Introduction
ThreatMapper by Deepfence is a runtime security platform that discovers and ranks threats across your cloud infrastructure. It deploys lightweight sensors on hosts and Kubernetes clusters to scan for vulnerabilities, exposed secrets, malware, and compliance violations, then ranks findings by exploit likelihood to help teams prioritize remediation.
What ThreatMapper Does
- Scans container images, hosts, and serverless containers (AWS Fargate) for known vulnerabilities (CVEs)
- Detects exposed secrets, API keys, and credentials in running workloads
- Performs malware scanning using YARA rules across file systems and container layers
- Checks compliance against CIS benchmarks for Linux, Docker, and Kubernetes
- Generates a threat graph ranking vulnerabilities by attack path and exploitability
Architecture Overview
ThreatMapper has two parts: a management console (web UI and REST API) and distributed sensors. Sensors run as containers on individual hosts or as a Kubernetes DaemonSet, collecting inventory, network-flow and scan data from the workloads they sit next to. The console aggregates the results, correlates findings across the discovered topology, and builds a threat graph that maps attack paths from the internet to sensitive assets. For vulnerability scanning it uses Syft to generate an SBOM and Grype to match packages against vulnerability databases; secrets and malware are found by Deepfence's own detectors (SecretScanner and the YARA-based YaraHunter).
Self-Hosting & Configuration
- Deploy the management console with Docker Compose on a dedicated host, or with the Helm chart into a Kubernetes cluster
- Install sensors on each workload host or as a Kubernetes DaemonSet
- Configure cloud connectors for AWS, Azure, or GCP to discover cloud-native resources
- Set up notification integrations (Slack, Jira, PagerDuty, Splunk, Elasticsearch)
- Schedule periodic scans or trigger on-demand scans from the console
Key Features
- Unified scanning for vulnerabilities, secrets, malware, and compliance in one platform
- Threat graph with exploit-path ranking for prioritized remediation
- Runtime topology visualization showing connections between workloads
- Support for Kubernetes, Docker, bare metal and AWS Fargate (serverless containers)
- REST API and CI/CD integration for shift-left security scanning
Comparison with Similar Tools
- Trivy — CLI vulnerability scanner; ThreatMapper adds runtime topology, threat graphs, and centralized management
- Falco — Runtime threat detection via syscall monitoring; ThreatMapper focuses on vulnerability and compliance scanning
- Wiz / Prisma Cloud — Commercial CNAPPs; ThreatMapper is open source and self-hosted
- Grype — Container image CVE scanner; ThreatMapper extends scanning to running workloads with attack-path analysis
FAQ
Q: Does ThreatMapper require privileged containers? A: Yes. The documented sensor deployment runs the agent container in privileged mode, in the host PID and network namespaces, with the host root filesystem bind-mounted read-only, so it can inventory processes, connections and files on the host. Treat the sensor as a highly privileged component: restrict who can schedule it, and protect the console API key it uses to enrol.
Q: Can I scan container registries without deploying sensors? A: Yes. ThreatMapper supports registry scanning for Docker Hub, ECR, GCR, and other OCI-compatible registries directly from the console.
Q: How is the threat graph different from a regular vulnerability report? A: A vulnerability report lists every CVE found, usually sorted by CVSS. The threat graph instead maps observed network paths from external-facing services to vulnerable internal workloads and ranks findings by how reachable they are along those paths, so a critical CVE on an isolated worker sorts below a medium one on the internet-facing frontend.
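To make the ranking idea concrete (both the "threat graph" bullet above and this FAQ answer), here is an added illustrative example in Python. It is not ThreatMapper's code: it models a console that flattens a Grype-shaped JSON report per workload (the shape Grype emits: `matches[].vulnerability.{id,severity,cvss[].metrics.baseScore}` and `matches[].artifact.{name,version}`), overlays constructed network flows, and ranks each finding by CVSS divided by hop count from an `internet` pseudo-node. The reports, flows, scoring formula and placeholder CVE identifiers are all constructed for the example.

```python
"""Attack-path ranking over per-workload CVE matches plus network topology.

Added illustrative example, not ThreatMapper's own code.  Inputs are a
hand-written, Grype-shaped report per workload (trimmed to the fields used)
and a constructed list of observed flows.  CVE identifiers are placeholders,
not real vulnerabilities; the exposure formula is an assumption for illustration.
"""
import json
from collections import deque

# Constructed sample: four workloads, one Grype-style report each.
SAMPLE_REPORTS = {
    "web-frontend": {"matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Medium",
                           "cvss": [{"metrics": {"baseScore": 6.5}}]},
         "artifact": {"name": "libexample", "version": "1.0"}},
    ]},
    "api": {"matches": [
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                           "cvss": [{"metrics": {"baseScore": 9.8}}]},
         "artifact": {"name": "frameworkx", "version": "2.3"}},
    ]},
    "db": {"matches": [
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                           "cvss": [{"metrics": {"baseScore": 9.0}}]},
         "artifact": {"name": "dbengine", "version": "14"}},
        # Grype can emit a match with an empty cvss list; exercise that path.
        {"vulnerability": {"id": "CVE-0000-0005", "severity": "High", "cvss": []},
         "artifact": {"name": "libparse", "version": "0.9"}},
    ]},
    "worker": {"matches": [
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Critical",
                           "cvss": [{"metrics": {"baseScore": 9.8}}]},
         "artifact": {"name": "frameworkx", "version": "2.3"}},
    ]},
}

# Constructed observed flows (src, dst).  "internet" is a pseudo-node for
# traffic from outside; "worker" only ever receives traffic from "queue".
SAMPLE_FLOWS = [
    ("internet", "web-frontend"),
    ("web-frontend", "api"),
    ("api", "db"),
    ("queue", "worker"),
]

# Coarse score used when a match carries no CVSS vector (assumed mapping).
SEVERITY_FALLBACK = {"critical": 9.0, "high": 7.5, "medium": 5.0, "low": 2.5}


def parse_grype_matches(report):
    """Flatten a Grype-style report (dict or JSON string) into finding dicts."""
    if isinstance(report, str):
        report = json.loads(report)
    findings = []
    for m in report.get("matches", []):
        vuln = m["vulnerability"]
        cvss = vuln.get("cvss") or []
        if cvss:
            score = float(cvss[0]["metrics"]["baseScore"])
        else:
            score = SEVERITY_FALLBACK.get(vuln.get("severity", "").lower(), 0.0)
        findings.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "cvss": score,
            "package": f'{m["artifact"]["name"]}@{m["artifact"]["version"]}',
        })
    return findings


def shortest_attack_paths(flows, source="internet"):
    """BFS over directed flows; returns {node: shortest path from source}."""
    adj = {}
    for src, dst in flows:
        adj.setdefault(src, []).append(dst)
    paths = {source: [source]}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def rank_findings(reports, flows, source="internet"):
    """Rank findings by exposure = CVSS / hops from source.

    Findings on workloads with no path from the source get exposure 0 and sort
    below every reachable finding (ties broken by raw CVSS).  That is the
    difference between an attack-path ranking and a plain CVSS sort.
    """
    paths = shortest_attack_paths(flows, source)
    ranked = []
    for node, report in reports.items():
        path = paths.get(node)
        hops = len(path) - 1 if path else None
        for f in parse_grype_matches(report):
            exposure = f["cvss"] / hops if hops else 0.0
            ranked.append({**f, "node": node, "path": path, "exposure": round(exposure, 2)})
    ranked.sort(key=lambda r: (r["exposure"], r["cvss"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for r in rank_findings(SAMPLE_REPORTS, SAMPLE_FLOWS):
        route = " -> ".join(r["path"]) if r["path"] else "unreachable from internet"
        print(f'{r["exposure"]:5.2f}  {r["id"]}  {r["node"]:<12} cvss={r["cvss"]}  {route}')
```

Run as-is and the medium-severity finding on `web-frontend` (one hop from the internet) tops the list, while the critical finding on the isolated `worker` drops to the bottom with exposure 0; a plain CVSS sort would have put `worker` first. Real attack-path scoring also weighs factors such as exploit availability, which this toy formula ignores.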
Q: Is there a SaaS version available? A: ThreatMapper itself is the open-source, self-hosted community edition. Deepfence's commercial product, ThreatStryker, builds on it and adds further features; check Deepfence's current offerings for hosted options.