Core Engine

Rego Policy Engine

Industry-standard Rego policy language from Open Policy Agent, powered by Microsoft's Regorus runtime in Rust. Write custom policies without recompiling.

Industry Standard

Portable, well-documented policy language used across the cloud-native ecosystem with Open Policy Agent.

Expressive & Declarative

Write complex security rules in a declarative style with full Rego language support.

Fast Parallel Evaluation

4x the performance of the legacy YAML engine, with parallel evaluation powered by Rayon.

Fully Extensible

Add custom policies without recompiling the tool. Merge or replace built-in policies.

Why Rego?

The core detection engine uses Rego, the policy language from Open Policy Agent (OPA), powered by Microsoft’s Regorus runtime in Rust.

  • Industry standard - Portable, well-documented policy language used across the cloud-native ecosystem
  • Expressive - Write complex security rules in a declarative style
  • Fast - Parallel evaluation delivers 4x performance over the legacy YAML engine
  • Extensible - Add custom policies without recompiling the tool

Custom Policies

Load your own Rego policies to enforce organization-specific security standards:

# Merge custom policies with built-in ones
threatmitigator scan terraform ./infra --custom-policy ./policies/

# Replace built-in policies entirely
threatmitigator scan terraform ./infra --custom-policy ./policies/ --policy-mode replace

Custom policies follow the same structure as built-in ones and have access to helper libraries for Terraform resource matching, AWS-specific patterns, and remediation guidance templates.

Built-in Helper Libraries

ThreatMitigator ships with helper libraries to simplify policy authoring:

  • Terraform resource matchers and attribute checkers - Match resources by type and check configuration attributes
  • AWS-specific helpers - S3 bucket analysis, IAM policy evaluation, networking checks
  • Custom Regorus extensions - net.cidr_contains(), net.cidr_intersects(), time operations
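The following is an added example of a custom policy of the kind the "Custom Policies" section describes, written for this page and not taken from ThreatMitigator's built-in policy set. It deliberately uses only standard Rego and the net.cidr_contains() built-in named above, because the page does not document the helper libraries' function names or the exact input document the tool hands to policies. The package name, the input shape (a "resources" array of objects with "type", "name" and "values"), the "deny" entry rule and the finding fields are all assumptions; adapt them to the structure of the built-in policies once you have inspected one.

```rego
# Added example custom policy. Not one of ThreatMitigator's built-in policies;
# it does not use the tool's helper libraries. The package name, the input
# shape, the "deny" entry rule and the finding fields are assumptions.
#
# Assumed input (constructed for illustration):
# {"resources": [
#   {"type": "aws_security_group", "name": "web",
#    "values": {"ingress": [{"from_port": 22, "to_port": 22,
#                            "cidr_blocks": ["0.0.0.0/0"]}]}},
#   {"type": "aws_s3_bucket", "name": "logs", "values": {"acl": "public-read"}}
# ]}
package custom.network

# Constructed allow-list of address ranges treated as internal (assumption).
trusted_cidrs := {"10.0.0.0/8", "192.168.0.0/16"}

# A CIDR is trusted when some allow-listed range fully contains it.
# net.cidr_contains(range, candidate) is the built-in listed on this page.
cidr_is_trusted(cidr) {
    trusted_cidrs[range]
    net.cidr_contains(range, cidr)
}

# Platform-specific resource matching: only security groups are examined here.
security_groups[resource] {
    resource := input.resources[_]
    resource.type == "aws_security_group"
}

# One finding per ingress CIDR that falls outside the trusted ranges.
deny[finding] {
    resource := security_groups[_]
    rule := resource.values.ingress[_]
    cidr := rule.cidr_blocks[_]
    not cidr_is_trusted(cidr)
    finding := {
        "policy": "custom-sg-untrusted-ingress",
        "category": "Information Disclosure",  # one of the six STRIDE categories
        "severity": "HIGH",
        "resource": resource.name,
        "description": sprintf("aws_security_group %v allows ingress from %v on ports %v-%v", [resource.name, cidr, rule.from_port, rule.to_port]),
        "remediation": "Limit cidr_blocks to internal ranges or a bastion/VPN egress address.",
    }
}

# A plain attribute check on a second resource type: publicly readable buckets.
deny[finding] {
    resource := input.resources[_]
    resource.type == "aws_s3_bucket"
    resource.values.acl == "public-read"
    finding := {
        "policy": "custom-s3-public-acl",
        "category": "Information Disclosure",
        "severity": "HIGH",
        "resource": resource.name,
        "description": sprintf("aws_s3_bucket %v has acl = public-read", [resource.name]),
        "remediation": "Set acl to private and serve public content through a CDN or bucket policy with explicit scope.",
    }
}
```

Against the constructed input above, the deny set holds two findings: one for the security group (0.0.0.0/0 is not contained in either trusted range) and one for the bucket. Saved under ./policies/, a file like this is what the --custom-policy flag shown earlier would load; whether the tool collects results from a rule named deny or from another entry point is not stated on this page, so check a built-in policy before relying on that name.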

90+ Built-in Policies

ThreatMitigator ships with 90+ policies covering all six STRIDE categories across multiple cloud providers. Each policy includes:

  • Threat category classification
  • Severity rating
  • Detailed description
  • Remediation guidance
  • Platform-specific resource matching

All built-in policies can be inspected, overridden, or extended with custom policies.

See it in action

Write and evaluate security policies using the industry-standard Rego language with blazing-fast Rust execution.


Ready to Secure Your Infrastructure?

Join teams already using ThreatMitigator to identify security threats in their Terraform, CloudFormation, Docker, and Helm configurations.