# Architecture Modeling

> Map the components, data flows, and routes of target applications. Identify component-level risks and import infrastructure from cloud providers for a comprehensive architecture view.

## Overview

Architecture modeling in Pwnbook lets you build a structured map of the target application or infrastructure. Where threat modeling focuses on threats and attack vectors, architecture modeling focuses on the system itself — its components, how they communicate, what routes they expose, and where risks exist at the component level.

Architecture models are created per engagement and give your team a shared reference for the target's structure.

## Components

Components are the building blocks of your architecture model. They represent logical or physical units of the target system:

* Web applications
* APIs and microservices
* Databases
* Message queues
* External third-party services
* Mobile clients
* CDNs and load balancers
* Authentication providers
* Storage systems

### Adding components

1. Navigate to the **Architecture** tab in your engagement.
2. Click **Add Component**.
3. Enter the component name and select a component type.
4. Add optional metadata: version, technology stack, hosting environment, and notes.
5. Click **Save**.

Components appear in the architecture canvas. You can drag them to arrange them spatially.

## Data flows

Data flows represent how information moves between components. Defining data flows helps you understand trust boundaries, identify where sensitive data travels, and spot potential security issues in how components communicate.

### Adding a data flow

1. On the architecture canvas, hover over a source component until the connection handle appears.
2. Click and drag to a target component.
3. In the data flow editor that opens, specify:
   * **Name**: A descriptive label for what this flow represents (e.g., "User authentication request", "DB query with PII")
   * **Protocol**: HTTP, HTTPS, gRPC, WebSocket, AMQP, SQL, etc.
   * **Data classification**: What type of data flows (credentials, PII, payment data, general data)
   * **Authenticated**: Whether the flow requires authentication
4. Click **Save**.

Data flows appear as labeled arrows on the canvas.

## Routes

Routes document the specific API endpoints, URL paths, or entry points exposed by the target application. This complements the higher-level component view with specific, actionable attack surface data.

### Adding routes

1. Click on a component in the canvas to open its detail panel.
2. Go to the **Routes** tab.
3. Click **Add Route**.
4. Enter the route details:
   * **Method**: GET, POST, PUT, DELETE, etc.
   * **Path**: The URL path, e.g., `/api/v1/users/{id}`
   * **Description**: What the route does
   * **Authentication required**: Whether the route is protected
5. Click **Save**.

Routes can also be imported automatically from API specifications (OpenAPI/Swagger).
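The sketch below is an added example, not Pwnbook's importer: it shows how an OpenAPI document maps onto the four route fields listed above, including how the authentication flag follows from the spec's `security` keys. The output field names and the sample spec are constructed for illustration.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample spec (not from any real API).
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/api/v1/users/{id}": {
      "get": {"summary": "Fetch a user"},
      "delete": {"summary": "Delete a user", "security": [{"bearerAuth": ["admin"]}]}
    },
    "/api/v1/health": {"get": {"summary": "Liveness probe", "security": []}},
    "/api/v1/catalog": {"parameters": [],
                        "get": {"summary": "List products", "security": [{}, {"bearerAuth": []}]}}
  }
}
""")


def auth_required(operation, global_security):
    """Operation-level `security` overrides the top-level one, even when empty."""
    requirements = operation.get("security", global_security)
    # [] means no requirement; an empty {} alternative means anonymous access is allowed.
    return bool(requirements) and all(req for req in requirements)


def extract_routes(spec):
    """Return one row per operation with the four route fields from the list above."""
    global_security = spec.get("security", [])
    routes = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            routes.append({
                "method": method.upper(),
                "path": path,
                "description": operation.get("summary") or operation.get("description", ""),
                "authentication_required": auth_required(operation, global_security),
            })
    return sorted(routes, key=lambda r: (r["path"], r["method"]))


if __name__ == "__main__":
    for route in extract_routes(SAMPLE_SPEC):
        print(route)
```

The flag reflects only what the spec declares; whether the running service enforces it still has to be verified during testing.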

## Component risks

Each component can have risks associated with it. Risks represent security concerns you've identified at the component level, distinct from the detailed findings documented elsewhere.

### Adding a component risk

1. Click on a component to open its detail panel.
2. Go to the **Risks** tab.
3. Click **Add Risk**.
4. Describe the risk, assign a severity, and note any mitigating controls.
5. Click **Save**.

Component risks give you a clear picture of where the system's weakest points are, independent of specific vulnerabilities you've confirmed.

## Infrastructure import

<Note>Cloud infrastructure import requires the relevant cloud integration to be configured. See [AWS Integration](/integrations/aws).</Note>

Rather than manually creating components for every service in a cloud environment, Pwnbook can import your infrastructure directly from cloud providers.

### Importing from AWS

1. Ensure the AWS integration is configured for your organization (see [AWS Integration](/integrations/aws)).
2. In the **Architecture** tab, click **Import Infrastructure**.
3. Select **AWS** as the source.
4. Choose the AWS account and region to scan.
5. Select the resource types to import (EC2 instances, RDS databases, Lambda functions, S3 buckets, etc.).
6. Click **Import**.

Pwnbook creates components for each discovered resource and attempts to map data flows based on security group rules and VPC configuration.
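As an added illustration of the general idea (not Pwnbook's own mapping logic, which this page does not describe), the sketch below derives candidate data flows from security group ingress rules. The input is constructed sample data in the shape of `aws ec2 describe-security-groups` output; group names stand in for components, and only IPv4 ranges are handled.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-db"}]}]},
]}


def port_label(perm):
    """Render a rule's protocol and port range; "-1" means every protocol."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    proto = perm["IpProtocol"]
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def candidate_flows(data):
    """Return (source, target, ports) tuples implied by ingress rules."""
    names = {g["GroupId"]: g["GroupName"] for g in data["SecurityGroups"]}
    flows = []
    for group in data["SecurityGroups"]:
        target = group["GroupName"]
        for perm in group.get("IpPermissions", []):
            ports = port_label(perm)
            for pair in perm.get("UserIdGroupPairs", []):
                source = names.get(pair["GroupId"], pair["GroupId"])
                if source != target:  # self-references describe intra-tier traffic
                    flows.append((source, target, ports))
            for rng in perm.get("IpRanges", []):
                source = "internet" if rng["CidrIp"] == "0.0.0.0/0" else rng["CidrIp"]
                flows.append((source, target, ports))
    return flows


if __name__ == "__main__":
    for flow in candidate_flows(SAMPLE):
        print(" -> ".join(flow[:2]), flow[2])
```

A rule only shows that traffic is permitted, not that it occurs, so flows derived this way are worth reviewing and annotating with protocol and data classification by hand.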

## Exporting architecture diagrams

You can export the architecture canvas as an image or PDF for inclusion in reports or client deliverables:

1. Click the **Export** button in the canvas toolbar.
2. Choose the format (PNG, SVG, PDF).
3. The export downloads automatically.

## Relationship with threat modeling

Architecture and threat modeling are complementary. A common workflow is:

1. Build the architecture model first to understand the system's components and data flows.
2. Use the architecture model as the foundation for your threat model, adding threats and attack vectors on top of the component map.

Both models live in the same engagement, so you can switch between them and cross-reference as needed.
