The vulnerability management platform
Built to manage vulnerabilities at scale
PMAP unifies multi-vendor scanning, correlation, prioritization and remediation into one finding lifecycle. A holding company and its subsidiaries work from one inventory, one data model and one audit trail, so the same vulnerability is never tracked twice.
- 30+ scanner connectors
- 48 product domains
- 9 connector categories
Why PMAP
One finding, created once and tracked across every scan wave.
Stop reconciling the same vulnerability across Nessus, Qualys, Rapid7 and a dozen other consoles by hand. PMAP ingests every scanner into one model, deduplicates on the way in, and tracks each finding from first detection to verified closure. The same record carries its history, its SLA and its owner, whether it was surfaced by an infrastructure scan, a DAST crawl or a SAST pass.
From scanner output to closed finding
One pipeline that turns raw scanner output into resolved findings
Each scanner result enters PMAP once, gets correlated against what already exists, then moves through policy and SLA control until it is closed. One path from ingest to remediation, whatever scanner found it.
- Ingest: Pull results from 30 connectors over remote scan APIs, scheduled imports or file upload, across VM, DAST, SAST, SCA, network discovery and mobile.
- Correlate: Deduplicate every result against what already exists, then enrich it with CVE, CWE, CVSS and MITRE ATT&CK.
- Prioritize: Apply severity, ownership and SLA the moment a finding lands, with a four-eye gate on risky changes.
- Remediate: Drive each finding to its deadline and into Jira, ServiceNow or ManageEngine, then report it closed.
Any scanner connects. Every finding is correlated, governed and resolved on one shared inventory and a complete audit trail.
Capability depth
Five capability pillars, one vulnerability platform.
Each pillar is an investment area the PMAP team owns end-to-end, from scanner connectors and the correlation engine to projects, analytics and tenant governance.
Multi-vendor scan orchestration
Every scanner your program runs, on one schedule.
Launch, pause, resume and stop scans on Nessus, Tenable, Qualys, Rapid7 and your DAST vendors without leaving PMAP. A 30-second ticker keeps status, progress and per-severity counts in sync with vendor reality.
Orphan adoption sweeps every active integration every five minutes, so scans that exist on the vendor but not yet in PMAP are pulled in automatically and the Scans view stays a faithful mirror.
Group scans into named, time-boxed assessment runs with gap-free run numbers, then import Nmap, Masscan, Nuclei, SARIF and Nessus files for anything that lands offline.
Asset and attack surface
One inventory for every asset type, owned and grouped.
Track servers, cloud instances, web apps, repositories and IoT or SCADA devices in one multi-tenant inventory. Bulk-create up to 5,000 assets at a time, or import them straight from Nmap and Masscan output.
Attach users or teams as owners, then let static and dynamic groups organize the surface by tag, criticality, CIDR range or saved query. Owner resolution pre-fills the assignee the moment a finding lands.
Scanner enrichment merges ports, services and OS details under source-precedence rules and field-level locking, so curated values are never silently overwritten.
Assessment and engagement
Run pentest programs and remediation campaigns end to end.
Plan projects with scope, milestones and planned versus actual man-days. Pin assets, asset groups or attribute selectors to define exactly what each engagement covers.
Manage external consultancies from a shared firm directory with qualification tracking, then bind them to framework agreements where man-day usage is recalculated automatically.
Drive remediation campaigns with an enforced state machine, live closure metrics and assessment checklists for OWASP, PCI-DSS and your own methodology.
Risk analytics and reporting
Prove the state of risk to every stakeholder.
Dashboards roll findings, assets and SLA posture up across a holding company and its subsidiaries, with group-level views over the whole organization.
Build reports from templates, then deliver them as signed PDF or XLSX to the right recipients on a schedule. Findings export to CSV or XLSX for downstream audit evidence.
Wave timelines and run comparisons show new, persisting, resolved and reopened findings between scans, so progress is always measurable.
Identity, RBAC and multi-tenancy
A holding company and its subsidiaries on one governed platform.
Scoped tenancy keeps every subsidiary's data separate while group-level roles roll risk up across the organization. A granular role matrix controls who sees and changes what.
A four-eyes approval gate holds risk acceptance, false-positive and closure decisions until a second reviewer signs off, and self-review is blocked at the API.
LDAP, MFA, API keys and a complete audit trail back every action, ready for internal review or external attestation.
Four layers, one platform
The work splits into four layers so nothing gets re-keyed between scan and close.
PMAP runs as four connected layers (ingest, correlate, prioritize and remediate). A finding is created once, enriched once and tracked across every later scan wave, so the same record carries its history instead of being rebuilt at each step.
Ingest
Group scans into named, time-boxed assessment runs and let PMAP keep the inventory honest. Every active integration is swept every five minutes, vendor scans that exist remotely but not yet in PMAP are adopted automatically, and the raw vendor payload is archived for replay.
This layer includes:
- Assessment runs with gap-free sequential run numbers per project
- Orphan adoption sweep every five minutes, plus a delete blocklist that never re-adopts
- File import for Nmap XML, Masscan, Nuclei JSONL, SARIF 2.1 and Nessus XML
- Raw scanner payloads archived to MinIO for audit and replay
Correlate
A two-stage lookup decides whether each inbound result is new, an update or a reopen. The engine checks the scanner reference key first and a SHA-1 fingerprint second, and the fingerprint stage matches across any status so a closed finding is reopened with its history intact.
This layer includes:
- Scanner-ref match first, SHA-1 fingerprint second, in one atomic step
- Closed findings reopen in place and keep their full status history
- Recurrence counters record scans seen, reopen count and last wave timestamp
- Smart Match backfills CVE, CWE, CVSS and MITRE ATT&CK from the template library
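The two-stage lookup described above, as an added example that is not PMAP's own code: a scanner reference key is tried first, then a SHA-1 fingerprint that matches across any status, so a closed finding is reopened in place with its recurrence counters and history intact. The fingerprint fields, the status names and the class names are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Finding:
    scanner_ref: "str | None"   # vendor's own reference key, if it has one
    fingerprint: str            # SHA-1 over normalised identifying fields
    status: str                 # "open" or "closed"
    scans_seen: int = 1
    reopen_count: int = 0
    last_wave: int = 0
    history: list = field(default_factory=list)

def fingerprint(asset, port, plugin, title):
    # Normalise the identifying fields so casing and whitespace differences
    # between vendors do not defeat the cross-scanner match (assumed fields).
    key = "|".join([asset.strip().lower(), str(port),
                    plugin.strip().lower(), title.strip().lower()])
    return hashlib.sha1(key.encode()).hexdigest()

class Correlator:
    def __init__(self):
        self.by_ref = {}   # stage 1: scanner reference key -> Finding
        self.by_fp = {}    # stage 2: SHA-1 fingerprint -> Finding, any status

    def ingest(self, result, wave):
        # Returns ("new" | "update" | "reopen", finding) for one scanner result.
        fp = fingerprint(result["asset"], result["port"], result["plugin"], result["title"])
        ref = result.get("scanner_ref")
        existing = self.by_ref.get(ref) if ref else None
        if existing is None:
            existing = self.by_fp.get(fp)   # closed findings match here too
        if existing is None:
            f = Finding(ref, fp, "open", last_wave=wave, history=["open"])
            self.by_fp[fp] = f
            if ref:
                self.by_ref[ref] = f
            return "new", f
        existing.scans_seen += 1
        existing.last_wave = wave
        if existing.status == "closed":
            existing.status = "open"        # reopen in place, history intact
            existing.reopen_count += 1
            existing.history.append("reopened")
            return "reopen", existing
        return "update", existing

    def close(self, f):
        f.status = "closed"
        f.history.append("closed")
```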
Prioritize
Findings move only along permitted status transitions, and the API rejects invalid ones outright. Policy rules carry an optional expiry, an idempotent tag action and a recorded override message, so automated decisions stay auditable as new scans arrive.
This layer includes:
- Enforced status state machine with terminal states and valid-next surfacing
- 16 criteria operators including severity-ordinal comparison and regex match
- Dry-run preview against up to 500 findings before a rule is saved
- Rule revoke walks the audit log and restores each finding to its prior state
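The enforced status state machine described above, combined with the four-eyes gate on closure, risk-acceptance and false-positive decisions from the identity and RBAC section, as one added example that is not PMAP's own code. The status names, the transition table and the record layout are assumptions; the point is that invalid transitions are rejected outright, valid-next states are surfaced, terminal states have no exits, and a gated decision needs a second reviewer who is not the proposer.

```python
class TransitionError(ValueError):
    pass

# Permitted next states (assumed names); an empty set marks a terminal state.
TRANSITIONS = {
    "new":            {"triaged", "false_positive"},
    "triaged":        {"in_progress", "risk_accepted", "false_positive"},
    "in_progress":    {"fixed"},
    "fixed":          {"closed", "reopened"},   # closed only after a retest confirms the fix
    "reopened":       {"in_progress"},
    "risk_accepted":  {"reopened"},             # acceptance expired or the asset changed
    "closed":         set(),
    "false_positive": set(),
}
# Decisions that need a second reviewer before they take effect.
FOUR_EYES = {"closed", "risk_accepted", "false_positive"}

def valid_next(status):
    return sorted(TRANSITIONS[status])

def is_terminal(status):
    return not TRANSITIONS[status]

def transition(finding, new_status, actor, approver=None):
    """Apply a status change or raise TransitionError; every change is audited."""
    cur = finding["status"]
    if new_status not in TRANSITIONS[cur]:
        raise TransitionError(f"{cur} -> {new_status} not permitted; valid next: {valid_next(cur)}")
    if new_status in FOUR_EYES:
        if approver is None:
            raise TransitionError(f"{new_status} requires a second reviewer")
        if approver == actor:
            raise TransitionError("self-review is blocked")   # enforced here, not only in the UI
    finding["audit"].append({"from": cur, "to": new_status, "by": actor, "approved_by": approver})
    finding["status"] = new_status
    return finding
```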
Remediate
Owners are notified across up to five channels, and PMAP confirms the fix instead of trusting it closed. Analysts run a formal retest cycle, DAST findings can trigger an async vendor retest, and an SLA breach must be explicitly acknowledged for an auditable record.
This layer includes:
- In-app, email, webhook, Slack and Microsoft Teams delivery per recipient
- Analyst retest cycle plus async DAST vendor retest without leaving PMAP
- SLA pause and resume with tracked paused duration, breach acknowledged on record
- Inbound Jira, ServiceNow and ManageEngine webhooks update status in real time
Built for enterprise scale
PMAP by the numbers
Three data points that describe how PMAP unifies vulnerability management across scanners, one data model and multi-tenant governance.
PMAP imports from every scanner to the same normalized standard, in real time over API sync or on a schedule. Integrity is enforced across the pipeline, and multi-tenant isolation keeps every subsidiary's data separate.
30 vendor connectors and importers
One platform, every scanner your program runs
One platform unifies 30 vendor connectors across 9 categories, covering vulnerability scanners, DAST, SAST, SCA, ITSM and CI/CD. Results flow in over live API sync or scheduled imports, every finding is mapped to an asset and owner, and the correlation engine deduplicates across vendors.
Tenable, Qualys, Rapid7, DAST, SAST and SCA
48 product domains, one data model
Findings, assets, projects and reports in one model
PMAP spans 48 backend domains across finding lifecycle, assets, scanning, reporting, automation and tenancy, all on one normalized model. A finding moves from import to remediation without ever leaving the platform.
Findings, assets, projects, reports and runbooks
Multi-tenant
One platform for the whole group and every unit
A holding company and its subsidiaries share one platform with scoped data, a 10 by 6 role matrix, SLA thresholds and four-eye approvals. Group-level views roll findings and risk up across the entire organization.
RBAC, SLA, approvals, audit trail, LDAP and MFA
Figures describe the PMAP platform across integrations, data model and multi-tenant governance.
Resources
Guides, datasheets and playbooks for vulnerability teams.
Datasheet
Correlation and Deduplication Engine
Decide once, for every scanner result, whether a vulnerability is new, recurring, or returning, before a single finding is written,…
Guides
Configuring SLA Thresholds and Escalation
Set severity-based remediation deadlines in PMAP, layer company and project overrides through a strict four-level waterfall, route a three-level escalation…
E-book
Building a Multi-Tenant VM Practice
One platform, many tenants: how an MSSP runs vulnerability management across companies, teams, consulting firms, and framework agreements without a…
Connect and deliver
Plugs into the stack you already run.
PMAP pulls results from every scanner category into one correlated model, then pushes governed findings out to the ticketing, pipeline and reporting tools your teams already use.
Pulls from
- VM and infra: Nessus, Qualys, Rapid7, Tenable
- DAST, SAST, SCA: Acunetix, SonarQube, Snyk
- Discovery and cloud: Nmap, Masscan, Prisma, MobSF
Pushes to
- ITSM: Jira, ServiceNow, ManageEngine
- CI/CD: GitHub, GitLab, Jenkins gates
- Reports: signed PDF and XLSX delivery
Credentials encrypted at rest · Vendor severity never trusted · Raw payloads archived for replay
Our difference. Your outcomes.
Eight reasons teams standardize on PMAP.
One model, governed correlation and multi-tenant control: the platform decisions that compound across every scan wave.
- One unified finding model: Findings from Nessus, Qualys, Rapid7, Acunetix, SonarQube, Snyk and every other connector land in a single normalized model. No per-scanner silos, no spreadsheet reconciliation. (30 connectors, 1 model)
- Dedup that survives re-scans: Each result matches on scanner reference first, then a SHA-1 fingerprint across any status, so re-scans and cross-vendor overlaps never create duplicates and closed findings reopen in place.
- Any scanner, any category: VM, DAST, SAST, SCA, ITSM, CI/CD, container, mobile and network discovery, all behind one connector hub with credentials encrypted at rest.
- Four-eyes risk acceptance: Risk acceptance, false positive and closure can require a second reviewer before they take effect. Self-review is blocked both in the UI and at the API.
- SLA that proves itself: Severity-based deadlines with pause and resume, and a breach that must be acknowledged on record. Every status change lands in the audit trail.
- Rules and runbooks: Ordered AND/OR policy rules apply severity, status and owner the moment a finding lands. Event-triggered runbooks fire on finding, scan and SLA events.
- Fixes into the tools you run: Native Jira, ServiceNow and ManageEngine tickets with bidirectional status sync, plus a CI/CD security gate that can block a risky merge.
- Multi-tenant across the holding group: Every subsidiary runs as its own isolated tenant with scoped data and access, while group-level views roll findings and risk up across the entire organization under one role matrix and one audit trail. (One tenant · every subsidiary)
Related resources
Go deeper on the PMAP platform.
Guide
Wiring CI/CD Pipelines for Pipeline-Triggered Scans
Stand up a signed inbound webhook for one of six CI/CD vendors, fan pipeline events out to SAST and SCA scans, and gate pull requests with a threshold-driven commit-status check in PMAP, with every delivery signed and every event auditable.
Ebook
Vulnerability Management in DevSecOps
Wire the pipeline to the platform: how HMAC-verified webhooks, pipeline-triggered scans, and developer-facing evidence move vulnerability work left without slowing the developer down.
Datasheet
Vulnerability Finding Lifecycle
Drive every vulnerability from discovery to verified closure: governed, deduplicated, and auditable at enterprise scale.
Ready to manage every vulnerability on one platform?
See how an analyst drives a finding from scanner import to verified closure in a 30-minute walkthrough with a PMAP engineer.