Threat intelligence,
pointed at your boxes.

A CVE feed is generic. ThreatCluster Exposures pairs the live threat graph with each customer's actual inventory and tells you, host by host, what to patch first.

Open Exposures How it works

Two streams against your stack.

Exposures joins the live threat feed with each client's asset inventory and tells you what to patch first. Two overlays: direct exposures (CVEs against their installed software) and related threats (actors and malware targeting their tech).

Filter by KEV-only, CVSS ≥ 9, or has-exploit. Sort by severity, latest activity, asset reach, or cluster volume. Search by CVE, product, or vendor to jump straight in.

  • Direct CVE matches against installed software
  • Related threat actors and campaigns targeting their stack
  • Per-asset breakdown showing which boxes are affected
  • Filter by KEV, EPSS threshold, public-exploit availability
The exposures dashboard click to expand
image · 1
Exposures dashboard
/exposures page. Stat strip, three tabs, ranked CVE-affecting-asset rows with KEV / Exploit pills.

Per-customer, end to end.

For MSSPs, every asset, every CVE match, every SSVC ranking is scoped to a specific customer. Switch the active customer from the navbar and the entire exposures page re-scopes. Assets, software, threats, all of it.

Each customer's data stays in its own lane. Analysts see only what they're allowed to see, and the switcher makes it impossible to accidentally take action against the wrong client.

Strict isolation Per-customer connectors Aggregate dashboard Audit logged
Active customer switcher with per-customer exposure view click to expand
image · 2
Customer switcher
Navbar customer dropdown open. /exposures rendered for one specific customer's inventory.

Connect what you already run.

Pull asset inventory via Tenable, Microsoft Defender, CrowdStrike, bulk CSV/JSON upload, or the public REST API. All per-client. The MSP brings the eyes, ThreatCluster does the matching.

Soft-deletion and re-syncs are non-destructive. Assets you stop reporting fall out gracefully without losing history, so trend lines stay intact when an MSP swaps scanner vendor or a client decommissions a host.

Tenable
Microsoft Defender
CrowdStrike
Bulk CSV / JSON
REST API
Connector configuration in Settings click to expand
image · 3
Connectors pane
Settings → Connectors. Tenable / Defender / CrowdStrike cards with auth status. Bulk upload card.

Ranked the way CISA ranks them.

CISA's SSVC stages map exploitation evidence to action. Every host gets one: Act, Attend, Track*, Track, or Clear. Things to patch first sit at the top. Hover any pill for the reasoning. The pill explains the KEV listing, the public exploit, the EPSS score, and the asset tag context that drove the ranking.

Tag assets as internet-facing, crown-jewel, or isolated and the SSVC tree adapts. An exploitable bug on an isolated lab box doesn't deserve the same urgency as the same bug on the public-facing VPN concentrator.

Act
Patch immediately
Attend
High priority
Track*
Monitor closely
Track
Standard backlog
Clear
No action needed
SSVC ranking on the assets view click to expand
image · 4
Assets View · SSVC ranked
Asset detail with edit-tags / delete chrome. Asset row showing "Act" pill, OS, source, tags, matched CVEs.

Asset view, host by host.

Every host ranked by CISA SSVC. Bulk columns surface CVE count, KEV count, exploit count, max CVSS, and max EPSS at a glance. Click any host to see the full software list, the matched CVEs per product, and the historical activity on each.

Tag editor is one click. Tags affect the SSVC tree immediately, no recalculation lag.

Asset list with bulk SSVC columns click to expand
image · 5
Assets list
/exposures Assets tab. ASSET / OS / SOURCE / TAGS columns with SSVC stage left.

Software view. Patch the product, not the host.

Pivoted by vendor and product so patch decisions land at product level. Same SSVC ranking aggregated across every host running that product. Shows the blast radius before you start the rollout.

Click any product to see every host running it, the specific versions in play, and the matched CVEs across those versions. Useful for "we need to patch Ivanti EPMM this week, how many hosts is that?" without spreadsheet gymnastics.

Software view with vendor / product / version click to expand
image · 6
Software list
/exposures Software tab. VENDOR / PRODUCT / VERSIONS columns. Product detail with hosts list and matched CVEs.

Goes well with

The Exploits DatabaseWhere the CVE rankings come from Threat HuntingSector threat models for the gaps your scanner won't see For MSSPsPer-customer scoping across the whole platform

Or see every capability area in one place.

Exposures is the bit that points the rest of the platform at your actual stack. The threat feed, the dark-web alerts, the IOC matching — they all become specific the moment a connector lands.

Connect a scanner.
See your stack ranked.

Five minutes from connector to a CISA-graded exposure list per customer. Free to try, no sales call required.

Open Exposures Read the brochure