How to: Import Threat Models Created with TAM 2.1 into TAM 3.0

Syed Aslam Basha here. I am a tester on the Information Security Tools team and responsible for testing  Microsoft Threat Analysis and Modeling V3.0.

With the availability of latest beta version of TAM V3.0, it becomes increasingly more important to know “How to import threat models which were created with TAM V2.1".

TAM V3.0 has a feature of importing TAM V2.1 threat models. TAM implements plug-in architecture and it supports importing through plug-in “dll’s”. For more technical details about plug-in architecture refer to this blog posts plug-in architecture 1 and 2 . The threat models are stored as XML files. TAM uses a built in XSLT for transformation of TAM V2.1 threat model to TAM V3.0 threat model. The plug-ins and XSLT are installed in plug-in folder. After the transformation the new threat model is loaded in threat model tree.

I am going to show “How to import TAM V2.1 threat models to TAM v3.0”.

Steps to Import:

  1. Launch TAM v3.0
  2. Click on File –> New
  3. Click on File –> Import


1. “Import from version 2.1 Threat Model” plugin from the list and click on next


2. Browse TAM v2.1 “.atmx” file and click on next


3. Click on Finish


You should now be good to use the TAM V2.1 threat model in TAM V3.0. The import feature works seamlessly by mapping objects one to one and for many properties. For example threat model name, description, business objective name,description so on and so forth. In some cases, while importing V2.1 threat model some of the properties like authentication mechanism, weight, identity name, identity description in Role, data classification in Data, etc are copied to the respective descriptions as relevant properties don’t exist in TAM v3.0.