# Known Limitations
This page documents what ThreatWeaver does not do today. Sales teams must know these boundaries to set accurate customer expectations. Overpromising creates churn; honest scoping creates trust.
## AppSec Scanner

### What It Does Not Do

| Limitation | Detail | What to Tell the Customer |
|---|---|---|
| No SAST (static analysis) | ThreatWeaver is a DAST platform. It tests running applications, not source code. | "We test your live application the way an attacker would. For source code analysis, we recommend pairing us with a SAST tool like Checkmarx or Semgrep. SAST integration is on our roadmap." |
| No mobile app testing | The scanner tests web applications and APIs only. It does not test iOS or Android native applications. | "We can test the API backends that mobile apps connect to, but not the mobile client itself. Mobile app pentesting is planned for Q1 2027." |
| No infrastructure pentesting | The distributed scan sensor provides lightweight network scanning (port detection, banner analysis). It is not a full network penetration testing tool. | "Our scan sensors provide network visibility, but for full internal network pentesting -- Active Directory attacks, lateral movement, credential harvesting -- you would need a product like Pentera or NodeZero. We complement those tools by covering the web/API layer." |
| No real-time OSINT automation | Phase 0 collects intelligence through guided user input. It does not perform automated Shodan lookups, breach database queries, or passive DNS reconnaissance. | "Our pre-scan intelligence phase helps you provide context about the target. Automated external reconnaissance from third-party sources is on our roadmap." |
| DOM XSS requires Playwright | Full DOM-based XSS detection requires Playwright to be installed in the deployment environment. Without it, the DOM XSS agent provides limited coverage. | "DOM XSS detection is available and works best with full browser rendering enabled. We will confirm your deployment includes this capability." |
| External tool dependencies | Some agents (Dalfox, SQLMap, Nuclei) wrap external CLI tools. If these are not installed, those specific validation steps are skipped. Core detection still works. | No need to mention unless asked. The core scanner works without external tools; these provide supplementary confirmation. |
| No published GitHub Action | CI/CD integration uses API endpoints. There is no published GitHub Action on the marketplace. | "We have CI/CD API endpoints that work with GitHub Actions, GitLab CI, and Jenkins. A pre-built GitHub Action is coming soon." |
| Limited exploit chain rules | The chain replay engine currently supports two chain types (SQLi to IDOR, and Info Disclosure to Auth Bypass). More chains are being added. | "We detect and link related vulnerabilities into exploit chains. The chain library is growing with each release." |
| Scan duration | Complex applications with hundreds of endpoints can take 30--90 minutes for a full assessment. | "Full assessments take longer than quick scans because we test business logic, authorization, and multi-step workflows -- things that fast scanners skip." |

### Roadmap Items

| Item | Timeline | Status |
|---|---|---|
| SAST Integration | Q3 2026 | Planned |
| Infrastructure Pentesting (agents) | Q3 2026 | Planned |
| Published GitHub Action | Q2 2026 | In progress |
| CLI tool for developer self-service | Q2 2026 | Planned |
| Mobile App Pentesting | Q1 2027 | Planned |
| Automated OSINT (Shodan, breach DBs) | Not scheduled | Under consideration |
| PR comment injection | Q2 2026 | Planned |

## Exposure Management

### What It Does Not Do

| Limitation | Detail | What to Tell the Customer |
|---|---|---|
| Tenable.io dependency | The Exposure Management module syncs data from Tenable.io. It does not run its own infrastructure vulnerability scans. Customers need a Tenable.io subscription. | "We integrate with your existing Tenable.io deployment to add risk prioritization, remediation tracking, and AI-powered analysis on top. We enhance Tenable -- we do not replace the scanner itself." |
| No EASM (External Attack Surface Management) | ThreatWeaver does not automatically discover internet-facing assets, subdomains, or shadow IT. | "External attack surface discovery is on our roadmap for Q3 2026. Today, you can manually add targets or sync from Tenable.io." |
| No SBOM tracking | Software Bill of Materials tracking with drift detection and dependency vulnerability correlation is not yet available. | "SBOM and supply chain tracking is planned for Q3 2026." |
| No threat intelligence feeds | ThreatWeaver does not ingest third-party threat intelligence (MITRE ATT&CK, AlienVault OTX, GreyNoise). | "Threat intelligence feed integration is planned for late 2026." |

### Roadmap Items

| Item | Timeline | Status |
|---|---|---|
| EASM (External Attack Surface Management) | Q3 2026 | Planned |
| SBOM and Supply Chain | Q3 2026 | Planned |
| Threat Intelligence Feeds | Q4 2026 -- Q1 2027 | Planned |
| Additional scanner integrations (beyond Tenable) | Not scheduled | Under consideration |

