Profile
Profile picture
Max 3MB, PNG/JPEG/WebP.
Quick Setup
Quickly configure your industry, platforms, locations, and threat actor interests
Reading preferences
Subscription
Current Plan
Grace Period Active
You have 30 days of access remaining. Subscribe to a plan to maintain your access.
Today's Usage
Cluster Views
0
Entity Views
0
Reports
0
Tracked Interests
0
Available Plans
Choose the plan that fits your threat intelligence needs
Dark Web Monitoring
Company Dark Web Monitoring Requires a Business Subscription
Track your company name, domain, and chosen keywords across ransomware leak sites, credential markets, and underground forums. Available on Business and MSSP. Researcher gets read-only dark web browsing without org-scoped monitoring.
Only organization owners and admins can change these settings.
Configure your company details for dark web threat monitoring
Used to monitor ransomware victims and breach mentions
Comma-separated. Used to monitor leaked credentials and breaches for these domains.
Flag anything across ransomware victims, groups, markets, and breaches that mentions these terms (e.g. supply chain). Case-insensitive, partial matches. Up to 100 keywords.
Tracked Entities
Pick the companies, platforms, threat actors, and other entities you care about. We'll tailor your threat feed to match.
Popular in this category
Your Tracked Entities
Blocked Entities
Clusters mentioning these will be hidden from all feeds
Custom Feeds Require a Researcher Subscription
Build saved feeds around specific entities, vendors, or sectors. Researcher gets 3 personal feeds; Business widens to 10 plus org sharing.
Custom Feeds
Create custom feeds to track specific entities. Each feed can have its own set of keywords for targeted monitoring.
Your Feeds
Feed Digest
Send scheduled digests from your custom feeds to team recipients, branded with your organization logo.
New Feed Digest
GPT will analyze all recent clusters and select those matching your prompt.
Looks back 24 hours for matching threats
No feed digests configured. Create one to start sending scheduled digests to your team.
In-App Notifications
Control which notifications appear in your notification bell.
Master switch for all in-app notifications
When a workflow finishes running
When an alert rule matches a new cluster
When a report finishes generating
When someone shares a feed with your domain
When someone shares a collection with your domain
Subscription upgrades, downgrades, or payment issues
New clusters matching your keywords or feeds
High-severity threats scoring 80+ (broadcast to all users)
Webhooks
Webhooks Require Paid Subscription
Researcher and Business or MSSP tier subscribers can receive real-time notifications when tracked entities appear in new threat clusters.
Receive real-time notifications when your tracked entities appear in new threat clusters.
We'll sign payloads with this secret using HMAC-SHA256
Your Webhooks
View example payload
{
  "event": "cluster_match",
  "timestamp": "2026-01-31T12:00:00Z",
  "cluster": {
    "id": "abc123",
    "title": "APT29 Targets Government Agencies",
    "threat_score": 0.85,
    "url": "https://threatcluster.io/cluster/abc123"
  },
  "matched_entities": [
    {"type": "apt_group", "value": "APT29"},
    {"type": "cve", "value": "CVE-2025-1234"}
  ]
}
Signature header: X-ThreatCluster-Signature: sha256=...
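Receiver-side verification of the signed payload, as an added example (not ThreatCluster's own code). It assumes the header value is the hex HMAC-SHA256 of the raw request body under the webhook secret; the page shows only "sha256=...". The function names, the 5-minute replay window and the sample secret and body are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed replay window, not a documented value

# Constructed sample input, modelled on the example payload above.
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = (b'{"event": "cluster_match", "timestamp": "2026-01-31T12:00:00Z", '
               b'"cluster": {"id": "abc123", "threat_score": 0.85}}')


def sign(secret: bytes, raw_body: bytes) -> str:
    """Build a header value in the 'sha256=<hex>' form (hex encoding is assumed)."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret, raw_body, header, now=None):
    """Return the parsed payload if signature and timestamp are valid, else None."""
    if not isinstance(header, str) or not header.startswith("sha256="):
        return None
    # MAC the bytes exactly as received; re-serialised JSON would not match.
    expected = sign(secret, raw_body).encode()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, header.encode("utf-8", "replace")):
        return None
    try:
        payload = json.loads(raw_body)
        sent = datetime.fromisoformat(payload["timestamp"].replace("Z", "+00:00"))
        now = now or datetime.now(timezone.utc)
        # Reject captured deliveries replayed outside the window.
        if abs(now - sent) > MAX_SKEW:
            return None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed JSON, missing or naive timestamp
    return payload


if __name__ == "__main__":
    hdr = sign(SAMPLE_SECRET, SAMPLE_BODY)
    at = datetime(2026, 1, 31, 12, 1, tzinfo=timezone.utc)
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, hdr, now=at))
```

Pass the body bytes straight from the HTTP framework's raw-body accessor, before any JSON middleware touches them.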
Alert Rules
Alert Rules Require Paid Subscription
Researcher tier gets 3 alert rules, Business tier gets 25, MSSP gets custom limits. Create advanced notification rules with multiple conditions.
Create advanced notification rules with multiple conditions.
CVE Alerts Require a Researcher Subscription
Researcher, Business, and MSSP tier subscribers can set up custom alerts for new CVEs by vendor, severity, CVSS, EPSS, KEV status, and public PoC availability.
CVE Alerts
Get notified when new CVEs match your criteria. Filters by vendor, severity, CVSS, EPSS, KEV status, public PoC, and more.
New CVE Alert
Workflows
Workflows Require Paid Subscription
Researcher tier gets 3 workflows, Business tier gets 25, MSSP gets custom limits. Automate threat intelligence actions with multi-step workflows.
Automate threat intelligence actions with multi-step workflows. Workflows trigger when new clusters match your conditions.
Credentials
Store encrypted credentials for HTTP request actions. Secrets are encrypted at rest and never displayed.
API Access
tc CLI gives agents scoped, short-lived bearer tokens.
API Access Requires a Paid Plan
Researcher, Business, and MSSP plans get programmatic access to ThreatCluster data via the REST API and tc CLI.
Use your API key to access ThreatCluster data programmatically.
You don't have an API key yet. Generate one to get started.
Save Your API Key Now
This is the only time you'll see this key. Copy it and store it securely.
tc_live_...****
Rate Limits
30 requests per minute. Exceeding this limit will result in 429 Too Many Requests responses.
RSS, MISP & IOC Feed Token
Full Feeds Require Paid Subscription
Researcher and Business or MSSP tier subscribers get access to full RSS and MISP feeds with 50 items. Free users can access limited public feeds (10 items) at /feed.xml and /misp/.
Use your feed token to access full RSS and MISP feeds (50 items) programmatically. Add the token as a query parameter (?token=YOUR_TOKEN) or X-Feed-Token header.
You don't have a feed token yet. Generate one to get started.
Save Your Feed Token Now
This is the only time you'll see this token. Copy it and store it securely.
tc_feed_...****
Feed URLs (Researcher & above)
https://threatcluster.io/api/feed.xml?token=YOUR_TOKEN
https://threatcluster.io/api/misp/?token=YOUR_TOKEN
Public feeds (10 items) are available at /feed.xml and /misp/ without authentication.
Affiliate Program
Join our affiliate program and earn 30% commission on every referral's first month subscription.
Program Benefits
- Earn $9 for each Researcher tier referral ($29.99/mo)
- Earn commission for each Business or MSSP referral
- 30-day cookie tracking for referral attribution
- Real-time dashboard to track visitors, leads, and conversions
- No minimum payout threshold - withdraw after 30 days
By joining, you agree to our Affiliate Program Terms.
Share your referral link to earn 30% commission on every new subscriber's first month.
Your referral link will be available in your dashboard. Click "Open Dashboard" below to get your link.
Your Stats
0
Visitors
0
Leads
0
Conversions
Access your full affiliate dashboard for detailed stats, payouts, and more.
Organizations Require a Business Subscription
Invite team members, share feeds and alert rules across the org, and centralise API keys with custom scopes. Available on Business and MSSP.
Pending Invitations
Join Organization
Your email domain matches an organization that allows auto-join:
Organization
You are not currently a member of any organization. Organizations are managed by ThreatCluster administrators. If you believe you should be part of an organization, please contact your account manager.
Members
Leave Organization
You will lose access to all organization resources.
MSSP Customer Management Requires the MSSP Plan
Manage threat intelligence per managed customer: per-customer scoped feeds, alert routing, digests, and white-labelled reports. Available on the MSSP tier.
Customers
Manage customers you provide CTI services to
Add Customer
mssp_customer_id in API calls):
—
Feed Digest Subscriptions
Send daily digests from your custom feeds to customer recipients, branded with their logo.
New Feed Digest
GPT will analyze all recent clusters and select those matching your prompt.
Looks back 24 hours for matching threats
No feed digests configured. Create one to start sending branded daily digests to your customers.
CLI Access Requires a Researcher Subscription
Researcher, Business, and MSSP tier subscribers get the tc CLI plus REST API access for scripted threat-intel workflows.
CLI
Connectors Require a Business Subscription
Pull asset inventory from Tenable, Defender, CrowdStrike and other connected systems to power per-device exposure management. Available on Business and MSSP tiers.
Connectors Beta
Connect your asset inventory tools and ThreatCluster will overlay live threat intel — CVEs, exploit activity, related clusters and threat-hunting context — across your estate. Direct integrations are coming soon; bulk upload and the public API are available now.
Connectors are organization-scoped
Inventory data belongs to an organization, not an individual account. Create or join an organization first, then return here to connect your tools.
Connectors are part of Researcher
Asset inventory and threat overlay are available on Researcher and above. Start a 7-day free trial to try them. Cancel anytime before day 7, no charge.
Connect a tool
Each connector pulls your asset list and installed-software inventory on a 12-hour schedule. We never run agents on your endpoints — we read what your existing tool already knows.
Tenable.io
Vulnerability management
Pulls assets and installed-software CPEs from your Tenable.io tenant. Best fit for shops already running credentialed scans.
Microsoft Defender for Endpoint
Endpoint protection
Pulls device inventory and software per device from your Defender tenant via Microsoft Graph. Requires Defender for Endpoint Plan 2 or Defender Vulnerability Management.
CrowdStrike Falcon
Endpoint detection & response
Pulls hosts and applications per host from Falcon Discover. Falls back to Hosts + Spotlight Vulnerabilities for tenants without Discover.
Generic Inventory Push
REST API
POST your asset inventory to /api/public/v1/inventory from any source — your CMDB, a custom script, or a CI pipeline. Authenticate with your API key. Full schema in the API docs.
Push asset inventory
Authenticate with your API key from the API Access tab. Maximum 50,000 components per request. Re-pushes upsert by host_id. Required scope: inventory:write.
curl -X POST https://threatcluster.io/api/public/v1/inventory \
  -H "X-API-Key: tc_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "source": "manual",
    "components": [
      {
        "host_id": "laptop-jdoe-01",
        "hostname": "laptop-jdoe-01.corp",
        "os_platform": "Windows",
        "os_version": "11 24H2",
        "vendor": "Microsoft Corporation",
        "product": "Microsoft Office",
        "version": "2019"
      }
    ]
  }'
Threat overlay (GET /api/public/v1/inventory/threats) recomputes within seconds of each push. See the API docs for the full schema.
Bulk upload
Drop a JSON or CSV file to upsert assets and software for the active context. Same shape as the public /api/public/v1/inventory endpoint; see the API docs for the JSON envelope. CSV columns: host_id, hostname, os_platform, os_version, vendor, product, version.
.json / .csv file
Sample formats
{
  "source": "manual",
  "components": [
    {
      "host_id": "laptop-jdoe-01",
      "hostname": "laptop-jdoe-01.corp",
      "os_platform": "Windows",
      "os_version": "11 24H2",
      "vendor": "Microsoft Corporation",
      "product": "Microsoft Office",
      "version": "16.0.18827"
    }
  ]
}

host_id,hostname,os_platform,os_version,vendor,product,version
laptop-jdoe-01,laptop-jdoe-01.corp,Windows,11 24H2,Microsoft Corporation,Microsoft Office,16.0.18827
laptop-jdoe-01,laptop-jdoe-01.corp,Windows,11 24H2,Google LLC,Google Chrome,120.0.6099.71
Recent activity
Connect CrowdStrike Falcon
Create an API client in Falcon (Support → API Clients and Keys → Add New API Client). Required scopes: hosts:read, discover:read (preferred), spotlight-vulnerabilities:read (fallback). The secret is shown once at creation.
We probe both Discover and Spotlight at save time and pick the best available data path. If you only have Spotlight licensed, inventory will be limited to software with detected vulnerabilities.
Connect Microsoft Defender
Create an app registration in Entra (Azure AD), grant the Software.Read.All application permission on WindowsDefenderATP, grant admin consent, then paste the values below.
Required license: Defender for Endpoint Plan 2 or Defender Vulnerability Management. Plan 1 / Defender for Business won't expose the inventory tables.
Connect Tenable.io
Generate API keys in Tenable.io under Settings → My Account → API Keys. Both Access Key and Secret Key are required. The Basic role + asset read permission is enough.
Keys are encrypted at rest.
Danger Zone
Permanently delete your account and all data