Security & Privacy

Your Threat Model Is Sensitive Data

Here’s the paradox: threat models reveal your security vulnerabilities, making them highly sensitive documents. Traditional SaaS security tools ask you to upload your infrastructure configurations and threat assessments to their data centers—creating the exact risk you’re trying to mitigate.

We built ThreatMitigator differently.

ThreatMitigator runs entirely on your infrastructure. Your Terraform configurations, detected threats, and security assessments never leave your environment. We don’t operate data centers, we don’t collect telemetry, and we don’t require cloud connectivity.

Why This Matters

Threat models are attack playbooks - They document exactly where your weaknesses are. If a threat model is compromised, attackers have a complete roadmap of your vulnerabilities.

Configuration files contain secrets - Even with redaction, infrastructure patterns reveal architecture, dependencies, and potential attack vectors.

Compliance requirements - Many industries (finance, healthcare, government) prohibit sending infrastructure data to external services without extensive security reviews.

Zero trust, verified - You don’t have to trust us with your data because we never see it. Our tool runs locally, processes locally, and stores results locally.


Our Philosophy: Protect Data, Don’t Collect It

We’re in the business of helping you secure your infrastructure, not introducing new security risks. That’s why ThreatMitigator is built as a local-first CLI tool, not a cloud service.

What This Means for You

Install and run without internet connectivity - Core functionality works completely offline

No accounts, no authentication, no data uploads - No sign-up required, no user tracking

Threat models stored in your Git repository - Full version control, your infrastructure

Complete control over data residency - Complies with GDPR, SOC 2, and data sovereignty requirements

No vendor lock-in - Open formats (YAML, JSON, SARIF), export anywhere

Run in air-gapped environments - Perfect for high-security networks


Bring Your Own Model (BYOM) AI

When you choose to enable AI-powered remediation, ThreatMitigator uses your API keys with your chosen provider. This “Bring Your Own Model” approach ensures you maintain complete control over data and costs.

Choose Your Provider

OpenAI

  • Use your corporate OpenAI account
  • GPT-4o, GPT-4 Turbo, or GPT-3.5
  • Your API key, your billing, your control

Anthropic Claude

  • Direct API access with your keys
  • Claude Sonnet, Opus, or Haiku
  • Industry-leading reasoning for security analysis

Ollama (100% Local)

  • Run LLMs entirely on your infrastructure
  • LLaMA 3, Mistral, CodeLlama, or custom models
  • Zero external API calls, complete data isolation

What Gets Sent (When You Enable AI)

When you explicitly query a threat for AI-powered remediation:

What IS sent to your chosen LLM provider:

  • The specific threat details you’re querying
  • Relevant infrastructure context for that resource
  • Your explicit question or prompt

What is NEVER sent:

  • Your complete infrastructure configuration
  • Other unrelated threats or resources
  • Any data when AI features are disabled
  • Anything to ThreatMitigator servers (we don’t have any)

Example: Fully Local AI Analysis

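# Run Ollama locally; publish the API on loopback only
# (a bare "-p 11434:11434" listens on every host interface)
docker run -d --name ollama -p 127.0.0.1:11434:11434 ollama/ollama
docker exec ollama ollama pull llama3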

# Configure ThreatMitigator for local AI
export OLLAMA_HOST="http://localhost:11434"

# Query threats with 100% local processing
threatmitigator query T-001 --provider ollama --model llama3 "How do I fix this?"

No data ever leaves your network.


Data Protection by Design

Every architectural decision in ThreatMitigator prioritizes data protection:

Local Processing

HCL Parsing - Terraform configurations parsed on your machine using native Rust libraries

Rule Evaluation - All 90+ threat detection rules execute locally with zero network calls

Offline Operation - Core functionality works without internet connectivity

No Telemetry - We don’t collect usage statistics, error reports, or analytics

Secure Defaults

Restricted File Permissions - Report files created with 0600 permissions (read and write for the owner only)

$ ls -la threats.yaml
-rw------- 1 user user 4096 Dec 23 10:30 threats.yaml

Automatic Secret Redaction - Secrets, passwords, and API keys automatically redacted from output

Safe HCL Parsing - No code execution, no dynamic evaluation, read-only processing

Input Validation - Git URL validation, path traversal protection, sanitized inputs throughout

Version Control Integration

Git-Friendly Format - Threat models stored as YAML with clean diffs

Standard Workflow - Use pull requests to review threat model changes

No Proprietary Formats - Open standards: YAML, JSON, SARIF, Markdown

Full Audit Trail - Git history provides complete threat model timeline

Deploy Anywhere

Your Build Servers - Run on GitLab CI, Jenkins, or any CI/CD platform

Air-Gapped Environments - No internet required for core scanning functionality

On-Premise Installation - Full control over execution environment

Container Images - Docker images available for reproducible deployments

Kubernetes - Deploy as scanning pods in your cluster


Security Features

Threat Detection Without Exposure

Traditional security scanning often requires:

  • Uploading code to vendor SaaS platforms
  • Granting read access to your repositories
  • Sending secrets to external APIs
  • Trusting third-party infrastructure

ThreatMitigator requires:

  • Local installation only
  • Read-only access to your filesystem
  • No network access for core features
  • Complete data isolation

Compliance & Certifications

Data Residency - All processing happens in your environment, meeting strict data residency requirements

GDPR Compliant - No personal data collected, processed, or stored by ThreatMitigator

SOC 2 Compatible - Local-first architecture supports your SOC 2 compliance

Government Ready - Suitable for government agencies with data sovereignty requirements

FedRAMP Compatible - Can run in FedRAMP-authorized environments


Continuous Security Without Compromise

CI/CD Integration

Integrate security scanning into your development workflow without exposing data:

# CI/CD example
- name: Scan Infrastructure
  run: threatmitigator scan ./terraform --format sarif

# Everything runs on your CI/CD runner
# No data sent to external services
# Results stay in your environment

Results Stay in Your Environment

  • Code Scanning Integration - SARIF format compatible with industry-standard tools
  • GitLab Security Reports - Results in GitLab Security Dashboard (your GitLab)
  • Jenkins - Artifacts stored in Jenkins workspace (your server)
  • Local Reports - JSON/YAML/Markdown files in your repository

Optional Cloud Features

When you opt in to AI features, you control the data flow:

Configuration Example

# .threatmitigator.toml
[llm]
provider = "anthropic"  # or "openai" or "ollama"
model = "claude-sonnet-4-20250514"

# Optional: Use local Ollama instead
[llm.ollama]
host = "http://localhost:11434"

Environment Variables

# Only set when you want AI features
export ANTHROPIC_API_KEY="sk-ant-..."  # Your key, your account

# Or use local Ollama (no external calls)
export OLLAMA_HOST="http://localhost:11434"

AI features are disabled by default. You explicitly opt in and control the provider.


Transparency & Trust

Transparent Architecture

ThreatMitigator’s architecture is designed for transparency and trust:

  • Enterprise customers can request comprehensive security documentation
  • Architecture reviews available under NDA
  • Verify no data exfiltration through network monitoring
  • Security audits available for enterprise deployments
  • Complete data isolation guarantees

Contact sales@threatmitigator.app for security documentation and audit reports.

No Hidden Network Calls

Audit network activity yourself:

# Monitor network calls while scanning
sudo tcpdump -i any -n host <your-ip> &
threatmitigator scan ./terraform

# Result: Zero network traffic for core scanning
# The only network calls occur when YOU enable AI features
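
A host-wide packet capture sees every process on the machine, so it cannot attribute traffic to the scanner alone. As an added example (not ThreatMitigator's own code), the script below reads an strace log of the scan process and lists every non-loopback connect() attempt; the function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not ThreatMitigator code. Capture a per-process log with:
#   strace -f -e trace=network -o scan.strace threatmitigator scan ./terraform
# then run:  external_connects < scan.strace
# Scope: connect() attempts only (TCP, and UDP sockets that call connect());
# unconnected sendto() is not covered.

# Print unique "address port" pairs for each connect() attempt to a
# non-loopback IPv4/IPv6 destination in the strace log read from stdin.
external_connects() {
    grep -E 'connect\(.*sa_family=AF_INET6?,' |
    sed -E 's/.*htons\(([0-9]+)\).*"([0-9A-Fa-f:.]+)".*/\2 \1/' |
    grep -Ev '^(127\.|::1 |::ffff:127\.)' |
    LC_ALL=C sort -u
}

# Succeed only when the traced run attempted no external connection.
made_no_external_connects() {
    [ -z "$(external_connects)" ]
}

# Constructed log: a UNIX-socket lookup plus a loopback Ollama endpoint.
sample_local_run() {
    cat <<'EOF'
4242 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
4242 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4242 connect(5, {sa_family=AF_INET, sin_port=htons(11434), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
EOF
}

# Constructed log: port 53 and 443 connections to documentation-range addresses.
sample_remote_run() {
    cat <<'EOF'
4243 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
4243 connect(5, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::10", &sin6_addr), sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
4243 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
EOF
}

echo "local run:";  sample_local_run  | external_connects
echo "remote run:"; sample_remote_run | external_connects
```

In CI, `made_no_external_connects < scan.strace` can gate the job so that a scan which starts reaching out fails the build; failed and in-progress connection attempts count as well as successful ones.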

Questions?

Is my infrastructure data secure?

Yes. ThreatMitigator processes everything locally. Your infrastructure configurations, threat models, and security assessments never leave your environment unless you explicitly enable AI features with your own API keys.

Can ThreatMitigator access my secrets?

ThreatMitigator reads Terraform files but automatically redacts secrets from output. The tool has no capability to transmit data externally in its core functionality.

Do you collect any telemetry?

No. ThreatMitigator does not collect telemetry, usage statistics, error reports, or any other data about your usage.

Can I use ThreatMitigator in an air-gapped environment?

Yes. Core threat detection works completely offline. Only AI features (optional) require internet connectivity to your chosen LLM provider.

How do I verify no data is being sent?

Use network monitoring tools or run in an air-gapped environment. ThreatMitigator’s architecture is designed to be verifiable. Enterprise customers can request security documentation and architecture reviews.


Enterprise Security

Need additional security features?

  • Private rule repositories - Host custom rules on your infrastructure
  • On-premise deployment - Complete control over execution environment
  • Security reviews - Support for your security team’s evaluation process
  • Custom security controls - Tailored to your requirements
