ThreadFix

DEPRECATED
Category: ASPM
License: Commercial
Suphi Cankurt
Updated February 20, 2026
Key Takeaways
  • Discontinued by Coalfire in 2025 — SaaS platform no longer available. Coalfire now focuses on Programmatic Application Security services.
  • Was one of the original ASPM platforms (created by Denim Group), aggregating SAST, DAST, and SCA findings with risk-based prioritization and defect tracker integration.
  • ThreadFix 3.1 introduced Kubernetes microservices architecture with 10x+ vulnerability ingestion speed and horizontal scaling.
  • Alternatives: ArmorCode (320+ tool integrations), DefectDojo (free, open-source), Software Risk Manager (Black Duck, 150+ tools).

ThreadFix is one of the original application vulnerability management platforms, now powered by a modern Kubernetes-based architecture.

It aggregates results from multiple security tools and provides risk-based prioritization for remediation efforts.

What is ThreadFix?

ThreadFix was created by Denim Group and has been a staple in the application security industry for over a decade.

It provides a centralized platform for managing vulnerability data from various security testing tools.

The platform was acquired by Coalfire, a cybersecurity consulting firm.

ThreadFix 3.1 introduced a complete architectural overhaul with Kubernetes-managed microservices, resulting in 10x+ ingestion speed improvements and horizontal scaling capabilities.

Key Features

Vulnerability Aggregation

ThreadFix imports results from numerous security tools:

  • SAST - Fortify, Checkmarx, Veracode, SonarQube
  • DAST - Burp Suite, OWASP ZAP, Qualys WAS
  • SCA - OWASP Dependency-Check, Snyk, Black Duck
  • Penetration Testing - Manual findings import

Risk-Based Prioritization

ThreadFix calculates risk scores based on:

  • Vulnerability severity (CVSS)
  • Application criticality
  • Exposure and exploitability
  • Business context

Defect Tracker Integration

Seamless integration with issue trackers:

  • Jira
  • Azure DevOps
  • Bugzilla
  • GitHub Issues

Vulnerabilities can be automatically pushed to development teams.

How It Works

Security Tools → ThreadFix → Prioritized Findings → Defect Tracker
     ↑                                                    ↓
     └──────────── Remediation Feedback ──────────────────┘

ThreadFix provides a feedback loop for tracking remediation progress.

Architecture

ThreadFix 3.1 runs as microservices in a Kubernetes-managed container cluster.

Key architectural improvements:

  • Horizontal scaling with configurable processing services
  • Rewritten ingestion and merge logic for faster processing
  • Container-based deployment for cloud or on-premises environments

Deployment options include SaaS (managed by Coalfire) and self-hosted enterprise installations for air-gapped environments.

Key Capabilities

Vulnerability Correlation

ThreadFix correlates findings across tools:

Source         Finding         Location
SAST Tool A    SQL Injection   users.java:142
SAST Tool B    Query Flaw      users.java:142
DAST Scanner   SQLi            /api/users

All three findings are correlated as a single vulnerability.
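As an added illustration (not ThreadFix's own code or correlation algorithm), the Python below merges the three findings from the table above by keying each on a shared CWE identifier and a canonical code location; the finding-name taxonomy and the endpoint-to-source route map are assumptions constructed for the example.

```python
# Added illustration (not ThreadFix code): merge findings that different
# tools report for the same weakness at the same code location.
from collections import defaultdict
from dataclasses import dataclass

# Constructed taxonomy: each tool's own finding name mapped to a CWE id.
TAXONOMY = {
    "SQL Injection": "CWE-89",
    "Query Flaw": "CWE-89",
    "SQLi": "CWE-89",
    "XSS": "CWE-79",
}

# Assumed route map: which source location handles a DAST endpoint.
# In practice this would come from the application's routing table.
ROUTE_MAP = {"/api/users": "users.java:142"}


@dataclass(frozen=True)
class Finding:
    source: str    # tool that reported the finding
    kind: str      # "SAST" or "DAST"
    name: str      # the tool's own name for the weakness
    location: str  # file:line for SAST, URL path for DAST


def canonical_location(f: Finding) -> str:
    """Translate a DAST endpoint to the code location it maps to."""
    if f.kind == "DAST":
        return ROUTE_MAP.get(f.location, f.location)
    return f.location


def correlate(findings):
    """Group findings keyed by (CWE id, canonical location)."""
    groups = defaultdict(list)
    for f in findings:
        cwe = TAXONOMY.get(f.name, f.name)  # unmapped names stay separate
        groups[(cwe, canonical_location(f))].append(f)
    return dict(groups)


# Constructed sample: the three findings from the table above.
SAMPLE = [
    Finding("SAST Tool A", "SAST", "SQL Injection", "users.java:142"),
    Finding("SAST Tool B", "SAST", "Query Flaw", "users.java:142"),
    Finding("DAST Scanner", "DAST", "SQLi", "/api/users"),
]

if __name__ == "__main__":
    for (cwe, loc), items in correlate(SAMPLE).items():
        print(f"{cwe} at {loc} <- {[f.source for f in items]}")
```

A finding whose name is missing from the taxonomy, or whose endpoint has no route-map entry, is kept as its own group rather than silently merged.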

Trend Analytics

Track security posture over time:

  • New vs. closed vulnerabilities
  • Mean time to remediation
  • Team performance metrics
  • Compliance status

API Access

ThreadFix provides a comprehensive REST API:

```bash
# Example: list the vulnerabilities recorded for application ID 1
# (abc123 is a placeholder for the real ThreadFix API key)
curl -X GET "https://threadfix.example.com/rest/latest/applications/1/vulnerabilities" \
  -H "Authorization: APIKEY abc123"
```

Integration

ThreadFix integrates across the security and development lifecycle:

Category         Integrations
Scanning         SAST, DAST, SCA, threat modeling tools
Issue Tracking   Jira, Azure DevOps, Bugzilla, GitHub Issues
GRC              Compliance and risk management platforms
CI/CD            Jenkins, GitHub Actions, GitLab CI

CI/CD Example

```yaml
# GitHub Actions step: upload a scan result file to ThreadFix.
# THREADFIX_URL, APP_ID and API_KEY are expected to be provided as
# workflow environment variables or repository secrets.
# --fail makes curl exit non-zero on an HTTP error so the step fails
# instead of silently reporting success.
- name: Upload to ThreadFix
  run: |
    curl --fail -X POST "$THREADFIX_URL/rest/latest/applications/$APP_ID/upload" \
      -H "Authorization: APIKEY $API_KEY" \
      -F "file=@scan-results.xml"
```

When to Use ThreadFix

ThreadFix fits organizations with multiple security testing tools that need centralized vulnerability tracking, defect tracker integration, and remediation metrics.

The Kubernetes-based architecture handles high-volume environments efficiently.

Note: SaaS platform discontinued by Coalfire in 2025. Coalfire now focuses on Programmatic Application Security solutions including threat modeling and SAST/DAST services.

Frequently Asked Questions

What is ThreadFix?

ThreadFix is an application vulnerability management platform that aggregates findings from SAST, DAST, and SCA tools with risk-based prioritization and defect tracker integration.

Is ThreadFix still available?

ThreadFix’s SaaS platform was discontinued by Coalfire in 2025. Coalfire now focuses on Programmatic Application Security services.

What does ThreadFix do?

ThreadFix correlates vulnerability findings across multiple security tools, calculates risk scores, and syncs prioritized findings to issue trackers like Jira and Azure DevOps.

What tools does ThreadFix integrate with?

ThreadFix integrates with SAST tools (Fortify, Checkmarx, Veracode), DAST tools (Burp Suite, OWASP ZAP), SCA tools (Snyk, Black Duck), and issue trackers (Jira, GitHub Issues).