Deepfence open-sources ThreatMapper to find and rank software vulnerabilities

Join gaming leaders online at GamesBeat Summit Next this upcoming November 9-10. Learn more about what comes next. 

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

Deepfence, a cloud-native security observability platform used by companies such as Amyris, Flexport, and Harness, has open-sourced a tool that automatically finds, maps, and ranks application vulnerabilities across environments.

Founded in 2017, Deepfence focuses chiefly on protecting cloud-native workloads, spanning serverless, Kubernetes, container, and multi-cloud deployments. With Kubernetes, for example, companies can deploy Deepfence to analyze network traffic, file-system integrity, running processes, and more. It also works natively with managed Kubernetes services including OpenShift, Google GKE, and Amazon EKS.

While Deepfence has always offered an enterprise edition and a community incarnation known as ThreatMapper, the latter of these is now being released under an open source license from tomorrow, October 14.

The announcement comes as software supply chain attacks explode, with “upstream” open source components often in the firing line. Countless organizations, from government agencies to corporations, have been hit by targeted software supply chain attacks in the past year, leading President Biden to issue an executive order outlining measures to combat the threats, while “big tech” has also upped their investments in protecting critical open source software.

Securing the software supply chain

ThreatMapper scans runtime environments for vulnerabilities across the software supply chain, helping companies to contextualize identified threats and prioritize ones that need to be addressed urgently.

At a time when many companies are “shifting left” in terms of focusing their security checks earlier in the development (pre-deployment) process, ThreatMapper acknowledges that vulnerabilities still very much exist in production software, scanning proprietary and third-party (e.g., open source) applications, and components for vulnerabilities.

ThreatMapper is built on top of dozens of community feeds that are used by other open source software security scanners out there, including the National Vulnerability Database (NVD). It also funnels into databases from various vendors, operating system distributions, language maintainers, and GitHub repositories.

Above: ThreatMapper by Deepfence is going open source

Deepfence initially launched ThreatMapper as a freemium, proprietary product last year, and in the intervening months, the company has worked with “early adopters” from the developer security operations (DevSecOps) community to refine the product and make it fully open source.

“ThreatMapper has been a learning experience, as we considered how the technology would evolve, how it could be put to use, and what business model we would put in place to sustain it,” Deepfence’s head of products and community Owen Garrett told VentureBeat. “Open-sourcing the technology too early would have been a distraction and would have created external pressure, while we iterated on different roadmaps and models.”

While ThreatMapper will shortly be available under an Apache 2.0 license, Deepfence is also renaming its commercial enterprise product as ThreatStryker, which is being transitioned into a runtime threat mitigation product using insights from ThreatMapper to model the “evolution of sophisticated attacks,” providing advance warnings of threats and taking actions to block the source of the attack and quarantine any workload that has been compromised.

In the coming months, Deepfence is also planning to migrate some existing premium features over to the open source project, such as deep packet inspection (DPI) for network traffic and network and resource anomaly detection. It is also preparing to develop Deepfence into more of a platform by launching APIs to enable developers to integrate ThreatMapper insights into other apps.

“Experimenting in private, without open-sourcing the code too early, has allowed us to come up with a community and enterprise model that we believe will serve the community very well,” Garrett said.


VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.

Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member

Deepfence open-sources ThreatMapper to find and rank software vulnerabilities