ThreadFix is one of the original application vulnerability management platforms, now powered by a modern Kubernetes-based architecture.
It aggregates results from multiple security tools and provides risk-based prioritization for remediation efforts.
What is ThreadFix?
ThreadFix was created by Denim Group and has been a staple in the application security industry for over a decade.
It provides a centralized platform for managing vulnerability data from various security testing tools.
The platform was acquired by Coalfire, a cybersecurity consulting and assessment firm, in 2021.
ThreadFix 3.1 introduced a complete architectural overhaul built on Kubernetes-managed microservices; Coalfire credits the rewrite with 10x+ faster scan ingestion and the ability to scale horizontally.
Key Features
Vulnerability Aggregation
ThreadFix imports results from numerous security tools:
- SAST - Fortify, Checkmarx, Veracode, SonarQube
- DAST - Burp Suite, OWASP ZAP, Qualys WAS
- SCA - OWASP Dependency-Check, Snyk, Black Duck
- Penetration Testing - Manual findings import
Risk-Based Prioritization
ThreadFix calculates risk scores based on:
- Vulnerability severity (CVSS)
- Application criticality
- Exposure and exploitability
- Business context
Defect Tracker Integration
Seamless integration with issue trackers:
- Jira
- Azure DevOps
- Bugzilla
- GitHub Issues
Vulnerabilities can be pushed automatically to development teams as tickets in the tracker they already use, and ticket status is synced back so the vulnerability record reflects remediation progress.
How It Works
Security Tools → ThreadFix → Prioritized Findings → Defect Tracker
                     ↑                                    │
                     └──────── Remediation Feedback ──────┘
ThreadFix closes the loop in two directions: ticket status from the defect tracker updates the vulnerability record, and a later scan that no longer reports a finding marks it closed, so remediation progress is tracked against the original findings rather than against tickets alone.
Architecture
ThreadFix 3.1 runs as microservices in a Kubernetes-managed container cluster.
Key architectural improvements:
- Horizontal scaling with configurable processing services
- Rewritten ingestion and merge logic for faster processing
- Container-based deployment for cloud or on-premises environments
Deployment options include SaaS (managed by Coalfire) and self-hosted enterprise installations for air-gapped environments.
Key Capabilities
Vulnerability Correlation
ThreadFix correlates findings across tools:
| Source | Finding | Location |
|---|---|---|
| SAST Tool A | SQL Injection | users.java:142 |
| SAST Tool B | Query Flaw | users.java:142 |
| DAST Scanner | SQLi | /api/users |
All three findings are correlated as a single vulnerability. Merging the two static findings needs only a shared location and a common vulnerability taxonomy (ThreadFix normalizes each tool's own names to CWE); merging them with the dynamic finding additionally requires mapping the scanned endpoint back to the code that serves it, which ThreadFix calls Hybrid Analysis Mapping.
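The following is an added illustration of the correlation step, not ThreadFix's own merge logic. It normalizes tool-specific finding names to CWE, merges static findings that share a code location, merges dynamic findings that share an endpoint and parameter, and then links a dynamic group to a static group through an assumed endpoint-to-source route map (the tool names, CWE table, route map and the extra XSS finding are all constructed for the example).

```python
"""Cross-tool finding correlation (constructed illustration, not ThreadFix's algorithm)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping from each tool's vulnerability name to a canonical CWE id.
# Real mappings are tool-specific and much larger.
CWE_BY_TOOL_NAME = {
    ("SAST Tool A", "SQL Injection"): "CWE-89",
    ("SAST Tool B", "Query Flaw"): "CWE-89",
    ("DAST Scanner", "SQLi"): "CWE-89",
    ("SAST Tool A", "Cross-Site Scripting"): "CWE-79",
    ("DAST Scanner", "Reflected XSS"): "CWE-79",
}


@dataclass(frozen=True)
class Finding:
    tool: str
    name: str
    kind: str                      # "static" (code location) or "dynamic" (endpoint)
    file: Optional[str] = None
    line: Optional[int] = None
    path: Optional[str] = None
    parameter: Optional[str] = None


@dataclass
class Vulnerability:
    cwe: str
    file: Optional[str]
    line: Optional[int]
    path: Optional[str]
    sources: list = field(default_factory=list)   # tools that reported it


def normalize(f: Finding) -> str:
    """Canonical CWE for a tool-specific name; unknown names fall back to the raw name."""
    return CWE_BY_TOOL_NAME.get((f.tool, f.name), f.name)


def correlate(findings, route_map):
    """Merge findings into Vulnerability records.

    route_map is an assumed {url_path: source_file} mapping standing in for the
    framework analysis that ties a scanned endpoint to the code serving it.
    """
    by_static, by_dynamic = {}, {}
    for f in findings:
        cwe = normalize(f)
        if f.kind == "static":
            key = (cwe, f.file, f.line)
            v = by_static.setdefault(key, Vulnerability(cwe, f.file, f.line, None))
        else:
            key = (cwe, f.path, f.parameter)
            v = by_dynamic.setdefault(key, Vulnerability(cwe, None, None, f.path))
        v.sources.append(f.tool)

    merged = list(by_static.values())
    for (cwe, path, _param), dyn in by_dynamic.items():
        target_file = route_map.get(path)
        # First static group in the same file with the same CWE wins; distinguishing
        # several same-CWE sinks in one file would need data-flow detail we do not have.
        match = next((v for v in merged if v.cwe == cwe and v.file == target_file), None)
        if match:
            match.path = path
            match.sources.extend(dyn.sources)
        else:
            merged.append(dyn)   # no known code location: keep as a dynamic-only vulnerability
    return merged


# Constructed sample mirroring the table above, plus an XSS seen only by the DAST scanner.
SAMPLE_FINDINGS = [
    Finding("SAST Tool A", "SQL Injection", "static", file="users.java", line=142),
    Finding("SAST Tool B", "Query Flaw", "static", file="users.java", line=142),
    Finding("DAST Scanner", "SQLi", "dynamic", path="/api/users", parameter="id"),
    Finding("DAST Scanner", "Reflected XSS", "dynamic", path="/api/search", parameter="q"),
]
SAMPLE_ROUTES = {"/api/users": "users.java", "/api/search": "search.java"}   # assumed


def demo():
    return correlate(SAMPLE_FINDINGS, SAMPLE_ROUTES)


if __name__ == "__main__":
    for v in demo():
        print(v.cwe, v.file, v.line, v.path, sorted(v.sources))
```

The four sample findings collapse to two vulnerabilities: one SQL injection backed by three tools and located at both a code line and an endpoint, and one XSS known only from the outside. The dynamic-only case matters in practice: a finding with no code location can still be ticketed, but it cannot be merged with future static results until the route map learns which handler serves `/api/search`.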
Trend Analytics
Track security posture over time:
- New vs. closed vulnerabilities
- Mean time to remediation
- Team performance metrics
- Compliance status
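As an added example (not code from ThreadFix or Coalfire), the functions below compute the first three metrics in that list from a vulnerability history: new vs. closed counts per month, mean time to remediation grouped by team or by severity, and the open backlog with an SLA check. The records, team names, dates and SLA deadlines are constructed; a real deployment would pull this data from the platform's API.

```python
"""Remediation trend metrics over a vulnerability history (constructed illustration)."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample: (team, severity, first seen, closed on or None) per correlated vulnerability.
SAMPLE_VULNS = [
    ("payments", "Critical", date(2024, 1, 5),  date(2024, 1, 12)),
    ("payments", "High",     date(2024, 1, 20), date(2024, 2, 25)),
    ("payments", "Medium",   date(2024, 2, 3),  None),
    ("web",      "High",     date(2024, 1, 8),  date(2024, 1, 10)),
    ("web",      "Low",      date(2024, 2, 14), date(2024, 3, 1)),
    ("web",      "Critical", date(2024, 2, 20), None),
]


def month(d):
    return f"{d.year:04d}-{d.month:02d}"


def new_vs_closed(vulns):
    """Per month, how many vulnerabilities were first seen and how many were closed."""
    counts = defaultdict(lambda: {"new": 0, "closed": 0})
    for _team, _sev, opened, closed in vulns:
        counts[month(opened)]["new"] += 1
        if closed is not None:
            counts[month(closed)]["closed"] += 1
    return dict(sorted(counts.items()))


def mttr_days(vulns, by="team"):
    """Mean time to remediation in days over closed vulnerabilities only, grouped by team or severity.

    Open items are excluded on purpose: including them with today's date would make MTTR
    look better every time a team stops closing tickets.
    """
    idx = 0 if by == "team" else 1
    buckets = defaultdict(list)
    for rec in vulns:
        opened, closed = rec[2], rec[3]
        if closed is not None:
            buckets[rec[idx]].append((closed - opened).days)
    return {k: round(mean(v), 1) for k, v in buckets.items()}


def open_backlog(vulns, as_of):
    """Still-open vulnerabilities as (team, severity, age in days), oldest first."""
    open_items = [(team, sev, (as_of - opened).days)
                  for team, sev, opened, closed in vulns if closed is None]
    return sorted(open_items, key=lambda r: -r[2])


def sla_breaches(vulns, as_of, max_days):
    """Open vulnerabilities older than their severity's deadline; max_days is {severity: allowed days}.

    This is the complement of MTTR: MTTR only sees what got fixed, the backlog age
    shows what is being ignored.
    """
    return [(team, sev, age) for team, sev, age in open_backlog(vulns, as_of)
            if age > max_days.get(sev, float("inf"))]


# Assumed remediation deadlines in days per severity (constructed policy).
SAMPLE_SLA = {"Critical": 7, "High": 30, "Medium": 90}

if __name__ == "__main__":
    today = date(2024, 3, 15)
    print(new_vs_closed(SAMPLE_VULNS))
    print(mttr_days(SAMPLE_VULNS, by="team"))
    print(mttr_days(SAMPLE_VULNS, by="severity"))
    print(open_backlog(SAMPLE_VULNS, today))
    print(sla_breaches(SAMPLE_VULNS, today, SAMPLE_SLA))
```

Run as of 2024-03-15, the sample shows payments closing items in 21.5 days on average against 9.0 for web, yet it is the web team that holds the SLA breach: a Critical open for 24 days against a 7-day deadline. Reporting MTTR without backlog age would hide that.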
API Access
ThreadFix provides a comprehensive REST API:
# Example: list the vulnerabilities for application ID 1
# (abc123 is a placeholder; keep real keys in a secret store, never in scripts or shell history)
curl -X GET "https://threadfix.example.com/rest/v3/applications/1/vulnerabilities" \
  -H "Accept: application/json" \
  -H "Authorization: APIKEY abc123"
Integration
ThreadFix integrates across the security and development lifecycle:
| Category | Integrations |
|---|---|
| Scanning | SAST, DAST, SCA, threat modeling tools |
| Issue Tracking | Jira, Azure DevOps, Bugzilla, GitHub Issues |
| GRC | Compliance and risk management platforms |
| CI/CD | Jenkins, GitHub Actions, GitLab CI |
CI/CD Example
# GitHub Actions step (URL, app ID and key come from repository variables/secrets, not the workflow file)
- name: Upload to ThreadFix
  env:
    THREADFIX_URL: ${{ vars.THREADFIX_URL }}
    APP_ID: ${{ vars.THREADFIX_APP_ID }}
    API_KEY: ${{ secrets.THREADFIX_API_KEY }}
    SCAN_FILE: path/to/scan-report.xml   # report written by the preceding scan step
  run: |
    curl --fail -X POST "$THREADFIX_URL/rest/v3/applications/$APP_ID/upload" \
      -H "Authorization: APIKEY $API_KEY" \
      -F "file=@$SCAN_FILE"
When to Use ThreadFix
ThreadFix fits organizations with multiple security testing tools that need centralized vulnerability tracking, defect tracker integration, and remediation metrics.
The Kubernetes-based architecture handles high-volume environments efficiently.
Note: Coalfire discontinued the ThreadFix SaaS platform in 2025. Coalfire now focuses on Programmatic Application Security offerings, including threat modeling and SAST/DAST services.