Start free. Move up when you outgrow the limits. Researcher is one click in the product. Business and MSSP are a short call so we can scope the right contract for your team.
All plans run on the same live feed. The differences are limits and the surfaces you unlock around it.
Every feature, every tier, side by side. What's included, what's capped, and where the line sits between Researcher, Business, and MSSP.
| Capability | Free | Researcher | Business | MSSP |
|---|---|---|---|---|
| Intelligence | ||||
| Cluster views / day | 3 | Unlimited | Unlimited | Unlimited |
| Entity views / day | — | Unlimited | Unlimited | Unlimited |
| Smart analysis (summary, impact, technical, response) | Read-only on free cluster | ✓ | ✓ | ✓ |
| Threat scoring (0–100, four sub-scores) | ✓ | ✓ | ✓ | ✓ |
| Attack flows (CTID Attack Flow v3) | — | ✓ | ✓ | ✓ |
| D3FEND countermeasures | — | ✓ | ✓ | ✓ |
| CWE extraction | — | ✓ | ✓ | ✓ |
| Public exploit tracking (Sonar) | — | ✓ | ✓ | ✓ |
| Sub-article link enrichment | — | ✓ | ✓ | ✓ |
| X / Twitter intelligence | — | ✓ | ✓ | ✓ |
| Rising threats (Explore) | — | ✓ | ✓ | ✓ |
| Dark web | ||||
| Ransomware leak-site tracking | — | ✓ | ✓ | ✓ |
| Credential market monitoring | — | ✓ | ✓ | ✓ |
| Underground forum monitoring | — | ✓ | ✓ | ✓ |
| Breach matching | — | — | ✓ | ✓ |
| Company / domain monitoring | — | — | Single org | Multi-customer |
| Exposure management — priced separately, per device | ||||
| Asset inventory | — | — | Per device | Per device, per customer |
| Asset connectors (Tenable, Defender, CrowdStrike) | — | — | ✓ | ✓ |
| Bulk upload (CSV / JSON) and API push | — | — | ✓ | ✓ |
| CISA SSVC ranking | — | — | ✓ | ✓ |
| Asset tagging (internet-facing, crown-jewel, isolated) | — | — | ✓ | ✓ |
| Threat hunting | ||||
| Industry threat models (17 sectors) | — | ✓ | ✓ | ✓ |
| Hunting queries (KQL, SPL, Lucene) | — | ✓ | ✓ | ✓ |
| Hunt playbooks | — | ✓ | ✓ | ✓ |
| ATT&CK Navigator export | — | ✓ | ✓ | ✓ |
| Diamond Model view | — | ✓ | ✓ | ✓ |
| IOC watchlist export | — | ✓ | ✓ | ✓ |
| Feeds & alerts | ||||
| Alerting keywords — push to digest, webhooks, alerts | 5 | 20 | Unlimited | Unlimited |
| Saved feeds — named views, RSS exports | — | 3 | 10 | Unlimited |
| Entities per saved feed | 5 | 50 | 100 | 100 |
| Org-shared saved feeds | — | — | ✓ | ✓ |
| Alert rules | — | 3 | 25 | Unlimited |
| Org-shared alert rules | — | — | ✓ | ✓ |
| Webhooks | — | 1 | 3 | Unlimited |
| Org-shared webhooks | — | — | ✓ | ✓ |
| Personalised threat digest | General digest only | ✓ | ✓ | Per customer |
| RSS feed | 10 items | 50 items | 50 items | 50 items |
| MISP feed | 10 events | 50 events | 50 events | 50 events |
| Workflows | ||||
| Workflows | — | — | 10 | Unlimited |
| Workflow runs / day | — | — | 50 | Unlimited |
| Steps per workflow | — | — | 10 | 20 |
| Stored credentials | — | — | 10 | 50 |
| Triggers (cluster, CVE threshold, entity, KEV) | — | — | ✓ | ✓ |
| Actions (webhook, Slack, Teams, email, ticket, AI summary) | — | — | ✓ | ✓ |
| Dry-run against historical data | — | — | ✓ | ✓ |
| Per-workflow audit log | — | — | ✓ | ✓ |
| Reporting | ||||
| Reports / day | — | — | 10 | Unlimited |
| Notion-style editor | — | — | ✓ | ✓ |
| Dynamic content blocks (live data on every render) | — | — | ✓ | ✓ |
| Scheduled delivery (daily / weekly / monthly / quarterly) | — | — | ✓ | ✓ |
| PDF / HTML / Markdown export | — | — | ✓ | ✓ |
| Public shareable URL | — | — | ✓ | ✓ |
| White-labelled reporting | — | — | Org branding | Per customer |
| Theming (dark / light, colours, fonts, logo) | — | — | ✓ | ✓ |
