Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

ASTAM Correlator

The ASTAM Correlator is a vulnerability consolidation and management tool for web applications, capable of correlating and merging different Static and Dynamic scans indicating the same vulnerability. This improves scan results by combining findings that are symptoms of the same weakness, providing:

  • More information on a vulnerability as a whole
  • Reduced duplicate vulnerabilities from multiple SAST/DAST scans

Supported Web Frameworks

The following frameworks are supported by the Correlator route detection process:

  • ASP.NET MVC / Web API / Core / Web Forms
  • Struts
  • Django
  • Ruby on Rails
  • Spring MVC
  • JSP

Referencing the Endpoint Detection HAM Module

The ASTAM Correlator HAM module for endpoint detection has been published to Maven. You can add it as a dependency by adding this to your pom.xml:



Instructions for the usage and installation of the ASTAM Correlator can be found in this project's Wiki.


This project is a modification of Denim Group's software ThreadFix, Community Edition, which provides the Hybrid Analysis Mapping (HAM) that runs the correlation. A collaboration between Denim Group Ltd., and Secure Decisions, a division of Applied Visions Inc., has improved upon the open-source ThreadFix tool with a focused interface and improved HAM capabilities.

The original ThreadFix project can be found here:

This material is based on research sponsored by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) via contract number HHSP233201600058C.


Vulnerability consolidation and management tool, enhances scan results by merging different findings of the same weakness across multiple static/dynamic scans








No packages published