PRIVATE BETA — LIMITED SPOTS

Crush Every Threat
Before It Crushes You

One agent, one marketplace, two layers — CTEM to find and reduce exposures before incidents, and SIEM / EDR / SOC capabilities to detect and respond during them.

Built on the open standards your SOC already speaks: MITRE ATT&CK, D3FEND, Sigma, OCSF, NIST CSF. Today the module store is the clearest place to start — the rest of the loop fills in module by module.

📄 Free guide: Evolving from VM to CTEM →

Get started in one line
$ curl -fsSL https://threatcrush.com/install.sh | sh

Preferred install path

The installer detects whether this machine is a server or desktop, uses your existing package manager when available, and can bootstrap Node.js with mise on bare machines.

Linux servers get the CLI. Linux desktops get CLI + desktop app. Windows is desktop-client only and connects to a ThreatCrush server elsewhere.

Preferred lifecycle commands

threatcrush update
threatcrush remove

Manual npm / pnpm / yarn / bun installs still work, but curl | sh is the recommended default.

Start with the marketplace now. Broader platform rollout continues after the basic install/docs/housekeeping work.

// CAPABILITIES

Everything You Need to Stay Ahead

🔍

Live Attack Detection

Monitors all inbound connections — every port, every protocol. Detects SQLi, XSS, brute force, SSH attacks, port scans, DNS tunneling, and more in real-time.

🛡️

Code Security Scanner

Scan your codebase for vulnerabilities, hardcoded secrets, and misconfigurations. Find problems before attackers do.

💥

Pentest Engine

Automated penetration testing on your URLs and APIs. Discovers attack vectors and rates their severity.

🔀

Network Monitor

Watches all TCP/UDP traffic across every port — HTTP, SSH, DNS, FTP, database connections. See exactly what's hitting your server and flag anomalies.

🔔

Real-time Alerts

Email, SMS, Slack, Discord, and webhook notifications the instant a threat is detected. Push alerts to your phone. Never miss an attack.

💢

Active Defense — Strike Back

Don't just detect — retaliate. Tar pits waste attacker resources, honeypots trap and fingerprint them, deception feeds them fake credentials, and auto-reports get their servers shut down. They attack you, you make them regret it.

⚙️

systemd Daemon

Runs as a background service on your server. Auto-starts on boot, monitors 24/7, zero maintenance.

// THE CTEM LOOP

Built for Continuous Threat Exposure Management

CTEM is a five-stage loop — scope, discover, prioritize, validate, mobilize — that replaces the periodic-scan-and-ticket cycle. Most teams need nine tools to run it. ThreatCrush gives you one agent and a marketplace of modules instead.

01

Scope

Protect business outcomes — not tool inventories.

02

Discover

Network monitor on every port, code scanner, pentest engine, plus marketplace ASM.

03

Prioritize

Exploitability × reachability × blast radius — beyond raw CVSS.

04

Validate

Re-run the exploit. Re-test the control. Don’t trust dashboards.

05

Mobilize

Real-time alerts, automated active defense, API for SOAR/ticketing.

// THE DETECT-AND-RESPOND LAYER

CTEM finds the gaps. SIEM, EDR, and SOC catch what slips through.

CTEM is preventive — it reduces exposures before incidents. SIEM, EDR, and SOC are reactive — they detect and respond when attackers act. ThreatCrush ships capabilities for both layers from the same agent.

SIEM

Central log brain

Inbound monitoring on every port and protocol. Correlates suspicious patterns — failed logins, traffic to known-bad domains, lateral movement signatures.

  • All-port network monitor
  • Event correlation modules
  • OCSF / ECS-shaped events

EDR

Per-host security camera + kill switch

The systemd daemon watches processes, files, and network connections on each server. Active-defense modules can kill, isolate, tar-pit, or rotate credentials in real time.

