Import from Devici
Import from Devici brings architecture context from a Devici threat model directly into an SD Elements project.
A Devici threat model is exported as an OTM (Open Threat Model) document and imported into an SD Elements project. SD Elements reads the architecture — elements, attributes, dataflows, trust boundaries, and surfaced threats — and generates Countermeasures from the attributes set on each Element, mapped to the project’s compliance frameworks and pushed to the connected Issue Tracker.
Countermeasure generation is attribute-driven: the attributes set on each Element are the trigger, not the Elements themselves. This is the same model survey-driven projects use — the survey answers populate attributes, attributes generate Countermeasures. With Import from Devici, the Devici threat model populates those attributes.
Import from Devici helps you:
-
Replace manual re-keying of threat findings with a deterministic, repeatable import flow.
-
Generate Countermeasures that vary by the attributes the architect modeled on each Element (a public-facing API has different attributes — and therefore different Countermeasures — than an internal queue).
-
Carry a clear Reason for inclusion on every Devici-sourced Countermeasure, so any reviewer can see why the Countermeasure is in the project (which Devici Element it came from and through which path) without leaving SD Elements.
-
Keep the threat model and the developer backlog in sync as the architecture changes.
How it works
-
The threat model is authored and maintained in Devici.
-
The architect or AppSec engineer exports the threat model from Devici as an OTM v0.2.0 document. See Exporting an OTM from Devici.
-
The OTM document is uploaded into the destination SD Elements project — either at project creation (Import from a Devici file) or on an existing project’s Devici tab. See Importing into SD Elements.
-
SD Elements reads the imported attributes and generates Countermeasures, mapped to the project’s existing compliance frameworks.
-
Countermeasures push to the project’s connected Issue Tracker (Jira, GitHub, Azure DevOps) using the existing connector configuration.
-
When the Devici model changes, the user re-exports from Devici and re-uploads the new OTM file. See Re-importing an updated model.
Import from Devici is additive. It does not change existing SD Elements survey-driven projects, does not replace any Devici functionality, and does not introduce any new infrastructure.
Prerequisites
-
Active Devici license with at least one threat model authored in your Devici workspace.
-
Active SD Elements license on release
2026.6.1or later with Decision Engine enabled. -
Import from Devici feature flag enabled at the system level by an SD Elements administrator (off by default at upgrade). See Enabling Import from Devici.
Import from Devici is file-based — it does not require a network connection from SD Elements to the Devici workspace. The OTM file is exported from Devici by the user and uploaded into SD Elements. This works the same way on SaaS and on-premise deployments, including air-gapped deployments.
|
Import from Devici is available on SD Elements |
|
The Import from Devici flag is off by default on all SD Elements tenants when you upgrade to |
Permissions
Import from Devici uses the existing SD Elements global and project role model. No new privileges are introduced.
To import a Devici threat model into a project, a user needs the following project roles:
| Project role | What it controls |
|---|---|
Edit Project Survey |
Required to import a Devici threat model. The import writes the model’s attributes into the project’s survey, the same attribute pool the survey populates. |
Add Project Countermeasure |
Required to import a Devici threat model. The import adds the generated Countermeasures to the project, including the custom Countermeasures tagged devici created from custom Devici mitigations. |
Removing imported Devici content from a project requires the same two project roles, Edit Project Survey and Add Project Countermeasure. See Removing imported Devici content.
Enabling the Import from Devici feature flag is a separate, administrator-level action that uses the Manage Features permission. See Enabling Import from Devici.
What’s next
-
Enabling Import from Devici — turn on the Import from Devici system-wide flag in Manage Features.
-
Exporting an OTM from Devici — export a Devici threat model as an OTM document.
-
Importing into SD Elements — upload the OTM at project creation or on an existing project’s Devici tab, and generate Countermeasures from the imported attributes.
-
How Devici content maps — see how Devici elements, attributes, and threats become SD Elements primitives.
-
Re-importing an updated model — propagate Devici model changes into the project.
-
FAQ — licensing, behavior, roadmap, and known limitations.