🤖 AI Summary
Manual threat modeling for large-scale software systems is labor-intensive, error-prone, and difficult to scale. To address this, this paper proposes a semi-automated threat modeling framework based on call-graph clustering. The method constructs a fine-grained call graph and integrates density-based clustering (DBSCAN) with community detection algorithms, augmented by interpretable code-level metrics—such as code density—to automatically identify high-risk modules and potential security weaknesses. Its key innovation lies in synergistically combining program structure analysis with graph clustering techniques for precise threat region localization, thereby significantly enhancing the systematicity, scalability, and reproducibility of threat modeling in cloud-native environments. Empirical evaluation on the Splunk Forwarder Operator demonstrates that the approach accurately pinpoints security vulnerabilities arising from high-density coupling. Overall, it establishes a novel, efficient, and structured risk assessment paradigm for large-scale software systems.
📝 Abstract
Threat modeling plays a critical role in the identification and mitigation of security risks; however, manual approaches are often labor-intensive and prone to error. This paper investigates the automation of software threat modeling through the clustering of call graphs using density-based and community detection algorithms, followed by an analysis of the threats associated with the identified clusters. The proposed method was evaluated through a case study of the Splunk Forwarder Operator (SFO), wherein selected clustering metrics were applied to the software's call graph to assess pertinent code-density security weaknesses. The results demonstrate the viability of the approach and underscore its potential to facilitate systematic threat assessment. This work contributes to the advancement of scalable, semi-automated threat modeling frameworks tailored for modern cloud-native environments.
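As an added illustration of the clustering step the abstract describes (this is example code, not the paper's implementation or the SFO code base): a minimal DBSCAN over a constructed call graph using one-hop distance, followed by an assumed per-cluster code-density score used to rank regions for manual threat analysis. The toy graph, the eps/min_pts choices and the density definition are all assumptions; the paper's exact metrics are not given on this page.

```python
# Constructed toy call graph (an assumption, not the SFO call graph from the paper),
# caller -> callees; reconcile/applyConfig/fetchSecret form a tightly coupled core.
CALL_GRAPH = {
    "run": ["reconcile", "serveMetrics"], "version": [],  # version is isolated: expect noise
    "reconcile": ["applyConfig", "updateStatus", "fetchSecret"],
    "applyConfig": ["fetchSecret", "renderTemplate", "updateStatus", "reconcile"],
    "updateStatus": ["reconcile", "applyConfig"], "fetchSecret": ["applyConfig", "decodeSecret"],
    "renderTemplate": ["applyConfig"], "decodeSecret": [], "serveMetrics": ["collect", "healthz", "formatOutput"],
    "collect": ["healthz"], "healthz": [], "formatOutput": [],
}

def dbscan_calls(graph, min_pts=4):
    # DBSCAN with one-hop distance (eps = 1) on an undirected view of the call graph: a
    # core function has >= min_pts neighbours (itself, callers, callees). -1 marks noise.
    neigh = {n: {n} for n in graph}
    for caller, callees in graph.items():
        for callee in callees:
            neigh[caller].add(callee)
            neigh.setdefault(callee, {callee}).add(caller)
    labels, cluster = {}, 0
    for node in neigh:
        if node in labels or len(neigh[node]) < min_pts:
            continue
        frontier = [node]
        while frontier:
            m = frontier.pop()
            if m not in labels:
                labels[m] = cluster
                if len(neigh[m]) >= min_pts:  # only core functions expand the cluster
                    frontier.extend(neigh[m])
        cluster += 1
    return {n: labels.get(n, -1) for n in neigh}

def cluster_density(graph, labels):
    # Assumed code-density metric (the paper's exact definition is not on this page):
    # directed calls that stay inside a cluster, per member function. Noise is not scored.
    members, edges = {}, {}
    for fn, c in labels.items():
        if c != -1:
            members.setdefault(c, set()).add(fn)
    for caller, callees in graph.items():
        c = labels[caller]
        edges[c] = edges.get(c, 0) + sum(labels[x] == c for x in callees)
    return {c: edges.get(c, 0) / len(fns) for c, fns in members.items()}

def rank_clusters(graph, min_pts=4):
    # Densest cluster first: the candidate high-risk region to threat-model by hand.
    labels = dbscan_calls(graph, min_pts)
    dens = cluster_density(graph, labels)
    return [(c, round(dens[c], 3), sorted(f for f in labels if labels[f] == c))
            for c in sorted(dens, key=dens.get, reverse=True)]
```

On the toy graph the reconcile/applyConfig/fetchSecret region comes out as the densest cluster, the metrics/health functions form a second, sparser cluster, and the isolated `version` helper is reported as noise.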