What is Mipiti?
Mipiti is a security posture platform that turns natural-language feature descriptions into structured security models — controls, compliance mapping, and verifiable evidence.
How it works
- Describe your feature — in the chat, from a Jira issue, or through your AI coding agent via MCP
- Generate — Mipiti's agentic pipeline produces a complete threat model in minutes
- Refine — ask follow-up questions or request changes conversationally
- Implement — mark controls as done and have your AI coding agent submit assertions that they're really implemented
- Verify — your CI pipeline checks the assertions against the actual codebase — Mipiti never sees your source code
- Discover gaps — AI coding agents report missing implementations as negative findings, so nothing slips through
- Comply — select a compliance framework, run gap analysis, remediate
- Track — version, export, and integrate with your workflow
Every step works through the web UI, the REST API, or the MCP server (49 tools) — so AI coding agents like Claude Code or Cursor can drive the entire workflow from the developer's IDE.
What you get
Every threat model includes:
- Trust Boundaries — where different security domains meet
- Assets — data and components that need protection, each tagged with applicable security properties (Confidentiality, Integrity, Availability, and Usage for non-extractable assets where purpose-binding matters)
- Attackers — capability-defined threat actors described by their position and concrete abilities
- Control Objectives — testable "SHALL" statements covering every asset-attacker combination, with all applicable security properties bundled into each statement
- Implementation Controls — concrete, actionable security measures mapped to control objectives, organized into mitigation groups
- Evidence verification — prove controls are really implemented with machine-checked evidence, without ever sending your source code to Mipiti
- Compliance coverage — gap analysis against frameworks like OWASP ASVS 5.0, with automated remediation for unmapped requirements
- Assumptions — explicit statements about what the model takes for granted
Key differentiator
Mipiti automates proven formal methods — capability-defined attackers and Security Problem Definition (Common Criteria ISO 15408), systematic asset-attacker mapping (NIST SP 800-30), and traceable control derivation (NIST RMF) — that were previously impractical outside high-assurance environments.
AI handles creative threat identification (Discovery mode). Deterministic evaluation handles compliance posture (Assurance mode). Control Objectives are computed as a mathematical cross-product of assets and attackers — not generated by the LLM. Coverage is guaranteed and auditable.
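The two statements above, that a Control Objective exists for every asset-attacker combination with the asset's security properties bundled into it, and that the set of objectives is a deterministic cross-product rather than LLM output, can be shown in a few dozen lines. The following is an added illustration written for this page, not Mipiti's code: the data structures, the SHALL wording, the sample assets and attackers, and the rule that the Usage property only applies to non-extractable assets are all assumptions drawn from the descriptions above.

```python
"""Control objectives as a deterministic cross-product of assets and attackers,
plus an auditable coverage check. Added example, not Mipiti's implementation."""
from dataclasses import dataclass
from itertools import product

# Security properties as listed on the page (Usage = purpose binding).
PROPERTIES = ("Confidentiality", "Integrity", "Availability", "Usage")
PROPERTY_ORDER = {p: i for i, p in enumerate(PROPERTIES)}


@dataclass(frozen=True)
class Asset:
    name: str
    properties: frozenset          # subset of PROPERTIES
    extractable: bool = True       # False for e.g. HSM-resident keys (assumed field)


@dataclass(frozen=True)
class Attacker:
    name: str
    position: str                  # where the attacker sits
    capabilities: tuple            # concrete abilities, not intent


@dataclass(frozen=True)
class ControlObjective:
    asset: str
    attacker: str
    properties: frozenset
    statement: str                 # testable "SHALL" statement


def validate_assets(assets):
    """Reject unknown properties and Usage on extractable assets (assumed rule)."""
    errors = []
    for a in assets:
        unknown = a.properties - set(PROPERTIES)
        if unknown:
            errors.append(f"{a.name}: unknown properties {sorted(unknown)}")
        if "Usage" in a.properties and a.extractable:
            errors.append(f"{a.name}: Usage requires a non-extractable asset")
    return errors


def derive_control_objectives(assets, attackers):
    """One objective per (asset, attacker) pair; no model is consulted here."""
    objectives = []
    for asset, attacker in product(assets, attackers):
        props = sorted(asset.properties, key=PROPERTY_ORDER.__getitem__)
        statement = (
            f"The system SHALL protect the {' and '.join(p.lower() for p in props)} "
            f"of {asset.name} against {attacker.name} ({attacker.position}), "
            f"who can {'; '.join(attacker.capabilities)}."
        )
        objectives.append(ControlObjective(asset.name, attacker.name,
                                           frozenset(props), statement))
    return objectives


def coverage_gaps(assets, attackers, objectives):
    """Audit: return every asset-attacker pair that has no objective."""
    expected = {(a.name, t.name) for a in assets for t in attackers}
    covered = {(o.asset, o.attacker) for o in objectives}
    return sorted(expected - covered)


# Constructed sample input for a small web service.
SAMPLE_ASSETS = [
    Asset("customer PII", frozenset({"Confidentiality", "Integrity"})),
    Asset("order service", frozenset({"Integrity", "Availability"})),
    Asset("HSM-resident signing key",
          frozenset({"Confidentiality", "Integrity", "Usage"}), extractable=False),
]
SAMPLE_ATTACKERS = [
    Attacker("External network attacker", "internet, unauthenticated",
             ("send arbitrary HTTP requests", "observe traffic on public networks")),
    Attacker("Malicious tenant", "authenticated user of another tenant",
             ("use every documented API as a normal user",)),
]

if __name__ == "__main__":
    for err in validate_assets(SAMPLE_ASSETS):
        raise SystemExit(err)
    objs = derive_control_objectives(SAMPLE_ASSETS, SAMPLE_ATTACKERS)
    for o in objs:
        print(o.statement)
    print("gaps:", coverage_gaps(SAMPLE_ASSETS, SAMPLE_ATTACKERS, objs))
```

Because the pair set comes from `product()` and the audit compares sets, "coverage" is an exact check rather than a judgment: three assets and two attackers always yield six objectives, and removing any one of them shows up as a named gap. Wording refinement can then be left to the conversational step without changing which pairs exist.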