Skip to main content
Version: v2.1

ThreatMapper Architecture

The ThreatMapper product consists of a Management Console, and multiple Sensor Agents and Cloud Scanner tasks that are deployed within your production platform(s).

ThreatMapper Components

The Management Console is deployed first. The Management console generates an API key and a URL which you will need when you install the Sensor containers and Cloud Scanner tasks.

The Management Console is managed over TLS (port 443), used for administrative traffic (web browser and API) and for sensor traffic. You should firewall or secure access to this port so that only authorised admin users and remote production platforms are able to connect.

Agent-Less and Agent-Based operation

ThreatMapper uses both agent-less and agent-based operations to discover the widest-possible range of threats and render them in 'Threat Graphs' and 'Threat Maps'. You can use either or both operations, and can configure their access to your production and non-production systems in line with your own security posture.

Agent-Less (Cloud Connector)Agent-Based (Sensor Agent)
ImplementationDirect access to infrastructure APIs, using a secured Cloud Connector task, deployed local to the cloud instanceLightweight, privileged sensor agent container with access to local resources on the host
VisibilityCloud configuration and assets, as exposed through cloud or infrastructure APILocal assets, including filesystem, process list, local containers and pods, and kernel interfaces
CapabilityIdentifies deviation from good practice configuration ("Compliance Scanning") for cloud platformsIdentifies network flows and performs vulnerability, secret and local host (Linux/Kubernetes) compliance scanning
OutputAgent-less data is reported in the 'Threat Graph', which shows compliance-related issuesAgent-based data is reported in the Threat Map (for vulnerabilities, secrets etc) and Threat Graph (for compliance issues)