours and keep it current from Sprint 1 onward. Key capabilities include:

  • AI-accelerated attack trees. Fork’s AI capabilities intelligently trim the attack tree for an application, removing noise and focusing analysts on viable, high-impact paths instead of exhaustive theoretical ones.
  • Contextualized, threat-informed models. Fork enriches every model with live cyber threat intelligence, the latest vulnerability data across a product’s full technology stack, and viable attack vectors substantiated through real adversarial testing.
  • Industry-aligned taxonomies. The platform automatically correlates findings with trusted MITRE and OWASP frameworks—including CWE, CVE with EPSS scoring, CAPEC, ATT&CK, D3FEND, and ASVS—to drive targeted, defensible mitigations.
  • A proprietary residual risk formula. As tests complete and conditions change, Fork recalculates residual risk so leaders always have an accurate, current view of exposure.
  • A single pane of glass. Industry threats, an application’s attack surface, and threat intelligence converge into one unified, collaborative view for security, engineering, product, and business stakeholders.

From blueprint to proof: introducing Knife

A threat model defines which attack paths matter most. Knife proves them.

VerSprite is debuting Knife, an AI-led, human-on-the-loop adversarial platform for web applications and web API endpoints, trained on more than 20 years of accredited, industry-recognized offensive security work from VerSprite’s BREAKERS OffSec team. Where Fork serves as the blueprint for adversarial testing, Knife executes against that blueprint—pairing the scale and speed of AI with expert human oversight to validate exploitability with real-world fidelity.

The integration closes the loop that has long separated threat modeling from testing. From within a Fork threat model, teams can request targeted, on-demand testing of specific weaknesses and attack patterns. Knife runs the assessment; results flow back into the model; and Fork updates the residual risk of the product automatically. Threat modeling and adversarial testing stop being sequential, disconnected events and become a continuous, self-updating system.

A new operating model: AI SecOps

“The future of product and software security is an integrated model of AI SecOps—where products are securely designed and tested as part of the functional build process, not bolted on afterward. STRIDE gave the industry a vocabulary. PASTA gave it a methodology. Fork and Knife now give it operational speed—continuous threat modeling and integrated, AI-led testing that keeps pace with how software is actually built and how adversaries actually behave.”

— Tony UcedaVelez, CEO and founder of VerSprite and co-author of the PASTA methodology

Operationalized visibility through deep integrations

Fork is designed to supercharge, not replace, the security tooling enterprises already run. Through integrations across the AppSec ecosystem—spanning SAST, DAST, software composition analysis, vulnerability scanning, cloud security posture, attack surface management (CASM), penetration testing platforms, and IT service management—Fork turns scattered findings into a living risk picture. Connected and roadmapped integrations include ServiceNow, Veracode, Snyk, Semgrep, Checkmarx, OpenCTI, Qualys, Tenable, Mandiant, and Archer, among others.

The payoff is real-time visibility, operationalized: as continuous and on-demand tests complete and report back, a product’s threat model and residual risk update at the speed of delivery—giving security and product leaders an always-current understanding of what could go wrong, how likely it is, and what it would cost the business.

Availability

Fork is available today. A free Fork Community edition supports a single application threat model with vulnerability ingestion via SBOM or OVAL, while Fork Enterprise unlocks unlimited applications and teams, all integrations, SSO, granular access controls, and audit logging. Fork Enterprise PT extends the platform with on-demand adversarial testing—powered by Knife and VerSprite’s BREAKERS team—requested directly from within a threat model. VerSprite also offers Threat Modeling as a Service for organizations seeking expert-led training and managed delivery.

To learn more, request a demo, or start for free, visit www.forktm.com.

About VerSprite

VerSprite is a global cybersecurity firm specializing in risk-based threat modeling, offensive security, and managed security services. Founded in 2007 and headquartered in Atlanta, Georgia, VerSprite is the originator of the PASTA (Process for Attack Simulation and Threat Analysis) methodology and partners with Fortune 500 enterprises and product organizations worldwide to reduce cyber risk through a structured, data-driven, adversary-informed approach. Learn more at www.versprite.com.

About Fork

Fork is VerSprite’s continuous application threat modeling platform. Built on the PASTA methodology and accelerated by AI, Fork enables security, engineering, and product teams to produce risk-centric threat models in under two hours, contextualize them with live threat intelligence and full-stack vulnerability data, and keep them continuously aligned with how applications evolve—now with integrated, AI-led adversarial testing through Knife.