Consolidate Scan Results
Escape spreadsheets and PDF reports forever
ThreadFix automatically consolidates, de-duplicates, and merges imported results from commercial and open source dynamic (DAST), static (SAST), and interactive (IAST) application scanning tools. It also tracks the results of manual testing and threat modeling, providing a unified view of the security state of all your applications.
Import Results from Multiple Scanning Tools
ThreadFix currently integrates with more than 30 SAST, DAST, and IAST application scanning tools, including IBM AppScan, HP Fortify, and HP WebInspect. Learn more about ThreadFix integrations.
Merge Vulnerabilities across SAST, DAST and IAST Application Scans
ThreadFix’s patent-pending Hybrid Analysis Mapping (HAM) technology saves security analysts time by removing the need to manually merge the results of static and dynamic testing activities using inefficient tools, such as Excel. See the full list of scanning tools ThreadFix currently supports.
Track Manual Findings
In addition to vulnerabilities identified by scanners, ThreadFix tracks vulnerabilities identified by manual testing and other assurance activities, such as penetration tests, code reviews, and threat modeling.
Consolidate and De-Duplicate Vulnerabilities
ThreadFix normalizes vulnerability data to identify duplicate SAST and DAST scan results, using the industry-standard MITRE Common Weakness Enumeration (CWE). Vulnerability metadata, such as attack surface location and source code control flows, is also tracked to support vulnerability analysis and resolution.
Scheduling Scan Orchestration with Scan Agents
ThreadFix maintains an internal queue of upcoming scans and configurations, allowing security teams to automate the task of scheduling and importing data with multiple DAST scanning technologies. See the full list of DAST scanning technologies ThreadFix currently supports.
Using its Hybrid Analysis Mapping (HAM) technology, ThreadFix performs lightweight static scans of an application’s source code to generate a list of hidden URL paths, injection points, and parameters that the application may not expose to a standard scanner's crawling engine. This data kickstarts the spidering process, offering better scan coverage for applications that expose these sorts of hidden capabilities.