July 9, 2026
Building ThreatMap: Redefining Security Scanning with Local AI Triage
In the fast-paced landscape of cybersecurity, running security scans is only half the battle. The real bottleneck lies in triage —…

By Nitindahiya
1 min read
In the fast-paced landscape of cybersecurity, running security scans is only half the battle. The real bottleneck lies in triage — filtering out the noise, gathering contextual evidence, and spinning up actionable reports before a vulnerability can be exploited.
To bridge this gap, I've been working on a project called ThreatMap. It is an open-source, CLI-driven security scanning ecosystem designed to streamline everything from automated evidence collection to AI-powered vulnerability triaging, all completely locally.
Inside ThreatMap: Architecture & Core Features
ThreatMap isn't just a wrapper for existing scanners; it's modularized into dedicated components to make scanning and reporting as seamless as possible:
- The Scanner Core (
/core): Orchestrates the heavy lifting. It manages dynamic environment checks, coordinates scan runners, tracks multi-stage logging, and employs an explicit evidence collector to pull the deterministic technical proof needed for validation. - Local AI Triage & Reporting (
/ai): The component I am most excited about. Instead of sending sensitive internal scan logs to third-party APIs, ThreatMap features a setup framework for local Small Language Models (SLMs). It uses offline AI to perform automatic threat triage and generate comprehensive, context-aware remediation reports. - Interactive CLI Framework (
/cli): Features a robust, menu-driven command-line environment protected by an authorization gate to make operating the scanner intuitive but secure. - Persistent Storage (
/db): Driven by an internal database manager to securely log scan histories, verify vulnerability status changes over time, and prevent duplicative analysis.
How ThreatMap Approaches the Problem
Most security tools overwhelm analysts with continuous text files and unprioritized severities. ThreatMap changes this narrative through a systematic workflow:
- Verify: It checks the localized host environment to ensure it has the appropriate dependencies and permissions to execute safely.
- Collect: It runs the targeted scans and isolates specific data points as concrete evidence.
- Triage: The offline SLM parses the structural scan results to evaluate real-world severity and likelihood.
- Report: It compiles an intuitive technical report complete with categorized security insights and mitigation suggestions.
Try It Out & Let's Collaborate!
ThreatMap is built out of a passion for making security testing faster, more private, and highly accessible via terminal-driven automation. The core infrastructure is live, stable, and ready to deploy via a simple shell install script.
I'm putting a call to action out to the community:
Go clone the repository, run some local test scans, set up the SLM engine, and break things! See how the evidence collection behaves against your environments and check out the quality of the AI-triaged outputs.
Open for Collaboration
This is only the beginning of what ThreatMap can do. If you're a security engineer, software developer, or an AI/LLM enthusiast who wants to take this tool further, I am completely open to working together.
Whether it's adding new target scanning plugins, optimizing local model weights for better triage precision, or refining the core engine, let's build something impactful together. Check out the codebase, spin up an issue or PR, or reach out to me directly to chat about the roadmap!
Let's build a smarter, privacy-first mapping of our security frontiers.