The company behind PMAP

Built for the work after the scan. Owned end to end.

PMAP is an enterprise vulnerability management platform and multi-vendor scan orchestrator. We build it for security teams that need one inventory, one finding model and one audit trail across a holding company and its subsidiaries.

Why PMAP exists

The problem we built the company around

Most security teams do not lack scanners. They lack one place where every scanner result becomes a single deduplicated finding with an owner, an SLA and a history. Before PMAP, the same vulnerability was reconciled by hand across Nessus, Qualys, Rapid7 and a dozen other consoles, and the same issue could be tracked twice in two tools at once. We built the company to close that gap. The product keeps one finding model, one inventory and one audit trail across a holding company and its subsidiaries.

Vulnerability management is a long-cycle commitment. The platform a company picks today still has to make sense to an auditor, a regulator and a board three years from now. That is the bar we hold PMAP to.
Privia leadership

Where we come from

From scanner sprawl to one prioritized worklist

PMAP grew out of practical vulnerability management work inside Privia. The same pattern repeated on almost every engagement. Teams ran several scanners, the consoles disagreed on what was real, and someone spent days reconciling the same vulnerability across spreadsheets. There was no single place where a finding was created once, given an owner and tracked to verified closure. Closing that gap was the brief that became PMAP.

We started with multi-vendor scan orchestration and a correlation engine that deduplicates every result on the way in. The finding lifecycle, SLA workflows, the rule engine and the reporting layer followed, each shaped by teams running real programs across a holding company and its subsidiaries. We are still building it alongside them, and we measure progress by the next finding that closes faster.

PMAP dashboard consolidating multi-scanner results into one prioritized finding view

PMAP at a glance

The platform by the numbers

A few data points that describe the platform today. Capability figures are drawn from the product itself. Any business figure shown is illustrative until third-party verification is in place.

Vendor connectors

30

One connector hub spans VM, DAST, SAST, SCA, ITSM and CI/CD scanners, with vendor credentials encrypted at rest.

Connector categories

9

Scanners are grouped into nine categories so any tool a program runs lands in the same normalized finding model.

Product domains

48

The platform is a Go modular monolith with around 500 REST endpoints spread across forty-eight backend domains.

Holding plus subsidiaries

Multi-tenant

Scoped tenancy keeps each subsidiary separate while group-level views roll findings and risk up across the whole organization.

Trust and compliance

Compliance-aware by design

PMAP is built for environments where audit trails, access control and regional data residency matter from day one. We present our compliance posture transparently and separate what the platform enforces today from what is still in scope.

  • SOC 2 Type II: in progress
  • ISO 27001: controls aligned
  • GDPR ready · Regional data residency
  • Full audit trail · RBAC with four-eyes approval

We are hiring

Help build the platform security teams fix faster with

PMAP is hiring platform and backend engineers, product people and security practitioners. If you have lived the gap between a scan result and a verified fix, we want to hear from you.

Talk to PMAP

See who is on the other side of the platform

Buyers, analysts and reporters reach PMAP through the same page on purpose. Whether you are evaluating the platform for a security team or trying to understand who builds it, two doors open the same conversation. A PMAP engineer reads what you send, not an automated inbox.