One feed. Every threat.


How it works

From scrape to summary, in four steps.

What happens between a vendor advisory dropping and your analyst seeing it.

13,000+ sources, curated.

Vendor advisories, government CERTs, researcher blogs, national newspapers, dark-web leak sites, social platforms, and vulnerability databases. We monitor the whole open-source intelligence surface so your analyst doesn't have to.

Every source is graded. New ones are vetted before they join the feed. Dead ones drop out. The list is curated, not auto-scraped from a list of RSS endpoints someone hasn't touched since 2019.


Thirty articles. One incident. One cluster.

The same incident gets written about by thirty outlets, each with a slightly different angle. Density-based semantic clustering groups them into a single record so you read the story once, not thirty times.

On a cluster page you get a sourced timeline, an AI-generated summary and recommendations, the attack flow mapped to MITRE ATT&CK, the IOCs ready to export, every source article listed inline, and Ask AI grounded in the cluster's own content. Eight pieces of analyst work, one click.


Sorted before you read them.

Every article enters a classifier that tags it against 17 threat categories. Whether it's a ransomware claim, a CVE disclosure, an APT campaign report, or a piece of geopolitical reporting, it lands in the right lane.

The feed is browsable by category, by sector, by region, or by time window. You're not scrolling through a flat list of everything — you're filtering to the things that matter to your stack and your geography.

The 17 categories: APT, Ransomware, Vulnerability, Malware, Phishing, Zero-Day, Breach, Geopolitical, Critical Infrastructure, Supply Chain, Espionage, DDoS, AI, Telecom & Internet, Disinfo & Influence, Drone & EW, Insider Threat.

17 entity types, extracted on the fly.

Among them: threat actors, malware families, ransomware groups, CVEs, MITRE ATT&CK techniques, IPs, domains, hashes, email addresses, crypto wallets, tools, targeted industries, countries, platforms, and vendors. Every cluster gets a structured entity layer the moment it lands.

That layer is what makes hyper-targeted CTI possible. Track a CVE across every cluster mentioning it. Watch a new APT group emerge as it's named in articles. Filter feeds by your tech stack. Trigger workflows when a tagged entity appears.
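As an added example (not ThreatCluster's code), the following shows the rule-based part of entity extraction: the types with fixed syntax (CVE IDs, ATT&CK technique IDs, IPv4 addresses, URLs, domains, e-mail addresses, SHA-256 hashes) pulled out of article text. Two practitioner details are built in: published articles usually defang indicators (hxxp, [.]), so the text is refanged before matching, and URL hosts and mailbox domains are handled separately so a path fragment like x.aspx is not mistaken for a domain. Named entities such as threat actors and malware families need a model or a curated list and are out of scope here. The sample text and every identifier in it are constructed.

```python
"""Added example, not ThreatCluster's code: rule-based extraction of the entity
types that have fixed syntax. Refangs common defanging conventions first.
SAMPLE and all identifiers in it are constructed (documentation IP ranges,
example.com hosts, a made-up CVE ID and hash)."""
import ipaddress
import re
from urllib.parse import urlparse

SAMPLE = (
    "The actor exploited CVE-2099-12345 on unpatched Exchange servers and staged a "
    "web shell reachable at hxxp://update.example[.]com/owa/auth/x.aspx. Beacons "
    "went to 198.51.100.23 and 203[.]0[.]113[.]9. DLL sideloading (T1574.002) "
    "loaded a payload with SHA-256 "
    "0e4c8f0f4b1f0b6e8a0d1e9e7b4c3a2d1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c. "
    "The phishing lure came from billing@invoice.example[.]net and ran PowerShell "
    "(T1059.001). CVE-2099-12345 was mentioned again in the vendor note."
)

# Defanging conventions seen in public reporting -> their live form.
REFANG = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I), "."),
    (re.compile(r"\[@\]|\[at\]", re.I), "@"),
]

PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b"),
    "attack_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
}


def refang(text: str) -> str:
    for pattern, repl in REFANG:
        text = pattern.sub(repl, text)
    return text


def _dedupe(values):
    """Keep first occurrence, preserve order (the second CVE mention collapses)."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def _valid_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)   # rejects octets above 255
        return True
    except ValueError:
        return False


def extract_entities(text: str) -> dict:
    text = refang(text)
    found = {
        "cve": _dedupe(PATTERNS["cve"].findall(text)),
        "attack_technique": _dedupe(PATTERNS["attack_technique"].findall(text)),
        "sha256": _dedupe(h.lower() for h in PATTERNS["sha256"].findall(text)),
        "ipv4": _dedupe(v for v in PATTERNS["ipv4"].findall(text) if _valid_ipv4(v)),
        "email": _dedupe(PATTERNS["email"].findall(text)),
    }
    # Strip sentence punctuation that the URL regex swallows ("...x.aspx.").
    urls = _dedupe(u.rstrip(".,;:)") for u in PATTERNS["url"].findall(text))
    found["url"] = urls
    # Domains: take URL hosts explicitly, then scan the text with URLs and
    # e-mails blanked out so path fragments and mailbox hosts are not counted.
    rest = PATTERNS["email"].sub(" ", PATTERNS["url"].sub(" ", text))
    hosts = [urlparse(u).hostname for u in urls]
    found["domain"] = _dedupe([h for h in hosts if h] + PATTERNS["domain"].findall(rest.lower()))
    return found


if __name__ == "__main__":
    for kind, values in extract_entities(SAMPLE).items():
        print(f"{kind:17s} {values}")
```

In a live pipeline you would additionally drop RFC 1918 and loopback addresses, version strings that look like IPv4 addresses, and the reporting vendor's own domains; the regexes above are the easy part, the allow-lists are where the false positives are fought.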


SHADOW-EARTH-053 Exploits Microsoft Exchange Vulnerabilities in Asia

The China-aligned threat group SHADOW-EARTH-053 has been exploiting unpatched Microsoft Exchange and IIS server vulnerabilities, specifically the ProxyLogon chain, to conduct cyberespionage. The group has targeted government ministries, defence contractors, and transportation entities across at least eight Asian countries and one NATO member state. Methods include deploying web shells and the ShadowPad malware via DLL sideloading and registry-based payload execution. Tools observed include Mimikatz and custom credential-theft utilities.

What this means in practice

A day of reading. An hour of decisions.

The volume problem in threat intelligence isn't too little information. It's too much. ThreatCluster ingests around 900 articles a day from 13,000+ sources — roughly 30 hours of reading if a human tried to keep up. No analyst can. So the platform does the part that doesn't need a human first.

900 / day: raw articles ingested, from 13,000+ sources worldwide. Roughly 30 hours of reading.

~70 / day: clusters after deduplication. 12.7 articles per cluster on average; ~92% noise removed.

5–10 / day: filtered to your world. Your sector, your stack, your geography, your supply chain.

1–2 / day: real-time alerts. High-impact matches that hit your inbox, Slack, or Teams the moment they land.

From collection to analysis.

Without clustering, the job is collection. Trawling feeds, reading the same story across ten outlets, deduplicating in your head, pasting facts into a spreadsheet. That's labour, not analysis.

With ThreatCluster, the analyst starts the day with pre-structured intelligence. Entities extracted, sources consolidated, threat score on the front of every card. The work shifts to triage, assessment, and response — the parts of the job an analyst actually trained for.

What's in the platform

Beyond the four-step pipeline above, ThreatCluster covers everything an analyst needs day to day. Each card opens a dedicated page with the detail.

Real-time Clustering

13,000+ sources aggregated continuously. Density-based semantic clustering groups related reporting. Thirty articles about the same incident become one cluster, not thirty alerts.

Entity Intelligence

Click any entity, get a full intelligence page. AI overview, recent events, threat profile, and a relationship graph mapping connections to other entities.

Custom Feeds

Build a feed in plain English, attach the entities you care about, and get hyper-specific CTI you can actually action. One feed per client, sector, or investigation.

ThreatCluster AI

Investigation assistant grounded in cluster content with inline citations on every claim. Six pre-built actions per cluster, plus free-form questions. Not the open web.

Threat Hunting

Pick a sector. Get a live threat model with actors, malware, MITRE techniques, and SIEM-ready hunt queries in KQL, SPL, or Lucene.

Dark Web

In-house collection across ransomware leak sites, underground forums, and Tor markets. We discover, enrich, and surface the content ourselves rather than reselling someone else's feed.

Exploits

CVSS, EPSS, KEV status, public exploit availability, vendor references, related clusters, and X mentions in one view per CVE.

Exposures

Pull asset inventory via Tenable, Defender, CrowdStrike, or API. Cross-reference it against the live threat feed and prioritise every asset using CISA SSVC.

IOCs & Exports

Per-cluster or in bulk: TXT, CSV, JSON, STIX 2.1 bundles (with TLP), MISP feed, and ATT&CK Navigator layers. Filter by type, confidence, and time.
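The STIX 2.1 export with TLP marking is the format most often got wrong by hand, so here is an added example (not ThreatCluster's code) of assembling such a bundle from an IOC list with only the standard library. The TLP marking-definition objects and their IDs are the fixed ones from the STIX 2.1 specification and must be used verbatim, since consumers such as MISP recognise them by ID; everything else (the IOC values, the confidence scores, the source label) is constructed for the example.

```python
"""Added example, not ThreatCluster's code: build a STIX 2.1 bundle of
indicators from an IOC list and attach a TLP marking, standard library only.
The TLP marking definitions and IDs are the fixed ones from the STIX 2.1 spec
(section 7.2.1.4); the IOC values below are constructed."""
import json
import uuid
from datetime import datetime, timezone

# Fixed TLP marking definitions; never regenerate these IDs.
TLP = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}


def tlp_marking(level: str) -> dict:
    """The predefined marking-definition object, shipped inside the bundle."""
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": TLP[level],
        "created": "2017-01-20T00:00:00.000Z",
        "definition_type": "tlp",
        "name": f"TLP:{level.upper()}",
        "definition": {"tlp": level},
    }


# STIX pattern templates per IOC type; values are single-quoted, so quotes
# and backslashes inside them must be escaped.
PATTERN_TEMPLATES = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "email": "[email-addr:value = '{v}']",
}


def stix_pattern(ioc_type: str, value: str) -> str:
    if ioc_type not in PATTERN_TEMPLATES:
        raise ValueError(f"no STIX pattern for IOC type {ioc_type!r}")
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return PATTERN_TEMPLATES[ioc_type].format(v=escaped)


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_bundle(iocs, tlp="amber", source="cluster-export", now=None) -> dict:
    """iocs: iterable of (type, value, confidence) with confidence 0-100 as in STIX.
    Identical patterns are emitted once, so a value two articles both report
    does not become two indicators."""
    now = now or _now()
    marking = tlp_marking(tlp)
    indicators, seen = [], set()
    for ioc_type, value, confidence in iocs:
        pattern = stix_pattern(ioc_type, value)
        if pattern in seen:
            continue
        seen.add(pattern)
        indicators.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",   # SDOs use random UUIDv4 ids
            "created": now,
            "modified": now,
            "name": f"{source}: {ioc_type} {value}",
            "indicator_types": ["malicious-activity"],
            "pattern": pattern,
            "pattern_type": "stix",
            "valid_from": now,
            "confidence": confidence,
            "object_marking_refs": [marking["id"]],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [marking] + indicators}


IOCS = [  # constructed sample; the last entry duplicates the first on purpose
    ("ipv4", "198.51.100.23", 80),
    ("ipv4", "203.0.113.9", 60),
    ("domain", "update.example.com", 80),
    ("sha256", "0e4c8f0f4b1f0b6e8a0d1e9e7b4c3a2d1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c", 90),
    ("ipv4", "198.51.100.23", 80),
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(IOCS, tlp="amber"), indent=2))
```

Note that a STIX 2.1 bundle carries no spec_version of its own; each object does. Omitting the marking-definition object from the bundle is the other common mistake: the indicators' object_marking_refs would then point at an ID the consumer has never seen.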

Workflows

Visual editor. Triggers on new clusters, CVE thresholds, KEV listings, tagged entities. Actions to webhook, Slack, Teams, ticket systems, or AI summarisation. Per-customer scoping.

Reports

Notion-style editor with dynamic content blocks that re-fetch on every render. White-labelled per customer. Schedule daily, weekly, monthly. Share private, restricted, or public.

CLI & API

Every capability reachable as a REST API, a tc command, or an agent tool. JSON-first, scoped agent keys, OS-keyring auth.

Want every feature in one table? See the full capability matrix, the MSSP capability table, or the IOC format matrix.

What ThreatCluster solves

"Are we affected?"

A major incident drops. Leadership wants answers. ThreatCluster clusters every source covering it in real time, extracts the CVEs, products, and threat actors involved, and gives you the full picture in one place instead of two hours of trawling.

"I missed something."

Set keywords for your stack, your industry, your threat actors. ThreatCluster watches thousands of sources so you do not have to. When something relevant appears, you know.

"The report takes longer than the research."

Pick your clusters. Generate a threat brief. Export it. The weekly reporting that used to eat half a day takes minutes.

Who is ThreatCluster built for

SOC teams

Related incidents, actor history, CVEs, and IOCs in one cluster. Context in seconds, not 30 minutes.

Threat intel analysts

Automated collection from thousands of sources. Entity extraction, actor timelines, and IOC feeds built as data arrives.

CISOs and security leaders

Trending threats by industry, severity scoring, and AI-generated executive briefs. Board-ready in minutes.

MSSPs

Filter by sector, generate white-labelled reports, and run org-scoped workflows across your client base.

Incident responders

Mid-incident context. Related campaigns, actor TTPs, and IOCs already clustered. Less pivoting, faster decisions.

Vulnerability management

Track CVEs from disclosure to active exploitation. Know which ones matter to your stack before the scanner tells you.

Red teams and pen testers

Current TTPs by actor and industry. Real-world attack chains to inform engagement scoping and scenario design.

OT and ICS security

Track threats to industrial systems, SCADA, and critical infrastructure. Filter by ICS-specific malware, actors, and CVEs.

Defence and government

Nation-state actor tracking. Campaign timelines. Geopolitical threat context. STIX and IOC feeds for existing tooling.

Platform Overview PDF — for MSSPs

The full platform overview, in one PDF.

Every capability, walked through with screenshots, sample data, and the operational detail you need to evaluate the product against your existing stack. Built for sharing with stakeholders who don't have time to log in.

Behind ThreatCluster

Built by people who've worked the SOC night-shift, briefed federal teams on APT activity, and run intelligence for critical national infrastructure.


James Mockford 🇬🇧

Co-Founder & Managing Director

Security engineering background spanning defence consultancy, managed security, telecoms infrastructure, and critical national infrastructure including OT/ICS in the water sector. Petty Officer in the Royal Naval Reserve Maritime Cyber Unit.

Reyben T. Cortes 🇺🇸

Co-Founder & Director of Threat Research

Network Security Engineer, Cyber Threat Intelligence Analyst, and OSINT practitioner. Former Cyber Threat Analyst for the U.S. Department of Homeland Security, delivering briefings to SLTT, CISA, and FBI InfraGard leaders on ransomware, APTs, and election infrastructure threats.

Advisory partnerships

ThreatCluster co-publishes joint threat advisories with Defused (cyber deception and early warning), Ransom-ISAC (ransomware analysis and collective defence), and detections.ai (community-driven detection rules). These partnerships bring complementary data sources into the platform where open-source scraping alone doesn't reach.


Stop trawling. Start knowing.

Join thousands of security professionals who get their threat intelligence from one place. Free to start, no credit card required.