The full ThreatCluster capability matrix, compared across Free, Researcher, Business and MSSP. No asterisks, no "coming soon" — every row below ships today.
| Capability | Free | Researcher | Business | MSSP |
|---|---|---|---|---|
| **Intelligence** | | | | |
| Cluster views / day | 3 | Unlimited | Unlimited | Unlimited |
| Entity views / day | — | Unlimited | Unlimited | Unlimited |
| Smart analysis (summary, impact, technical, response) | Read-only on free cluster | ✓ | ✓ | ✓ |
| Threat scoring (0–100, four sub-scores) | ✓ | ✓ | ✓ | ✓ |
| Attack flows (CTID Attack Flow v3) | — | ✓ | ✓ | ✓ |
| D3FEND countermeasures | — | ✓ | ✓ | ✓ |
| CWE extraction | — | ✓ | ✓ | ✓ |
| Public exploit tracking (Sonar) | — | ✓ | ✓ | ✓ |
| Sub-article link enrichment | — | ✓ | ✓ | ✓ |
| X / Twitter intelligence | — | ✓ | ✓ | ✓ |
| Rising threats (Explore) | — | ✓ | ✓ | ✓ |
| **Dark web** | | | | |
| Ransomware leak-site tracking | — | ✓ | ✓ | ✓ |
| Credential market monitoring | — | ✓ | ✓ | ✓ |
| Underground forum monitoring | — | ✓ | ✓ | ✓ |
| Breach matching | — | — | ✓ | ✓ |
| Company / domain monitoring | — | — | Single org | Multi-customer |
| **Exposure management — priced separately, per device** | | | | |
| Asset inventory | — | — | Per device | Per device, per customer |
| Asset connectors (Tenable, Defender, CrowdStrike) | — | — | ✓ | ✓ |
| Bulk upload (CSV / JSON) and API push | — | — | ✓ | ✓ |
| CISA SSVC ranking | — | — | ✓ | ✓ |
| Asset tagging (internet-facing, crown-jewel, isolated) | — | — | ✓ | ✓ |
| **Threat hunting** | | | | |
| Industry threat models (17 sectors) | — | ✓ | ✓ | ✓ |
| Hunting queries (KQL, SPL, Lucene) | — | ✓ | ✓ | ✓ |
| Hunt playbooks | — | ✓ | ✓ | ✓ |
| ATT&CK Navigator export | — | ✓ | ✓ | ✓ |
| Diamond Model view | — | ✓ | ✓ | ✓ |
| IOC watchlist export | — | ✓ | ✓ | ✓ |
| **Feeds & alerts** | | | | |
| Alerting keywords — push to digest, webhooks, alerts | 5 | 20 | Unlimited | Unlimited |
| Saved feeds — named views, RSS exports | — | 3 | 10 | Unlimited |
| Entities per saved feed | 5 | 50 | 100 | 100 |
| Org-shared saved feeds | — | — | ✓ | ✓ |
| Alert rules | — | 3 | 25 | Unlimited |
| Org-shared alert rules | — | — | ✓ | ✓ |
| Webhooks | — | 1 | 3 | Unlimited |
| Org-shared webhooks | — | — | ✓ | ✓ |
| Personalised threat digest | General digest only | ✓ | ✓ | Per customer |
| RSS feed | 10 items | 50 items | 50 items | 50 items |
| MISP feed | 10 events | 50 events | 50 events | 50 events |
| **Workflows** | | | | |
| Workflows | — | — | 10 | Unlimited |
| Workflow runs / day | — | — | 50 | Unlimited |
| Steps per workflow | — | — | 10 | 20 |
| Stored credentials | — | — | 10 | 50 |
| Triggers (cluster, CVE threshold, entity, KEV) | — | — | ✓ | ✓ |
| Actions (webhook, Slack, Teams, email, ticket, AI summary) | — | — | ✓ | ✓ |
| Dry-run against historical data | — | — | ✓ | ✓ |
| Per-workflow audit log | — | — | ✓ | ✓ |
| **Reporting** | | | | |
| Reports / day | — | — | 10 | Unlimited |
| Notion-style editor | — | — | ✓ | ✓ |
| Dynamic content blocks (live data on every render) | — | — | ✓ | ✓ |
| Scheduled delivery (daily / weekly / monthly / quarterly) | — | — | ✓ | ✓ |
| PDF / HTML / Markdown export | — | — | ✓ | ✓ |
| Public shareable URL | — | — | ✓ | ✓ |
| White-labelled reporting | — | — | Org branding | Per customer |
| Theming (dark / light, colours, fonts, logo) | — | — | ✓ | ✓ |
| **MSSP** | | | | |
| Multi-customer scoping | — | — | — | ✓ |
| Customer records (name, domain, contact, logo, notes) | — | — | — | ✓ |
| Customer portal (read-only client view) | — | — | — | ✓ |
| Aggregate MSSP dashboard | — | — | — | ✓ |
| Customer-scoped alert routing | — | — | — | ✓ |
| Custom feature development | — | — | — | ✓ |
| **AI assistant** | | | | |
| Ask AI per cluster / day | — | 3 | 10 | 99 |
| Cluster AI global search / day | — | 10 | 100 | Unlimited |
| Report editor AI inserts / day | — | 30 | 200 | Unlimited |
| Inline source citations | — | ✓ | ✓ | ✓ |
| **Collections & tags** | | | | |
| Collections | 1 | 5 | 25 | Unlimited |
| Items per collection | 10 | 100 | 100 | 500 |
| Tags | — | Unlimited | Unlimited | Unlimited |
| Team sharing with roles | — | — | ✓ | ✓ |
| **IOC exports** | | | | |
| TXT / CSV / JSON | — | ✓ | ✓ | ✓ |
| STIX 2.1 bundles (TLP-marked) | — | ✓ | ✓ | ✓ |
| Bulk IOC export (confidence / type / time filters) | — | ✓ | ✓ | ✓ |
| **Integrations** | | | | |
| REST API | — | 60 req/min | 120 req/min | Higher limits |
| tc CLI | — | ✓ | ✓ | ✓ |
| API scopes | — | Read-only (5 scopes) | Full (all scopes) | Full (all scopes) |
| Org-level API keys (custom scopes) | — | — | ✓ | ✓ |
| MCP server access | — | — | ✓ | ✓ |
| AI-assisted feed creation | — | — | ✓ | ✓ |
| Agent tool surface | — | — | ✓ | ✓ |
| SIEM ingestion (Splunk, Sentinel, Elastic, OpenSearch) | — | — | ✓ | ✓ |
| SOAR / ticketing (webhook routing) | — | ✓ | ✓ | ✓ |
See pricing for plan costs, or ThreatCluster for MSSPs for multi-customer details.