Private beta · design partnerships

Detect what your email gateway misses.

Local-first phishing detection that complements Proofpoint, Mimecast and Microsoft 365 — with deep document analysis, real DKIM crypto verify, and MFA-bypass kit fingerprints.

Join the waitlist Book a demo

ThreadScanner

Deep analysis

accounts@m1cr0soft-365.com 2:14 PM

[Action required] Verify your MFA before access is revoked

Dangerous · phishing SCORE 87 / 100

DKIM signature failed verification (replay) DKIM
MFA-bypass kit signature: Tycoon 2FA KIT
Sender domain registered 2 days ago RDAP
Display-name spoof of “Microsoft 365” SPOOF

Why ThreadScanner

Four things no commercial gateway does well.

Gateways are tuned for volume. They strip URLs, parse headers, and sandbox attachments — but they miss the modern attacks: adversary-in-the-middle phishing kits, vendor email compromise, and exotic document payloads. ThreadScanner is built for the residue.

Local-first

100% on-device analysis option. BYO AI keys (OpenAI, Anthropic, Azure, Bedrock, Ollama). No cloud egress required — ever.

MFA-bypass kit fingerprints

Ten kit families covered — signature plus behavioural detection for the AiTM kits commercial gateways still wave through.

Real DKIM crypto verify

Not just header parsing. Full RSA/Ed25519 signature verification against DNS-resolved public keys — including replayed-DKIM edge cases.

Deep document analysis

PDF JS/URLs/OLE extraction, OOXML macro detection, HTML smuggling, ICS calendar phishing, and QR code decoding — all inline.

Capabilities

Built for the analyst who has to be right.

Every detection is auditable. Every signal is explainable. Nothing is a black box — because the source you can't audit isn't security software.

Detection

MFA-bypass kit fingerprints

Adversary-in-the-middle kits steal session tokens after the user completes 2FA, which means every signal that commercial gateways rely on still says “legitimate”. ThreadScanner ships signature and behavioural detection for ten of the kits running today, plus heuristics for the long tail.

Tycoon 2FA Mamba 2FA Caffeine Greatness Robin Banks NakedPages EvilGinx EvilProxy Modlishka 16Shop

Architecture

Local-first by design

Analysis runs on-device by default. Bring-your-own AI keys when you want a second opinion. Your data never leaves your machine unless you say so.

Crypto

Real DKIM crypto verify

Full RSA/Ed25519 signature verification against DNS-resolved public keys. We catch the replays the header-parser-only gateways miss.

Trust

Source you can audit

The detection logic is plain code, not a black box. Security software you can't read isn't security software.

Integrations

Sandbox provider routing

BYO API keys for ANY.RUN, Joe Sandbox, and Hatching Triage. Route selectively by file type, sender, or tenant policy.

Response

SOAR + Defender admin actions

Signed webhooks, idempotent dispatch, and Microsoft Graph admin actions — search-and-quarantine, block sender, purge from inbox. Business+ tiers.

How it works

From install to verdict in minutes.

Designed for security engineers and IT generalists alike. The scanner is local; the integrations are progressive — wire up only what you need.

Install on macOS

Native desktop app for macOS — Windows and Linux are next. Developer ID signing is being finalized; notarized builds ship with private beta.

Paste, drop, or pipe

Paste a suspect email, drop a .eml file, or wire your reporting mailbox via IMAP or Microsoft Graph. Bulk mode handles thousands of messages.

Verdict + evidence

An explainable verdict, a redacted evidence package safe to share with vendors, and an optional auto-reply to the reporter with simulation tagging.

Pricing

Honest tiers. No usage meters.

Built for the way analysts actually work. Bring your own AI keys at every tier — you pay for the product, not the inference.

Individual

$19 / mo

Billed monthly

Desktop scanner (macOS)
Bring your own AI keys
Full local analysis
Bulk mode & scan history

Join waitlist

Team

$7 / seat/mo

Billed monthly

Everything in Individual
Reporting mailbox pipeline
Auto-replies, 5 templates
Team dashboard

Join waitlist

Business

$12 / seat/mo

Billed monthly

Everything in Team
Microsoft Graph admin actions
Phishing simulations
Custom branding

Join waitlist

Enterprise

Custom

Talk to sales

Defender SOAR integration
On-prem / air-gapped mode
SSO, audit log, MSA
Dedicated support

Talk to sales

Self-serve checkout opens Q3 2026. Until then, design partners get private-beta pricing.

Private beta

Join the waitlist.

We're onboarding a small cohort of design partners through Q3 2026. Tell us a little about your environment and we'll reach out when your slot opens.

We won't share your info. No marketing automation, no list selling.