| MSSP | ||||
| Multi-customer scoping | — | — | — | ✓ |
| Customer records (name, domain, contact, logo, notes) | — | — | — | ✓ |
| Customer portal (read-only client view) | — | — | — | ✓ |
| Aggregate MSSP dashboard | — | — | — | ✓ |
| Customer-scoped alert routing | — | — | — | ✓ |
| Custom feature development | — | — | — | ✓ |
| AI assistant | ||||
| Ask AI per cluster / day | — | 3 | 10 | 99 |
| Cluster AI global search / day | — | 10 | 100 | Unlimited |
| Report editor AI inserts / day | — | 30 | 200 | Unlimited |
| Inline source citations | — | ✓ | ✓ | ✓ |
| Collections & tags | ||||
| Collections | 1 | 5 | 25 | Unlimited |
| Items per collection | 10 | 100 | 100 | 500 |
| Tags | — | Unlimited | Unlimited | Unlimited |
| Team sharing with roles | — | — | ✓ | ✓ |
| IOC exports | ||||
| TXT / CSV / JSON | — | ✓ | ✓ | ✓ |
| STIX 2.1 bundles (TLP-marked) | — | ✓ | ✓ | ✓ |
| Bulk IOC export (confidence / type / time filters) | — | ✓ | ✓ | ✓ |
| Integrations | ||||
| REST API | — | 60 req/min | 120 req/min | Higher limits |
| tc CLI | — | ✓ | ✓ | ✓ |
| API scopes | — | Read-only (5 scopes) | Full (all scopes) | Full (all scopes) |
| Org-level API keys (custom scopes) | — | — | ✓ | ✓ |
| MCP server access | — | — | ✓ | ✓ |
| AI-assisted feed creation | — | — | ✓ | ✓ |
| Agent tool surface | — | — | ✓ | ✓ |
| SIEM ingestion (Splunk, Sentinel, Elastic, OpenSearch) | — | — | ✓ | ✓ |
| SOAR / ticketing (webhook routing) | — | ✓ | ✓ | ✓ |
Yes. Free gets you a feel for how clustering reads. When you're ready, Researcher is one click in the product. No card needed for Free; cancel Researcher any time.
Both are scoped to your team or your book of clients. Custom feed counts, API limits, and white-labelling are easier to land in one short call than from a default price page. No procurement gauntlet — we keep it under an hour.
Per managed customer. No minimum, no cap. You can grow your book without rebuilding the contract every quarter.
Researcher and up. Researcher gets a read-only key (threats, IOCs, entities, vulnerabilities, feeds) at 60 req/min and the tc CLI. Business widens the scope set to include dark web and inventory, plus 120 req/min, MCP server access, and org-level API keys with custom scopes.
Researcher gets full dark web access — leak sites, credential markets, and underground forum monitoring. Breach matching and company / domain monitoring are Business-tier features. Free doesn't include any dark web surfaces.
Exposure management is scoped separately on a per-device basis on top of Business and MSSP, so the bill matches what you're actually monitoring rather than your seat count.
Researcher is monthly. Business and MSSP are annual contracts by default, with quarterly options if that fits your finance calendar better.
Yes. Researcher is free for accredited educational institutions, registered non-profits, and cybersecurity foundations (CERTs, ISACs, threat-sharing communities, infosec charities). Request access via our contact form from your institutional address.
We grew up reading the same open writeups as everyone else. If you're a university, a registered non-profit, or a cybersecurity foundation (CERTs, ISACs, threat-sharing communities, infosec charities) — ThreatCluster Researcher is free.
Reach out via our contact form from your institutional address with a one-line description of what you're working on. We turn it around in a couple of days.
Request free access →Free is one click. Researcher is one more. Business and MSSP are a short scoping call so we can match the contract to your team.