## Cloud Security

### What It Does Not Do

| Limitation | Detail | What to Tell the Customer |
|---|---|---|
| Module in active development | Cloud Security is functional but still being built out. Some features may be limited compared to dedicated CSPM tools. | "Our Cloud Security module provides CSPM across AWS, Azure, and GCP with CIS benchmark scoring. We are actively expanding coverage with each release." |
| No runtime protection | ThreatWeaver detects misconfigurations but does not provide runtime protection, WAF, or workload protection. | "We identify cloud misconfigurations and compliance gaps. For runtime protection, you would pair us with a CWPP tool." |
| No Kubernetes-native scanning | Container inventory tracking is available. Kubernetes-specific security testing (pod security, network policies, RBAC) is limited. | "We track container vulnerabilities and inventory. Deep Kubernetes security analysis is being expanded." |

### Roadmap Items

| Item | Timeline | Status |
|---|---|---|
| Enhanced container security | Q2 2026 | In progress |
| Kubernetes security policies | Q3 2026 | Planned |
| Cloud workload protection | Not scheduled | Under consideration |

## Identity Security

### What It Does Not Do

| Limitation | Detail | What to Tell the Customer |
|---|---|---|
| Module in active development | Identity Security is functional for AD and Entra ID. Okta and Google Workspace connectors are not yet complete. | "We support Active Directory and Entra ID today with attack path analysis. Okta and Google Workspace connectors are coming in Q3 2026." |
| No real-time identity monitoring | Identity risk is assessed on a sync schedule, not in real time. | "We assess identity risk on a configurable schedule. Real-time monitoring integration with SIEM is planned." |
| No automated remediation | ThreatWeaver identifies identity risks but does not automatically remediate them (e.g., disabling stale accounts). | "We identify the risks and provide recommendations. Remediation actions are performed by your team through your identity provider." |

### Roadmap Items

| Item | Timeline | Status |
|---|---|---|
| Okta connector | Q3 2026 | Planned |
| Google Workspace connector | Q3 2026 | Planned |
| Real-time identity event monitoring | Q4 2026 | Planned |
| Autonomous remediation | Q4 2026 -- Q1 2027 | Planned |

## AI Labs

### What It Does Not Do

| Limitation | Detail | What to Tell the Customer |
|---|---|---|
| Requires AI provider configuration | AI features require an API key for Claude (Anthropic) or GPT (OpenAI). The customer or their ThreatWeaver instance must have a configured AI provider. | "AI features work with Claude or GPT. Your ThreatWeaver instance comes pre-configured, or you can bring your own API key for data residency control." |
| No auto-remediation | AI Labs generates fix plans and tickets, but does not automatically apply code changes or configuration fixes. | "Our AI generates detailed fix plans with code examples, but a developer reviews and applies the changes. Autonomous remediation is on our roadmap." |
| AI cost per query | Each AI operation consumes tokens from the configured LLM provider. High-volume usage may incur measurable API costs. | "AI features are included in your license. There may be usage-based AI provider costs depending on your query volume -- we provide cost tracking in the admin panel." |

### Roadmap Items

| Item | Timeline | Status |
|---|---|---|
| Autonomous remediation | Q4 2026 -- Q1 2027 | Planned |
| Local/on-premises LLM support | Q3 2026 | Planned |
| AI Security module (AI model governance) | Q2 2026 | In progress |

## Platform-Level Limitations

| Limitation | Detail | What to Tell the Customer |
|---|---|---|
| No FedRAMP certification | ThreatWeaver is not FedRAMP authorized. Government agencies with FedRAMP requirements cannot use the SaaS deployment. | "We do not have FedRAMP certification today. For government customers, we offer on-premises deployment where you control the infrastructure and data. FedRAMP certification is being evaluated." |
| No SOC 2 Type II certification (platform) | The ThreatWeaver platform itself is not yet SOC 2 Type II certified, though it helps customers achieve their own SOC 2 compliance. | "Our platform generates SOC 2-mapped reports for your compliance program. Our own SOC 2 Type II certification is in progress." |
| No offline/air-gapped deployment | The SaaS deployment requires internet connectivity. On-premises deployment requires outbound internet for AI features and license validation. | "On-premises deployment keeps all scan data in your environment. The only outbound connections are for AI provider APIs (optional) and license validation." |
| Test suite limitations | The automated test suite has some platform-specific build issues on certain architectures. | Not customer-facing. Internal awareness only. |
| Redis optional | Redis caching is used in production but the platform degrades gracefully without it. | Not customer-facing. This is a deployment consideration. |

## How to Use This Page

- Before a demo: Review the limitations relevant to the prospect's use case
- During a call: If a prospect asks about a capability we do not have, be honest and reference the roadmap timeline
- In proposals: Do not include features listed as "Not scheduled" or "Under consideration" as upcoming capabilities
- For RFPs: Use the "What to Tell the Customer" column for honest, professional responses