IriusRisk is a single integrated console to manage application security risk throughout the software development process.


Create a threat model and derive security requirements in minutes using a straightforward questionnaire-based system

Self-service application and architectural security for developers using a straightforward questionnaire-based approach

Manage security risk throughout the SDLC by choosing a risk response and synchronising security requirements with issue trackers

Manage risks at portfolio scale across the enterprise or per business unit


We built IriusRisk to solve three key problems in application security:

  • How to reduce the number of security vulnerabilities in applications, caused by weak security design and inadequate controls.
  • How to reduce the time and resources required to perform risk analysis and threat modeling so that these activities can truly scale to meet enterprise requirements and constraints.
  • How to measure, view and respond to application security risk through all of the software development and delivery steps.

“We want to build a mobile payment application and store personal details on the device”

What are the inherent security risks?

How do we mitigate those risks?

What is the current progress of the countermeasures?

Are the countermeasures effective?

Have we met our compliance objectives?



Get started with a Threat Model in minutes
Choose a Risk Response
Implement Countermeasures
Test Weaknesses and Countermeasures
Manage Application Risk across the enterprise

Editions and Pricing

IriusRisk is offered as either a hosted SaaS or an on-premise solution. Pricing is tiered based on the number of applications managed by the solution. The number of users is unlimited in all editions.

Limited to 3 Applications: FREE
  • Generate threat model through questionnaires
  • Integrate with Jira
  • Create Templates
  • Share Templates with other users
SaaS Hosted
Tiered pricing based on number of apps: contact us
  • Generate threat model through questionnaires
  • Integrate with Jira
  • Create Templates
  • Integrate with ThreadFix
  • Define security classifications, Trust Zones and Data Assets
  • Customise questionnaires
  • Permissions based access control
  • Premium risk pattern libraries
  • API
On Premises
Tiered pricing based on number of apps: contact us
  • Generate threat model through questionnaires
  • Integrate with Jira
  • Create Templates
  • Integrate with ThreadFix
  • Define security classifications, Trust Zones and Data Assets
  • Customise questionnaires
  • Permissions based access control
  • Premium risk pattern libraries
  • API
  • LDAP/Active Directory
  • Java WAR or Docker install

Our Philosophy

We are dedicated to building the tools you need to manage and test the security of your software. Security tools and processes have to be business enablers, not blockers; and they cannot slow down the speed of development. Our solutions integrate with the normal development workflow, so that security is truly built in and not bolted on.

Security is the whole team's responsibility

Security is not special. Performance, quality and availability are everyone’s responsibility and so is security. After all, who understands the code and environment better than the developers and ops teams themselves? A team trained to identify and evaluate security risk is able to easily avoid common security pitfalls and build solutions that meet your security requirements.

Embed security in the build

Secure design and security testing should be embedded in the build to reduce feedback time and get developers fixing issues as soon as possible. Unit, Integration and Functional testing are routinely automated and security testing is no different. Using an integrated approach, the whole team can view the current state of the security tests alongside their other test results, right in the CI server.

Continuous Security Testing

Modern development practices such as DevOps and Continuous Delivery rely on automation to bring value to market faster. Security need not be the anchor holding development back; instead, by using security automation tools, we can provide security testing at the same cadence as delivery. Our security tests can be run from a Continuous Integration server, providing continuous and seamless security testing.

Our Team

  • Stephen de Vries, Co-Founder and CEO

    Stephen is our co-founder and CEO. He started his career as a C, C++ and Java developer, moving into security operations and then software security. He’s an active contributor to a number of OWASP projects and has helped FTSE 100 companies to build security into their development processes through threat modeling and integrated security testing.
    Stephen enjoys tinkering with renewable, off-grid energy systems and writing code.

  • Cristina Bentue, Co-Founder and COO

    After studying several master's degrees in Near Eastern Studies, Cristina forged her career in technology startups between Barcelona and the City of London before co-founding Continuum Security. Cristina currently manages operations as COO with a growing team of developers and security analysts. Cristina is an advocate for open platforms and leads the community edition of Continuum Security’s product suite to offer users a free and collaborative platform to share threat models of system architectures. Cristina is a champion of women in technology and of encouraging girls to choose STEM subjects at an early age.

  • Paul Santapau Nebot, CTO

    Paul is our CTO and has been working in security for more than 10 years in both defensive and offensive roles. His experience ranges from working in security research at the Nisu Security Research Group to building an innovation department at a startup. His passions are working on an effective and pragmatic approach to security, and security applied to DevOps, software engineering and networking. Paul enjoys mountain biking, running and swimming in between being a father.

  • Víctor Cañizares Mata, Senior Developer

    Born and raised in the New York of La Mancha, Albacete. Java and Groovy codebasher by calling. Environmental activist out of necessity. Lover of homemade stews. Retired drummer. Basketball fan and cyclist. Half classic geek: loud heavy metal music, coffee, GNU/Linux and The X-Files. Half not-so-classic geek: I’m not into gadgets, nor do I play Pokemon GO and I don’t watch TV series. I prefer to be surrounded by nature and my dream is to live in a country house with a vegetable garden.

  • Rafael Topera, Senior Developer

    Rafael Topera is a code guru in Groovy, Java and JavaScript. When he’s not coding, he’s trying to help his wife with the most critical task ever: raising two children. He also likes running, playing the drums and tries to not be in the 1% worst Acoustic Guitar players ranked in his country. Currently lives in São José dos Campos, a quiet city in Brazil.


BDD-Security is a security testing framework that uses natural language in a Given, When, Then Gherkin syntax to describe security requirements as features. Those same requirements are also executable as standard unit/integration tests which means they can run as part of the build/test/deploy process.

Key Features

  • Free and Open Source automated security testing framework
  • Ready to run on a Continuous Integration Server, as part of the build/test/deploy process
  • Upgrade DevOps to SecDevOps
  • Generate reports, to easily be viewed and understood by business and security users
  • Tests are run dynamically against a deployed application, no need to access your source code


BDD-Security v2.0 Released

Now with power. This version has a number of improvements, including: Simpler test execution with less background magic. Just standard Gradle tasks and Cucumber-JVM Simpler integration with [...]

Contact Us

Parque Tecnologico Walqa
"Félix de Azara" Building
Ctra. Zaragoza N-330A, km 566
22197 Cuarte (Huesca)

Parc Científic Tecnològic i Empresarial - Espaitec
Universitat Jaume I Edificio ESPAITEC1
Campus del Riu Sec
Avda Sos Baynat s/n
12071 Castellón de la Plana (Spain)
+34 974 032 183
Business Hours
Monday - Friday 9am to 7pm CET