ThreatMapper
ThreatMapper is an open-source Cloud Native Application Protection Platform (CNAPP) that monitors production workloads and infrastructure for vulnerabilities, exposed secrets, and security misconfigurations. It combines agent-based sensors and agentless cloud scanning to provide runtime threat detection and risk-based prioritization across Kubernetes, Docker, VMs, and cloud environments.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | deepfence/ThreatMapper |
| Owner | deepfence |
| Primary language | TypeScript |
| License | Apache-2.0 — OSI-approved |
| Stars | 5.3k |
| Forks | 636 |
| Open issues | 143 |
| Latest release | v2.5.8 (2026-03-07) |
| Last updated | 2026-06-01 |
| Source | https://github.com/deepfence/ThreatMapper |
What ThreatMapper is
TypeScript-based CNAPP with a centralized Management Console (Docker/Kubernetes deployable) and distributed Sensor Agents that report telemetry, software manifests, and threat data. Includes Cloud Scanner tasks (Terraform-deployed) for cloud API queries and compliance benchmarking; generates ThreatGraph visualizations for attack path enumeration and risk ranking.
Get the ThreatMapper source
Clone the repository and explore it locally.
git clone https://github.com/deepfence/ThreatMapper.gitcd ThreatMapper# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Deploy Management Console on a dedicated, well-resourced Docker host or Kubernetes cluster with stable network access; sensors must reach the console over HTTPS/443 with valid API keys.
- Plan sensor placement: Kubernetes daemonset deployment, Docker socket mounting for container inspection, IAM roles for ECS/Fargate, or privileged Docker containers on bare-metal hosts—each requires different security postures.
- Cloud Scanner tasks use Terraform; allocate AWS/Azure/GCP credentials, IAM roles with read-only cloud resource access, and manage Terraform state securely to avoid credential exposure.
- Expect initial tuning of ThreatGraph risk rankings and compliance benchmarks to reduce false positives and align with your security policies; requires security domain knowledge.
- Plan for agent updates: v2.5.8 is current; subscribe to release notifications and test updates in staging before production rollout to avoid disruption.
When to avoid it — and what to weigh
- On-Premise Legacy Infrastructure Only — ThreatMapper is cloud-native focused; if your workloads are purely non-containerized legacy systems without Kubernetes or Docker, deployment and sensor coverage will be limited.
- Minimal Operational Overhead Required — Running a Management Console plus distributed Sensor Agents and Cloud Scanner tasks requires infrastructure, network connectivity between sensors and console, and operational familiarity with containerized deployments.
- Single-Vendor Lock-In Preference — ThreatMapper integrates with multiple cloud providers and container platforms; if you require a single-vendor solution with integrated support, consider commercial CNAPP offerings from your cloud provider.
- No Breach Detection or Incident Response — ThreatMapper focuses on vulnerability and compliance scanning, not real-time breach detection, forensics, or incident response automation; not a SIEM or SOC platform.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI-approved open-source license allowing use, modification, and distribution, including commercial use, provided that copies of the license and a statement of significant changes are included.
Apache-2.0 permits commercial use without royalty or licensing fees. However, commercial support, SLAs, and enterprise features (ThreatStryker) are offered separately by Deepfence. Self-hosted open-source deployments come without vendor support; ensure internal capability to maintain and troubleshoot, or evaluate commercial offerings if enterprise SLA and dedicated support are required.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
Sensors run with elevated privileges (host PID, net, privileged Docker, /sys/kernel/debug mount) to inspect runtime threats and dependencies; ensure trusted deployment environments. API key management between console and sensors must be secured (no plaintext in logs, rotate keys regularly). Terraform state for Cloud Scanner contains cloud credentials; protect with remote state backends and encryption. Container image sources (quay.io/deepfenceio) should be verified for integrity. No formal security audit results documented; contact [email protected] for vulnerability disclosure.
Alternatives to consider
Snyk Container & Cloud Security
Commercial CNAPP with strong registry scanning and cloud posture management; tighter CI/CD integration, but requires subscription and may have lock-in concerns.
Aqua Security Trivy + Platform
Trivy is an open-source vulnerability scanner with strong container/registry support; Aqua's commercial platform adds runtime protection and compliance. More modular than ThreatMapper, but requires separate components.
AWS Security Hub + CloudTrail + Config
Cloud-native alternative if AWS-only; integrated compliance monitoring and threat detection, but lacks multi-cloud support and container workload visibility that ThreatMapper provides.
Build on ThreatMapper with DEV.co software developers
Start with the official documentation at threatmapper.org/threatmapper/docs/v2.5/, deploy the Management Console on Docker or Kubernetes, and install Sensor Agents across your production platforms. Join the Deepfence Community Slack for support.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
ThreatMapper FAQ
Does ThreatMapper detect active breaches or intrusions?
Can I deploy ThreatMapper without a central Management Console?
Is ThreatMapper suitable for on-premise, non-containerized infrastructure?
What is the relationship between open-source ThreatMapper and commercial ThreatStryker?
Custom software development services
DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If ThreatMapper is part of your open-source devops roadmap, our team can implement, customize, migrate, and maintain it.
Ready to Deploy ThreatMapper?
Start with the official documentation at threatmapper.org/threatmapper/docs/v2.5/, deploy the Management Console on Docker or Kubernetes, and install Sensor Agents across your production platforms. Join the Deepfence Community Slack for support.