Our Story

A side project that kept going.

ThreatCluster started in February 2025 as a side project called Project Argus, built on a laptop in Bath after too many years of watching the same problem go unsolved.

Feb 2025

Threat intel that nobody can afford.

Every security team needs threat intelligence. Most can't afford it. The platforms that exist charge five or six figures a year, which means the only people who get decent visibility into what's actually happening are the organisations that already have the budget, the headcount, and the tooling to deal with it.

Everyone else reads blogs, checks Twitter, and hopes they catch the right advisory before it matters.

Image 1: What we were doing before Argus
Feb 2025

Project Argus.

A clustering experiment. Take thousands of open-source articles, advisories, and reports. Group the ones covering the same incident. Pull out the entities that matter — threat actors, CVEs, malware, targeted industries, IOCs. See if the result looks more like intelligence than a news feed.

The early version ran 67 feeds through a Flask app on a local machine. The clustering used TF-IDF vectors and cosine similarity. It mostly worked. It sometimes didn't.

67 feeds · Flask · TF-IDF · cosine similarity

Image 2: The Project Argus prototype
May 2025

The M&S cluster.

The prototype was handling real-world incidents. It pulled the M&S cyberattack together across a dozen sources that all described the same event in different words. The clustering was no longer a toy.

Image 3: The M&S cluster
Jun 2025

The name changed.

The clustering engine had been rewritten twice. The entity extraction pipeline was producing structured output. The project needed a real name.

Project Argus became ThreatCluster.

Late 2025

Building the platform.

PostgreSQL replaced flat files. The source list grew from 67 feeds to thousands. Semantic embeddings replaced TF-IDF. DBSCAN replaced the early similarity thresholds. Entity extraction expanded to cover 17 types.
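The page does not publish the Argus or ThreatCluster clustering code, so the block below is an added illustration of the approach described in the Project Argus section and here: TF-IDF vectors compared by cosine similarity, grouped by a minimal DBSCAN over cosine distance rather than a fixed similarity threshold. It keeps TF-IDF instead of semantic embeddings (which would need a model), and the headlines, stop-word list, eps and min_pts values are all constructed assumptions, not ThreatCluster's.

```python
import math
import re
from collections import Counter
# Constructed sample headlines (not ThreatCluster data): three on one retail incident, two on one router flaw, one unrelated.
ARTICLES = [
    "Retailer confirms cyberattack disrupted online orders and stores",
    "Retailer cyberattack: online orders halted after ransomware incident",
    "Ransomware group claims responsibility for retailer attack on online orders",
    "Critical router vulnerability allows remote code execution, patch now",
    "Vendor issues patch for critical router remote code execution flaw",
    "Security conference announces keynote speakers for autumn event",
]
STOP = {"for", "and", "on", "after", "the", "of", "a", "now", "to"}  # assumed stop-word list

def tfidf_vectors(docs):
    """One sparse TF-IDF vector (term -> weight) per document."""
    toks = [[w for w in re.findall(r"[a-z]+", d.lower()) if w not in STOP] for d in docs]
    df = Counter(t for ts in toks for t in set(ts))  # document frequency per term
    return [{t: c / len(ts) * math.log(1 + len(docs) / df[t]) for t, c in Counter(ts).items()}
            for ts in toks]

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = lambda v: math.sqrt(sum(w * w for w in v.values()))
    return dot / (norm(a) * norm(b)) if a and b else 0.0

def dbscan(vecs, eps, min_pts):
    """Minimal DBSCAN over cosine distance (1 - similarity); label -1 marks noise."""
    n = len(vecs)
    nbrs = [[j for j in range(n) if 1 - cosine(vecs[i], vecs[j]) <= eps] for i in range(n)]
    core = [len(nb) >= min_pts for nb in nbrs]  # a point counts as its own neighbour
    labels, cluster = [-1] * n, 0
    for i in range(n):
        if not core[i] or labels[i] != -1:
            continue
        stack = [i]
        while stack:  # flood-fill outward from the core point
            j = stack.pop()
            if labels[j] != -1:
                continue
            labels[j] = cluster
            if core[j]:  # border points join a cluster but do not expand it
                stack.extend(nbrs[j])
        cluster += 1
    return labels

def cluster_articles(docs=ARTICLES, eps=0.75, min_pts=2):
    """Map each DBSCAN label to the indices of its documents; -1 collects the noise."""
    labels = dbscan(tfidf_vectors(docs), eps, min_pts)
    return {lab: [i for i, l in enumerate(labels) if l == lab] for lab in set(labels)}
```

With eps=0.75 the three retail headlines form one cluster, the two router items another, and the conference item is left as noise; lowering eps to 0.5 keeps only the router pair and drops the retail headlines to noise, which shows how sensitive the grouping is to the distance cut-off.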

The web app went from a Flask prototype to something you could actually log into. Dark web monitoring went live. The free tier launched alongside a Researcher tier and a Business tier. The first paying customers arrived.

PostgreSQL · embeddings · DBSCAN · 17 entity types · dark web · paying customers

Image 5: ThreatCluster v1, the platform takes shape
Early 2026

Reyben joined.

Reyben Cortes joined as co-founder, bringing experience from the U.S. Department of Homeland Security and hands-on threat intelligence work across government and APAC. The platform had outgrown what one person could build, maintain, and sell at the same time.

Image 6: Reyben Cortes
Today

Where we are.

ThreatCluster aggregates over 12,000 sources. The platform runs real-time clustering, attack flow generation mapped to MITRE ATT&CK, D3FEND countermeasures, public exploit tracking, SIEM-ready hunting queries, exposure management with CISA SSVC ranking, a reporting engine, dark web monitoring across ransomware leak sites and underground forums, and a CLI and REST API.

We co-publish joint threat advisories with Defused, Ransom-ISAC, and detections.ai. We've been quoted in Forbes. Our weekly threat briefs are read by security teams at organisations we never expected to reach when this was a script on a laptop.

Image 7: The ThreatCluster platform today
What hasn't changed

Why we keep the core free.

Threat intelligence should be accessible to everyone defending a network, not just the organisations that can write a six-figure cheque.

We charge for the features that scale — multi-tenant MSSP tooling, exposure management, branded reporting — and keep the core intelligence free.

Registered in England and Wales (Company No. 17124226).

The free tier is the same engine.

Sign up, no sales call. Same clustering, same entity extraction, same dark-web monitoring.