DEV.co
Open-Source DevOps · deepfence

ThreatMapper

ThreatMapper is an open-source Cloud Native Application Protection Platform (CNAPP) that monitors production workloads and infrastructure for vulnerabilities, exposed secrets, and security misconfigurations. It combines agent-based sensors and agentless cloud scanning to provide runtime threat detection and risk-based prioritization across Kubernetes, Docker, VMs, and cloud environments.

Source: GitHub — github.com/deepfence/ThreatMapper
5.3k
GitHub stars
636
Forks
TypeScript
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorydeepfence/ThreatMapper
Ownerdeepfence
Primary languageTypeScript
LicenseApache-2.0 — OSI-approved
Stars5.3k
Forks636
Open issues143
Latest releasev2.5.8 (2026-03-07)
Last updated2026-06-01
Sourcehttps://github.com/deepfence/ThreatMapper

What ThreatMapper is

TypeScript-based CNAPP with a centralized Management Console (Docker/Kubernetes deployable) and distributed Sensor Agents that report telemetry, software manifests, and threat data. Includes Cloud Scanner tasks (Terraform-deployed) for cloud API queries and compliance benchmarking; generates ThreatGraph visualizations for attack path enumeration and risk ranking.

Quickstart

Get the ThreatMapper source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/deepfence/ThreatMapper.gitcd ThreatMapper# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Production Cloud-Native Security Observability

Monitor running Kubernetes clusters, Docker hosts, and ECS/Fargate deployments for emerging vulnerabilities and runtime threats without halting deployments. Continuous compliance monitoring against industry benchmarks.

Multi-Cloud Configuration Compliance

Use Cloud Scanner tasks to assess AWS, Azure, and GCP infrastructure against compliance frameworks. Identify configuration drift and security deviations in cloud-provisioned resources without agents.

DevSecOps Risk Prioritization Workflow

Shift-left security practices by extending vulnerability scanning from CI/CD into production, then rank detected threats by exploitability and attack paths using ThreatGraph for resource-constrained remediation planning.

Implementation considerations

  • Deploy Management Console on a dedicated, well-resourced Docker host or Kubernetes cluster with stable network access; sensors must reach the console over HTTPS/443 with valid API keys.
  • Plan sensor placement: Kubernetes daemonset deployment, Docker socket mounting for container inspection, IAM roles for ECS/Fargate, or privileged Docker containers on bare-metal hosts—each requires different security postures.
  • Cloud Scanner tasks use Terraform; allocate AWS/Azure/GCP credentials, IAM roles with read-only cloud resource access, and manage Terraform state securely to avoid credential exposure.
  • Expect initial tuning of ThreatGraph risk rankings and compliance benchmarks to reduce false positives and align with your security policies; requires security domain knowledge.
  • Plan for agent updates: v2.5.8 is current; subscribe to release notifications and test updates in staging before production rollout to avoid disruption.

When to avoid it — and what to weigh

  • On-Premise Legacy Infrastructure Only — ThreatMapper is cloud-native focused; if your workloads are purely non-containerized legacy systems without Kubernetes or Docker, deployment and sensor coverage will be limited.
  • Minimal Operational Overhead Required — Running a Management Console plus distributed Sensor Agents and Cloud Scanner tasks requires infrastructure, network connectivity between sensors and console, and operational familiarity with containerized deployments.
  • Single-Vendor Lock-In Preference — ThreatMapper integrates with multiple cloud providers and container platforms; if you require a single-vendor solution with integrated support, consider commercial CNAPP offerings from your cloud provider.
  • No Breach Detection or Incident Response — ThreatMapper focuses on vulnerability and compliance scanning, not real-time breach detection, forensics, or incident response automation; not a SIEM or SOC platform.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI-approved open-source license allowing use, modification, and distribution, including commercial use, provided that copies of the license and a statement of significant changes are included.

Apache-2.0 permits commercial use without royalty or licensing fees. However, commercial support, SLAs, and enterprise features (ThreatStryker) are offered separately by Deepfence. Self-hosted open-source deployments come without vendor support; ensure internal capability to maintain and troubleshoot, or evaluate commercial offerings if enterprise SLA and dedicated support are required.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Sensors run with elevated privileges (host PID, net, privileged Docker, /sys/kernel/debug mount) to inspect runtime threats and dependencies; ensure trusted deployment environments. API key management between console and sensors must be secured (no plaintext in logs, rotate keys regularly). Terraform state for Cloud Scanner contains cloud credentials; protect with remote state backends and encryption. Container image sources (quay.io/deepfenceio) should be verified for integrity. No formal security audit results documented; contact [email protected] for vulnerability disclosure.

Alternatives to consider

Snyk Container & Cloud Security

Commercial CNAPP with strong registry scanning and cloud posture management; tighter CI/CD integration, but requires subscription and may have lock-in concerns.

Aqua Security Trivy + Platform

Trivy is an open-source vulnerability scanner with strong container/registry support; Aqua's commercial platform adds runtime protection and compliance. More modular than ThreatMapper, but requires separate components.

AWS Security Hub + CloudTrail + Config

Cloud-native alternative if AWS-only; integrated compliance monitoring and threat detection, but lacks multi-cloud support and container workload visibility that ThreatMapper provides.

Software development agency

Build on ThreatMapper with DEV.co software developers

Start with the official documentation at threatmapper.org/threatmapper/docs/v2.5/, deploy the Management Console on Docker or Kubernetes, and install Sensor Agents across your production platforms. Join the Deepfence Community Slack for support.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

ThreatMapper FAQ

Does ThreatMapper detect active breaches or intrusions?
No. ThreatMapper is a vulnerability and compliance scanning platform, not a SIEM or intrusion detection system. It identifies software vulnerabilities, exposed secrets, and configuration deviations—not active exploits or breach evidence.
Can I deploy ThreatMapper without a central Management Console?
No. Sensor Agents require a centralized Management Console (deployed on Docker or Kubernetes) to report and aggregate findings. The Console is mandatory.
Is ThreatMapper suitable for on-premise, non-containerized infrastructure?
Limited suitability. ThreatMapper is optimized for cloud-native and containerized workloads. Bare-metal/VM support exists via Docker-in-Docker agents, but full compliance and threat detection depth may be reduced.
What is the relationship between open-source ThreatMapper and commercial ThreatStryker?
ThreatMapper (open-source, Apache-2.0) is the community version. ThreatStryker is the commercial enterprise version with additional features, offered as SaaS or on-premises by Deepfence. Both share core scanning logic but differ in support, SLA, and feature set.

Custom software development services

DEV.co is a software development agency delivering custom software development services to companies building on open source. Our software developers and web developers design, integrate, and ship production systems — spanning web development, APIs, AI, data, and cloud. If ThreatMapper is part of your open-source devops roadmap, our team can implement, customize, migrate, and maintain it.

Ready to Deploy ThreatMapper?

Start with the official documentation at threatmapper.org/threatmapper/docs/v2.5/, deploy the Management Console on Docker or Kubernetes, and install Sensor Agents across your production platforms. Join the Deepfence Community Slack for support.