PILLAR: An Automated Privacy Threat Modeling Tool Based on Large Language Models

PILLAR is an open-source tool developed by the Fondazione Bruno Kessler research institute. It uses large language models (LLMs) to implement the LINDDUN privacy threat modeling methodology, helping developers automatically identify privacy risks in software systems and provide mitigation recommendations. Its core value lies in democratizing the complex privacy threat modeling process, enabling developers without deep privacy expertise to perform effective analysis through natural language interaction or Data Flow Diagram (DFD) input.

In the data-driven era, privacy protection is a key part of software development, and regulations like GDPR impose strict compliance requirements on enterprises. Traditional privacy threat modeling relies on manual analysis, requiring deep domain knowledge from security experts, which becomes a bottleneck for development teams. LINDDUN, as a widely adopted privacy threat framework (covering 7 types of threats such as Linkability and Identifiability), is time-consuming and labor-intensive to execute manually, and it is easy to miss potential threats.

PILLAR's core functions include:

1. Multi-modal input: Supports natural language descriptions, DFD uploads, and DFD generation from images;
2. Three-tier analysis mode: SIMPLE (quick identification of obvious threats), LINDDUN GO (multi-agent collaborative analysis), LINDDUN PRO (precise identification based on detailed DFDs);
3. Risk assessment and recommendations: Evaluates threat impacts and provides mitigation strategies based on the Privacy Patterns knowledge base;
4. Report generation: Outputs standardized reports containing threats, risk ratings, recommendations, and compliance references, which can be used for audits or archiving.

PILLAR is developed in Python and uses Streamlit to build a user-friendly interface. It supports multiple LLM providers:

• OpenAI: Full functionality (including multi-agent collaboration);
• Mistral AI: Core threat modeling functions;
• Google Gemini: Alternative model option;
• Local models: Deployed via Ollama/LM Studio to meet the needs of local processing of sensitive data. This architecture reflects a deep understanding of privacy, allowing users to keep data in their local environment.

PILLAR is suitable for various scenarios:

• Agile development teams: Quickly identify privacy risks of new features during sprint planning to achieve shift-left privacy protection;
• Enterprise security teams: Provide standardized processes to establish a consistent privacy assessment system;
• Compliance auditors: Automatically generated reports can serve as evidence for GDPR compliance;
• Education field: Visually demonstrate the application of LINDDUN, providing a learning tool for students and junior practitioners.

PILLAR is based on solid academic research:

• Published a paper at the IWPE25 workshop (on the PILLAR methodology);
• An upcoming paper in the Journal of Information Security and Applications on benchmark research of multi-agent LLM collaborative privacy threat modeling; The research has verified the effectiveness of LLMs in this task, and the multi-agent mode significantly improves the coverage and accuracy of threat identification.

The PILLAR team's future plans include:

• Enhancing DFD management (multi-trust boundaries, color-coded visualization);
• Establishing a model performance evaluation framework to continuously compare the performance of different LLMs;
• Improving risk assessment methods and integrating the latest frameworks and recommendations;
• Optimizing prompt engineering to improve the accuracy of threat identification;
• Supporting export in Open Threat Modeling (OTM) format to enhance tool interoperability.

PILLAR represents an important direction in the field of privacy engineering: using AI to lower the threshold for professional security practices, combining the LINDDUN methodology with LLMs to provide accessible and scalable solutions for development teams. With the improvement of privacy regulations and the increase in public awareness, PILLAR will play a more important role in the software development lifecycle, and it is a worthwhile open-source project for organizations to enhance their privacy protection capabilities.