Dimension scores are derived from public data and product fields and are weighted into the composite rating. For reference only.
CAIRIS (Computer Aided Integration of Requirements and Information Security) is an open-source platform designed to bring security, usability, and requirements engineering together early in the software design process. It is not a runtime firewall, EDR, or vulnerability scanner, but a design-stage tool for security requirements, threat modeling, risk analysis, and security architecture modeling.
In terms of protection coverage, CAIRIS mainly focuses on security requirements engineering, threat modeling, risk rationalization, attack surface analysis, and privacy-by-design validation. It can centrally manage artifacts such as assets, countermeasures, requirements, personas, risks, architecture components, and more, and automatically generate 12 types of design views covering perspectives such as people, risks, requirements, architecture, and physical locations. A key strength is its support for modeling “environments” and usage contexts, allowing teams to represent how different user groups perceive asset value, threats, vulnerabilities, and risk impact differently. As the design evolves, the tool can also automatically generate threat models such as DFDs, and use attack patterns and candidate security architecture patterns to assess the attack surface.
CAIRIS is primarily intended for self-deployment. It is free and open source under the Apache Software License, with source code hosted on GitHub. The documentation states that it can run on platforms that support its dependencies, with Ubuntu offering the best experience; it can also run on Mac OS X and Windows, and Docker containers are available. For integration, CAIRIS provides the CAIRIS API, which can be used to build design applications or connect it to existing toolchains. It also supports importing data from sources such as wikis, spreadsheets, and open-source attack pattern repositories. On the compliance side, CAIRIS can identify potential GDPR compliance issues and generate GDPR DPIA documentation, but no ISO, SOC, MLPS, or similar certifications are disclosed.
CAIRIS is free and open source. The project notes that consulting services can be purchased to support adoption, but no public pricing is provided. Its advantages are broad functional coverage, the ability to model requirements, UX, security, and architecture in a unified way, and automatic generation of models and views, making it suitable for complex systems. Its limitations include insufficient information on enterprise-grade SLAs, permission auditing, alert notifications, hosted services, and commercial pricing; self-deployment and extension also require a certain level of technical capability.
CAIRIS is well suited to software security architects, requirements engineering teams, threat modelers, UX researchers, as well as critical infrastructure projects in areas such as defense, healthcare, transportation, and water treatment, plus university teaching. The source text does not provide information about access from China, so its status is unknown. If access to GitHub or the demo environment is unstable, users can consider self-hosting the source code or evaluating alternatives such as OWASP Threat Dragon, Microsoft Threat Modeling Tool, IriusRisk, and ThreatModeler.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, cairis.org.
cairis.org is a United Kingdom security provider. TG4G tracks its product information, an overall rating of 8.0/10, and a China-accessibility score of "China direct-connect friendly".