Map application identities
Detect and map application identities across your deployment
Threatmatic continuously detects and maps application identities across your environment as part of its Island Identity Awareness engine. This gives the control plane the information it needs to verify traffic on both the user and application axes before allowing any flow.
How application identity mapping works
When the Threatmatic agent is active on an endpoint, it observes all processes and network activity. It identifies applications by their cryptographic signature, executable path, and network behavior — building a live map of what is running where and what it is communicating with.
This map is used to:
- Enforce application-level Zero Trust policies
- Detect unexpected or unsigned applications
- Power the "observe, verify and allow" enforcement model
Steps
Review discovered applications
- Go to Devices → Applications
- Threatmatic will have already begun discovering applications on enrolled endpoints
- Each entry shows the application name, version, signing status, and communication patterns
Verify application signatures
Applications are classified as:
| Status | Meaning |
|---|---|
| Verified | Signed by a trusted publisher |
| Unverified | Unsigned or unknown publisher |
| Blocked | Explicitly denied by policy |
Create application identity labels
Labels allow you to reference applications in policies without hardcoding paths or hashes.
- Go to Devices → Applications
- Select an application
- Click Create Label
- Enter a name (e.g. slack, custom-erp, zoom)
- Click Save
Use labels in policies
Application identity labels can now be used as a target in any policy rule. See Create your first policy for details.
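The following is an added illustration, not Threatmatic code: a small model of why a label bound to a publisher identity keeps matching across application versions (new path, new hash) while an unsigned look-alike at the same path does not. The publisher lists, label table and observed applications are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: publisher trust lists an administrator would maintain.
TRUSTED_PUBLISHERS = {"Slack Technologies", "Zoom Video Communications"}
BLOCKED_PUBLISHERS = {"Unknown Tools Ltd"}  # explicitly denied by policy

# Hypothetical label table: a label binds to (publisher, product), never to a path or hash.
LABELS = {
    "slack": ("Slack Technologies", "Slack"),
    "zoom": ("Zoom Video Communications", "Zoom"),
}

@dataclass(frozen=True)
class ObservedApp:
    """What an agent observes for one running process (constructed fields)."""
    name: str
    version: str
    path: str
    publisher: Optional[str]  # None means the binary is unsigned
    sha256: str               # constructed placeholder digest, not a real hash

def classify(app: ObservedApp) -> str:
    """Map an observed application to the Verified / Unverified / Blocked statuses."""
    if app.publisher in BLOCKED_PUBLISHERS:
        return "Blocked"
    if app.publisher in TRUSTED_PUBLISHERS:
        return "Verified"
    return "Unverified"

def matches_label(app: ObservedApp, label: str) -> bool:
    """A label matches only a Verified binary from the bound publisher and product."""
    publisher, product = LABELS[label]
    return (classify(app) == "Verified"
            and app.publisher == publisher
            and app.name == product)

def evaluate_flow(app: ObservedApp, allowed_labels: set) -> str:
    """Observe, verify and allow: permit the flow only if the process maps to an allowed label."""
    if classify(app) == "Blocked":
        return "deny"
    return "allow" if any(matches_label(app, lbl) for lbl in allowed_labels) else "deny"

# Constructed observations: two Slack versions (different path and hash), an unsigned
# look-alike at the old path, and a binary from an explicitly blocked publisher.
SLACK_OLD = ObservedApp("Slack", "4.35.126", "/opt/slack/4.35/slack", "Slack Technologies", "sha256:placeholder-a")
SLACK_NEW = ObservedApp("Slack", "4.36.140", "/opt/slack/4.36/slack", "Slack Technologies", "sha256:placeholder-b")
FAKE_SLACK = ObservedApp("Slack", "4.35.126", "/opt/slack/4.35/slack", None, "sha256:placeholder-c")
BLOCKED_TOOL = ObservedApp("erp-helper", "1.0", "/usr/local/bin/erp-helper", "Unknown Tools Ltd", "sha256:placeholder-d")
```

A policy rule written against the `slack` label allows both Slack versions without any edit when the hash changes, while a path-or-hash rule would have needed updating and would still have matched the unsigned look-alike at the old path.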
Threatmatic is operational and mapping identities before IAM systems are required — there is no gap in coverage during startup or failover.