  • On-host daemon agent
  • Active defense (tar pits, deception, kill)
  • ATT&CK-tagged detections

SOC

Alerts and playbooks operators read

Real-time alerts to email, SMS, Slack, Discord, and webhooks. Playbooks reference D3FEND defensive techniques. API surface for SOAR / ticketing integrations.

  • Multi-channel alerting
  • D3FEND-mapped runbooks
  • SOAR / ticketing webhooks

Plays nicely with what you already have. ThreatCrush coexists with enterprise SIEM (Splunk, Sentinel, Elastic), EDR (CrowdStrike, SentinelOne, Defender), and SOAR — feeding telemetry up and pulling exposure context down.

// BUILT ON OPEN STANDARDS

Speaks the language your SOC already uses

Every detection, every action, every event carries a stable identifier from a public taxonomy. Your team reads T1003.001 — LSASS Memory, not Module 47 alert.

// FREE GUIDE

Get the operator's playbook — CTEM, SIEM/EDR/SOC, and the standards that tie them together

14-page PDF · the 5 CTEM stages · how it maps to ATT&CK, D3FEND, Sigma, OCSF · a 90-day implementation plan.

Download the guide →

// SETUP

Three Commands to Full Protection

📦
01

Install

curl -fsSL https://threatcrush.com/install.sh | sh

Detects server vs desktop, can bootstrap with mise, then installs the right bundle cleanly

⚙️
02

Configure

threatcrush init

Auto-detects all services — web, SSH, DNS, databases

🚀
03

Monitor

threatcrush monitor

Real-time protection, runs as a daemon

// PREVIEW

See It in Action

Real-time security monitoring across every platform.

⚡ CLI

▣ TUI Dashboard

🖥️ Desktop App

📱 Mobile App

// DOWNLOAD

Available Everywhere

Monitor your servers from anywhere — terminal, desktop, or on the go.

CLI

Linux servers · desktop clients

The core agent. Linux servers run the real monitoring/daemon stack. Desktop installs are for operating and interfacing with a ThreatCrush server.

$ curl -fsSL https://threatcrush.com/install.sh | sh

🖥️

Desktop

macOS · Windows · Linux

Full dashboard with real-time event stream, module management, and threat analytics. E2E encrypted connection to your daemon.

🍎 macOS · 🪟 Windows · 🐧 Linux

Public beta · Download →

📱

Mobile

iOS · Android

Get instant push alerts when threats are detected. Monitor dashboards, manage modules, and check server status from anywhere.

🍎 App Store · 🤖 Google Play

In development · Join mobile beta →

🌐

Browser Extension

Chrome · Firefox · Edge

Scan any website from your browser. Get real-time alerts, check security headers, and monitor your servers without leaving the tab.

🔵 Chrome · 🦊 Firefox · 🧭 Safari (soon)

🔒 All apps connect via end-to-end encryption — your vulnerability data never touches our servers unencrypted.

// PRICING

One Price. Forever.

CONTACT FOR PRICING

Talk to Sales

Full platform: CLI, daemon, scanner, pentest engine, API. Tell us about your environment and we'll send you a quote.

AI-enhanced modules billed on usage — pay only for what you use

  • Live attack detection & blocking
  • Code vulnerability scanner
  • Automated pentest engine
  • Network monitor — all ports, all protocols
  • Real-time email + SMS alerts
  • Webhook support for custom integrations
  • Active defense — tar pits, honeypots, deception
  • systemd daemon — runs 24/7
  • Full CLI, desktop & mobile apps
  • All core modules + future updates
  • Priority support

Contact Us for Pricing

Quotes typically returned within 1 business day.

🏢

Enterprise

Custom modules, SLA, dedicated support, on-prem hardware appliances, volume licensing.

📅 Schedule a Call

🏳️

Government & Defense

FedRAMP-ready, air-gapped deployment, FIPS 140-2, ITAR compliant, GSA Schedule compatible.

📅 Schedule a Call

// FAQ

Questions? Answers.

Ready to Crush Threats?

Join the waitlist now. Your server deserves real-time protection. Early waitlist locks our lowest launch pricing.