THE PMAP PLATFORM

Vulnerability Management Platform Capabilities Across the Full Lifecycle

PMAP brings multi-vendor scanning, correlation, triage, and remediation into one governed platform. Scanner results from every connected tool land in a single finding model, get deduplicated on ingest, and move through an enforced path to closure. Your teams work one source of truth instead of stitching together separate scanner consoles.

One platform, one finding model, no duplicate noise

PMAP is built as a multi-tenant platform across 48 backend domains, so scanning, asset inventory, analytics, automation, and access control share one consistent data model. Every downstream repository enforces the tenant boundary, which means a project-scoped grant never silently opens the owning company and data stays inside the engagement it belongs to.

The same vulnerability is never tracked twice. On ingestion, each inbound scanner result is matched against existing findings by scanner reference key first, then by SHA-1 fingerprint. Existing open findings are updated in place and previously closed findings are reopened with full status history preserved. Fingerprint matching is scanner-agnostic, so the same issue found by two different scanners on the same asset resolves to one finding.

Capabilities across the vulnerability lifecycle

  • Scan and ingest

    Multi-Vendor Scan Orchestration

    Launch, schedule, and import scans across infrastructure, DAST, SAST, and SCA tools from one place. Live status sync polls running vendor scans so the platform reflects vendor reality without manual refresh.

    • Remote scan controls to launch, pause, resume, and stop scans directly on the vendor
    • Cron scheduling and campaign mode that spawns one scan per selected integration
    • Orphan adoption that mirrors vendor-side scans into PMAP every five minutes
  • Correlate

    Correlation and Deduplication

    A pure ingestion engine answers one question for every scanner result: does this vulnerability already exist, or is it new? It then creates, updates, or reopens a single finding accordingly.

    • Four-case pipeline matching by scanner reference key, then SHA-1 fingerprint
    • Cross-scanner deduplication that collapses the same issue into one finding
    • Automatic reopen of previously closed findings with status history intact
  • Triage and remediate

    Vulnerability Lifecycle

    Every finding moves through a governed triage-to-closure pipeline. Status changes follow an enforced state machine, owners and SLA deadlines are assigned, and closure can require four-eyes approval.

    • Severity-based SLA deadlines with pause, resume, and escalation acknowledgement
    • Multi-assignee ownership across individual users and teams
    • Re-test cycle, structured evidence capture, and bulk status and assignment changes
  • Prove and report

    Reporting and Risk Analytics

    Turn raw finding data into live dashboards and shareable deliverables. Six report types generate as PDF, DOCX, or HTML from one shared pipeline, and risk scoring ranks assets, companies, and projects.

    • Configurable dashboards with KPI, severity, SLA, and risk widgets
    • Async report generation with versioning, scheduling, and email delivery
    • SHA-256 integrity hashing with a public QR verification endpoint
  • Integrate

    ITSM and CI/CD Integrations

    A connector hub spans 30 vendors across 9 categories. Create tickets on Jira, ServiceNow, or ManageEngine from findings, and gate pull requests when new critical or high findings appear.

    • Bidirectional ticket sync via background polling and inbound webhooks
    • PR security gate that posts a summary and blocks merges on threshold breach
    • Org-wide ticket workbench aggregating every ITSM-linked finding
  • Govern

    Multi-Tenancy and Access Control

    Custom roles, scoped grants, and tenant boundaries keep every engagement isolated. Permissions resolve at global, company, or project scope, and the platform defaults to deny when no access is granted.

    • Custom roles with a 10 entity by 6 action permission matrix
    • Holding and subsidiary company hierarchy with enforced tenant boundaries
    • TOTP MFA, session management, and time-bound access grants

How the platform works end to end

PMAP follows one narrative spine. Scanner data is ingested, correlated into single findings, triaged with ownership and SLA, then remediated through tickets, gates, and automation.

Ingest

Connect 30 vendors across vulnerability scanners, DAST, SAST, SCA, ITSM, CI/CD, and network discovery. Scans run on a schedule or launch on demand, and findings import through the correlation engine. PMAP never trusts vendor severity directly, so a configurable threshold filter and optional rule override apply on import.

Correlate

Each inbound result is checked against existing findings by scanner reference key, then by SHA-1 fingerprint across any status including closed. Matches update or reopen one finding and no-match results create a new one. Wave-visibility accounting tracks how often a finding recurs across scans.
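The matching order described here and in the Correlation and Deduplication capability above (scanner reference key first, then a scanner-agnostic fingerprint across every status, with create, update, or reopen as the outcome) is shown below as an added example. This is illustrative code written for this page, not PMAP's own engine; the result field names, the fields that feed the fingerprint, the status values, and the four case labels are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Added example: a minimal correlation engine with the matching order the page
# describes (scanner reference key first, then a scanner-agnostic SHA-1
# fingerprint, searched across any status including closed). Field names,
# fingerprint inputs and status values are assumptions, not PMAP's schema.


def fingerprint(asset: str, title: str, location: str) -> str:
    """Scanner-agnostic identity: normalise the fields, then SHA-1 them."""
    canonical = "|".join(p.strip().lower() for p in (asset, title, location))
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


@dataclass
class Finding:
    id: int
    fingerprint: str
    scanner_refs: set = field(default_factory=set)   # {(scanner, ref_key)}
    status: str = "open"
    history: list = field(default_factory=list)      # (event, source) pairs
    waves_seen: int = 0                               # recurrence accounting


class CorrelationEngine:
    def __init__(self) -> None:
        self.findings = []
        self._next_id = 1

    def _by_ref(self, scanner: str, ref: str):
        return next((f for f in self.findings if (scanner, ref) in f.scanner_refs), None)

    def _by_fingerprint(self, fp: str):
        # Deliberately searches every status so a closed finding can be reopened.
        return next((f for f in self.findings if f.fingerprint == fp), None)

    def close(self, finding: Finding, actor: str) -> None:
        finding.status = "closed"
        finding.history.append(("closed", actor))

    def ingest(self, result: dict):
        """Return (case, finding); case is new, ref_match, fingerprint_match or reopened."""
        ref = (result["scanner"], result["ref"])
        fp = fingerprint(result["asset"], result["title"], result["location"])

        match = self._by_ref(*ref)               # case 1: this scanner already reported it
        case = "ref_match"
        if match is None:
            match = self._by_fingerprint(fp)     # case 2: another scanner reported it
            case = "fingerprint_match"
        if match is None:                        # case 4: nothing known, create
            finding = Finding(self._next_id, fp, {ref}, "open", [("created", ref[0])], 1)
            self._next_id += 1
            self.findings.append(finding)
            return "new", finding

        match.scanner_refs.add(ref)              # remember this scanner's key as well
        match.waves_seen += 1
        if match.status == "closed":             # case 3: reopen, history preserved
            match.status = "open"
            match.history.append(("reopened", ref[0]))
            return "reopened", match
        match.history.append(("updated", ref[0]))  # cases 1 and 2: update in place
        return case, match


if __name__ == "__main__":
    # Constructed sample results: the same issue on one asset from two scanners.
    engine = CorrelationEngine()
    nessus = {"scanner": "nessus", "ref": "N-1", "asset": "web01",
              "title": "TLS 1.0 enabled", "location": "443/tcp"}
    qualys = {"scanner": "qualys", "ref": "Q-77", "asset": " WEB01",
              "title": "tls 1.0 Enabled", "location": "443/tcp"}
    for r in (nessus, nessus, qualys):
        print(engine.ingest(r)[0])
    engine.close(engine.findings[0], "analyst")
    print(engine.ingest(qualys)[0], len(engine.findings))
```

The fingerprint is a deduplication key, not an integrity control, so SHA-1 is not a weakness here; what decides whether two results collapse into one finding is the normalisation applied before hashing (which fields are included and how whitespace and case are treated), and that choice should be made deliberately per scanner.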

Triage

Findings follow an enforced status state machine, so invalid transitions are rejected at the API level. Each finding gets a severity-based SLA deadline and can be assigned to users and teams. Severity and status override rules apply automatically at ingest, so analyst queues surface prioritised items from the start.
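The enforced state machine, severity-based SLA deadlines with pause and resume, escalation acknowledgement, and four-eyes closure described here and in the Vulnerability Lifecycle capability above are shown together in the added example below. It is illustrative code for this page, not PMAP's implementation; the status names, the allowed transitions, and the SLA durations per severity are assumptions, since the page does not publish PMAP's own values.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example of an enforced status state machine with severity-based SLA
# deadlines. Status names, allowed transitions and SLA durations are assumed
# values for illustration; the page does not publish PMAP's own.

TRANSITIONS = {
    "new":            {"triaged", "false_positive"},
    "triaged":        {"in_progress", "risk_accepted"},
    "in_progress":    {"resolved"},
    "resolved":       {"closed", "in_progress"},   # failed re-test goes back to work
    "closed":         set(),                        # reopen happens via correlation, not by hand
    "false_positive": set(),
    "risk_accepted":  set(),
}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


class InvalidTransition(Exception):
    pass


class TrackedFinding:
    def __init__(self, severity: str, opened_at: datetime) -> None:
        self.severity = severity
        self.status = "new"
        self.deadline = opened_at + timedelta(days=SLA_DAYS[severity])
        self.paused_at: Optional[datetime] = None
        self.escalated = False
        self.acknowledged = False
        self.assignees: set = set()
        self.log: list = [("created", "system")]

    def transition(self, to: str, actor: str, approver: Optional[str] = None) -> str:
        """Reject anything not in the table; closure needs a second person."""
        if to not in TRANSITIONS[self.status]:
            raise InvalidTransition(f"{self.status} -> {to}")
        if to == "closed" and (approver is None or approver == actor):
            raise PermissionError("closure requires four-eyes approval")
        self.status = to
        self.log.append((to, actor))
        return self.status

    def pause_sla(self, now: datetime) -> None:
        if self.paused_at is None:
            self.paused_at = now

    def resume_sla(self, now: datetime) -> datetime:
        """Paused time does not count: push the deadline out by the pause length."""
        if self.paused_at is not None:
            self.deadline += now - self.paused_at
            self.paused_at = None
        return self.deadline

    def check_sla(self, now: datetime) -> str:
        """Evaluate the clock; an overdue finding stays escalated until acknowledged."""
        if self.paused_at is not None:
            return "paused"
        if now <= self.deadline:
            return "within_sla"
        self.escalated = True
        return "acknowledged" if self.acknowledged else "escalated"

    def acknowledge_escalation(self, actor: str) -> bool:
        if not self.escalated:
            return False                # nothing to acknowledge yet
        self.acknowledged = True
        self.log.append(("escalation_acknowledged", actor))
        return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    f = TrackedFinding("critical", t0)
    f.transition("triaged", "alice")
    f.transition("in_progress", "alice")
    f.pause_sla(t0 + timedelta(days=2))
    print(f.resume_sla(t0 + timedelta(days=4)))        # deadline moved by two days
    print(f.check_sla(t0 + timedelta(days=10)))        # escalated
```

Two details matter in practice: the transition table is the only place that decides legality, so an API layer that calls `transition` cannot skip a state, and the four-eyes rule compares actor and approver identities rather than trusting a flag in the request.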

Remediate

Create Jira, ServiceNow, or ManageEngine tickets from a single finding or a bulk selection, with status kept in sync via polling and webhooks. CI/CD pipelines can gate pull requests on new critical or high findings. Event-triggered runbooks automate response across a 22-action catalog when subscribed events match.

Frequently asked questions

Which scanners and tools does PMAP support?

PMAP integrates 30 vendors across 9 categories. Infrastructure scanners include Nessus, Tenable SC, Tenable IO, Qualys VMDR, Rapid7 InsightVM, and Nuclei. DAST covers Acunetix, Invicti, and Burp Suite Enterprise. SAST covers SonarQube, Checkmarx, and Fortify. SCA covers Snyk, Black Duck, and Sonatype Lifecycle. ITSM covers Jira, ServiceNow, and ManageEngine, with CI/CD support for GitHub, GitLab, Jenkins, Azure DevOps, Bamboo, and Bitbucket.

How does multi-tenancy work?

PMAP is multi-tenant by design. Companies can be organised into a holding and subsidiary hierarchy, and every downstream domain repository filters by the company set derived from the role-based access scope. A grant can be issued at global, company, or project scope, and a project-scoped grant does not implicitly open the owning company. An empty allowed-company set with no unrestricted flag is default-deny.
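The scope resolution described in this answer and in the Multi-Tenancy and Access Control capability above (global, company, or project grants; a project grant that does not open the owning company; an empty company set with no unrestricted flag meaning deny) is shown as an added example below. It is illustrative code for this page, not PMAP's repository layer; the grant shape, the way the hierarchy is stored, and the rule that a holding-level grant covers its subsidiaries are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example of role-scope resolution with a default-deny repository filter.
# The grant shape, the hierarchy representation and the assumption that a
# holding-level grant extends to subsidiaries are illustrative, not PMAP's model.


@dataclass(frozen=True)
class Grant:
    scope: str              # "global", "company" or "project"
    target: Optional[str]   # company id, project id, or None for global


class AccessScope:
    def __init__(self, parent_of: dict, project_owner: dict) -> None:
        self.parent_of = parent_of          # company -> holding company (or None)
        self.project_owner = project_owner  # project -> owning company

    def _subtree(self, company: str) -> set:
        """A company plus every subsidiary below it (assumed holding semantics)."""
        members = {company}
        while True:
            added = {c for c, p in self.parent_of.items() if p in members and c not in members}
            if not added:
                return members
            members |= added

    def resolve(self, grants: list) -> tuple:
        """Derive (unrestricted, allowed_companies, allowed_projects) from grants."""
        unrestricted = False
        companies: set = set()
        projects: set = set()
        for g in grants:
            if g.scope == "global":
                unrestricted = True
            elif g.scope == "company":
                companies |= self._subtree(g.target)
            elif g.scope == "project":
                projects.add(g.target)     # the owning company is deliberately NOT added
        return unrestricted, companies, projects

    def visible(self, findings: list, grants: list) -> list:
        """Repository-side filter over (finding_id, project) rows.

        No unrestricted flag and empty company and project sets means nothing
        is returned, whatever the rows contain: default-deny.
        """
        unrestricted, companies, projects = self.resolve(grants)
        if unrestricted:
            return [fid for fid, _ in findings]
        if not companies and not projects:
            return []
        return [
            fid for fid, project in findings
            if self.project_owner[project] in companies or project in projects
        ]


if __name__ == "__main__":
    # Constructed hierarchy: one holding with two subsidiaries, plus an unrelated company.
    scope = AccessScope(
        {"holding": None, "sub-a": "holding", "sub-b": "holding", "other": None},
        {"p0": "holding", "p1": "sub-a", "p3": "sub-a", "p2": "other"},
    )
    rows = [("F1", "p0"), ("F2", "p1"), ("F3", "p3"), ("F4", "p2")]
    print(scope.visible(rows, []))                        # [] (default-deny)
    print(scope.visible(rows, [Grant("project", "p1")]))  # ['F2'] only, not all of sub-a
    print(scope.visible(rows, [Grant("company", "holding")]))
```

The check worth keeping from this is the last one in `visible`: a project grant makes a caller's company set empty, so the only rows that pass are those whose project is explicitly granted, which is what keeps a project-scoped grant from silently opening the owning company.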

Is the reporting audit-ready?

Reporting is built for evidence. Every successful generation creates a timestamped version record, so prior versions stay downloadable, and each generated file carries a SHA-256 integrity hash that can be checked at a public verification endpoint without a PMAP account. The hash shows that the file in hand matches the version PMAP recorded; on its own it does not establish who produced the file. Security and activity events are written to immutable audit logs, and SLA escalations must be explicitly acknowledged, leaving a complete record of overdue handling.

See PMAP against your own scanners

Bring your vendor mix and watch ingest, correlation, triage, and remediation run on one platform. Our team will walk you through the capabilities that matter most to your environment.