ThreatCluster's MSSP tier is multi-tenant from the database up. Customers are first-class records, each with their own feeds, alert rules, webhooks, scheduled digests, and PDF reports. Same product, with the multi-customer plumbing turned on.
Every feature below ships in the MSSP tier today. No roadmap items, no stubs. What's on this page is what's in the product.
Each client gets a customer record with name, domain, contact email, free-text notes, and a logo. Everything that needs to be scoped to that client (feeds, alert rules, webhooks, digests, reports) keys off it. Customers can be deactivated without losing their history.
Daily, weekly, or monthly digests for each customer, tied to a feed you've set up for them. Recipients are configurable per digest. An optional AI prompt biases each digest toward what that client cares about. Healthcare wants HIPAA enforcement; logistics wants maritime CVEs. Same engine, different output.
ThreatCluster's report generator accepts a brand name and logo URL on export. Pair that with the customer's uploaded logo and the rendered PDF carries their identity, not yours. Same scoring, same entity extraction, same source links. Output you can send as the deliverable.
ThreatCluster has org-scoped feeds, alert rules, and webhooks underneath. The MSSP layer extends that with customer records that aren't tied to a sign-up, so you can run a customer's pipeline without them ever logging in. Per-org alerts route to the client's SIEM, Slack, or ticketing, not yours. No shared workspace, no cross-client bleed.
Everything in the dashboard is in the API: customer records, digests, feeds, alert rules. Pull a per-customer threat list into your existing reporting tooling, sync customer state from your billing system, automate onboarding with the baseline alert rules and feeds you'd otherwise click through. MSSP accounts get higher rate limits than Business; specific limits are set per contract.
If you serve more than one client, the Business tier doesn't have the plumbing for it. No customer record, no per-customer digest, no branded report. MSSP is the same product with that layer turned on.
The full MSSP-tier capability matrix. No asterisks, no "coming soon". Every row below is shipping today.
| Feature | MSSP |
|---|---|
| Intelligence | |
| Cluster Views | Unlimited |
| Entity Views | Unlimited |
| Enhanced Analysis | Yes |
| Attack Flows (CTID Attack Flow v3) | Yes |
| D3FEND Countermeasures | Yes |
| CWE Extraction | Yes |
| Public Exploit Tracking (Sonar) | Yes |
| Sub-Article Link Enrichment | Yes |
| X / Twitter Intelligence | Yes |
| Rising Threats (Explore) | Yes |
| Dark Web | |
| Ransomware Leak-Site Tracking | Yes |
| Credential Market Monitoring | Yes |
| Underground Forum Monitoring | Yes |
| Breach Matching | Yes |
| Company Domain Monitoring | Multi-customer |
| Exposure Management | |
| Per-Customer Asset Inventory | Yes |
| Asset Connectors (Tenable, Defender, CrowdStrike) | Yes |
| Bulk Upload (CSV / JSON) | Yes |
| API Asset Push | Yes |
| CISA SSVC Ranking | Yes |
| Asset Tagging (internet-facing, crown-jewel, isolated) | Yes |
| Threat Hunting | |
| Industry Threat Models (17 sectors) | Yes |
| Hunting Queries (KQL, SPL, Lucene) | Yes |
| Hunt Playbooks | Yes |
| ATT&CK Navigator Export | Yes |
| Diamond Model View | Yes |
| IOC Watchlist Export | Yes |
| Feeds and Alerts | |
| Personalised Threat Digest | Yes |
| Custom Feeds | Custom |
| Tracked Interests | Unlimited |
| Alert Rules | Custom |
| Webhooks | Custom |
| RSS Feed | Yes |
| MISP Feed | 50 events |
| Scheduled Reports | Yes |
| Workflows | |
| Visual Workflow Editor | Yes |
| Triggers (cluster, CVE threshold, entity, KEV) | Yes |
| Actions (webhook, Slack, Teams, email, ticket, AI summary) | Yes |
| Dry-Run Against Historical Data | Yes |
| Per-Workflow Audit Log | Yes |
| Reporting | |
| Report Generation | Custom |
| Notion-Style Editor | Yes |
| Dynamic Content Blocks | Yes |
| White-Labelled Reporting | Yes |
| Scheduled Delivery (daily / weekly / monthly / quarterly) | Yes |
| PDF / HTML / Markdown Export | Yes |
| Public Shareable URL | Yes |
| Theming (dark/light, colours, fonts, logo) | Yes |
| MSSP | |
| Multi-Customer Scoping | Yes |
| Customer Portal (read-only client view) | Yes |
| Aggregate MSSP Dashboard | Yes |
| Customer-Scoped Alert Routing | Yes |
| Per-Customer Exposure Management | Yes |
| Custom Feature Development | Yes |
| AI | |
| Ask AI (per-cluster) | 99 / day |
| Cluster AI (global search) | 999 / day |
| Report AI (editor) | Yes |
| Inline Source Citations | Yes |
| Collections and Tags | |
| Collections | Custom |
| Tags | Unlimited |
| Team Sharing | Yes (with roles) |
| IOC Exports | |
| TXT / CSV / JSON | Yes |
| STIX 2.1 Bundles (TLP-marked) | Yes |
| Bulk IOC Export (confidence / type / time filters) | Yes |
| Integrations | |
| REST API | Higher limits |
| CLI (tc) | Yes |
| Agent Tool Surface | Yes |
| SIEM Ingestion (Splunk, Sentinel, Elastic, OpenSearch) | Yes |
| SOAR / Ticketing (webhook routing) | Yes |
MSSP pricing is per managed customer. No minimum, no cap. Add a customer when you win the contract, remove them when you don't.
Every feature in the matrix above, walked through with screenshots, sample data, and the operational detail you need to evaluate the product against your existing stack. Send it to your underwriter, your CISO, or the client who keeps asking what they're paying for.
Built by people who've worked the SOC night-shift, briefed federal teams on APT activity, and run intelligence for critical national infrastructure.
Security engineering background spanning defence consultancy, managed security, telecoms infrastructure, and critical national infrastructure including OT/ICS in the water sector. Petty Officer in the Royal Naval Reserve Maritime Cyber Unit.
Network Security Engineer, Cyber Threat Intelligence Analyst, and OSINT practitioner. Former Cyber Threat Analyst for the U.S. Department of Homeland Security, delivering briefings to SLTT, CISA, and FBI InfraGard leaders on ransomware, APTs, and election infrastructure threats.
ThreatCluster co-publishes joint threat advisories with Defused (cyber deception and early warning), Ransom-ISAC (ransomware analysis and collective defence), and detections.ai (community-driven detection rules). These partnerships bring complementary data sources into the platform where open-source scraping alone doesn't reach.
Tell us how many clients you serve, what they expect from a weekly brief, and what their stack looks like. We'll set up a working environment, not a sandbox demo.