Overview

Architecture modeling in Pwnbook lets you build a structured map of the target application or infrastructure. Where threat modeling focuses on threats and attack vectors, architecture modeling focuses on the system itself — its components, how they communicate, what routes they expose, and where risks exist at the component level. Architecture models are created per engagement and give your team a shared reference for the target’s structure.

Components

Components are the building blocks of your architecture model. They represent logical or physical units of the target system:
  • Web applications
  • APIs and microservices
  • Databases
  • Message queues
  • External third-party services
  • Mobile clients
  • CDNs and load balancers
  • Authentication providers
  • Storage systems

Adding components

  1. Navigate to the Architecture tab in your engagement.
  2. Click Add Component.
  3. Enter the component name and select a component type.
  4. Add optional metadata: version, technology stack, hosting environment, and notes.
  5. Click Save.
Components appear in the architecture canvas. You can drag them to arrange them spatially.

Data flows

Data flows represent how information moves between components. Defining data flows helps you understand trust boundaries, identify where sensitive data travels, and spot potential security issues in how components communicate.

Adding a data flow

  1. On the architecture canvas, hover over a source component until the connection handle appears.
  2. Click and drag to a target component.
  3. In the data flow editor that opens, specify:
    • Name: A descriptive label for what this flow represents (e.g., “User authentication request”, “DB query with PII”)
    • Protocol: HTTP, HTTPS, gRPC, WebSocket, AMQP, SQL, etc.
    • Data classification: What type of data flows (credentials, PII, payment data, general data)
    • Authenticated: Whether the flow requires authentication
  4. Click Save.
Data flows appear as labeled arrows on the canvas.

Routes

Routes document the specific API endpoints, URL paths, or entry points exposed by the target application. This complements the higher-level component view with specific, actionable attack surface data.

Adding routes

  1. Click on a component in the canvas to open its detail panel.
  2. Go to the Routes tab.
  3. Click Add Route.
  4. Enter the route details:
    • Method: GET, POST, PUT, DELETE, etc.
    • Path: The URL path, e.g., /api/v1/users/{id}
    • Description: What the route does
    • Authentication required: Whether the route is protected
  5. Click Save.
Routes can also be imported automatically from API specifications (OpenAPI/Swagger).
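For teams that want to see what an OpenAPI import has to derive, the following is an added example (not Pwnbook's importer) that flattens a constructed OpenAPI 3 document into the same fields the Routes tab uses, applying the spec's rule that an operation-level security list overrides the document-level one and that an empty list means the route is deliberately unauthenticated:

```python
"""Derive route records (method, path, description, auth required) from an
OpenAPI 3 document. Added example, not Pwnbook's own importer; SAMPLE_SPEC is a
constructed document, not a real target."""
import json

HTTP_METHODS = {"get", "post", "put", "delete", "patch", "head", "options"}

# Constructed sample: document-level bearer auth, one route opting out of auth,
# one route requiring an extra scope, and an unauthenticated health probe.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/api/v1/login": {
      "post": {"summary": "Issue a session token", "security": []}
    },
    "/api/v1/users/{id}": {
      "get": {"summary": "Fetch a user profile"},
      "delete": {"summary": "Delete a user", "security": [{"bearerAuth": ["admin"]}]}
    },
    "/healthz": {
      "get": {"summary": "Liveness probe", "security": []}
    }
  }
}""")


def requires_auth(operation: dict, spec: dict) -> bool:
    """OpenAPI semantics: an operation's own 'security' replaces the document-level
    list; an empty list, or a list containing an empty {} alternative, means the
    route can be called without credentials."""
    requirements = operation.get("security", spec.get("security", []))
    return bool(requirements) and all(req for req in requirements)


def extract_routes(spec: dict) -> list[dict]:
    """One record per (method, path), in the shape of the Routes tab fields."""
    routes = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary' and other non-operation keys
            routes.append({
                "method": method.upper(),
                "path": path,
                "description": operation.get("summary") or operation.get("description", ""),
                "auth_required": requires_auth(operation, spec),
            })
    return routes


def unauthenticated_routes(spec: dict) -> list[str]:
    """Routes reachable without credentials: the first ones to review for missing access control."""
    return [f"{r['method']} {r['path']}" for r in extract_routes(spec) if not r["auth_required"]]
```

The `Authentication required` flag is only as good as the spec; a route the spec marks as protected still needs the control verified against the live component.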

Component risks

Each component can have risks associated with it. Risks represent security concerns you’ve identified at the component level, distinct from the detailed findings documented elsewhere.

Adding a component risk

  1. Click on a component to open its detail panel.
  2. Go to the Risks tab.
  3. Click Add Risk.
  4. Describe the risk, assign a severity, and note any mitigating controls.
  5. Click Save.
Component risks give you a clear picture of where the system’s weakest points are, independent of specific vulnerabilities you’ve confirmed.

Infrastructure import

Rather than manually creating components for every service in a cloud environment, Pwnbook can import your infrastructure directly from cloud providers.

Note: Cloud infrastructure import requires the relevant cloud integration to be configured. See AWS Integration.

Importing from AWS

  1. Ensure the AWS integration is configured for your organization (see AWS Integration).
  2. In the Architecture tab, click Import Infrastructure.
  3. Select AWS as the source.
  4. Choose the AWS account and region to scan.
  5. Select the resource types to import (EC2 instances, RDS databases, Lambda functions, S3 buckets, etc.).
  6. Click Import.
Pwnbook creates components for each discovered resource and attempts to map data flows based on security group rules and VPC configuration.

Exporting architecture diagrams

You can export the architecture canvas as an image or PDF for inclusion in reports or client deliverables:
  1. Click the Export button in the canvas toolbar.
  2. Choose the format (PNG, SVG, PDF).
  3. The export downloads automatically.

Relationship with threat modeling

Architecture and threat modeling are complementary. A common workflow is:
  1. Build the architecture model first to understand the system’s components and data flows.
  2. Use the architecture model as the foundation for your threat model, adding threats and attack vectors on top of the component map.
Both models live in the same engagement, so you can switch between them and cross-reference as needed.