Local-first email security

Catches the phishing your gateway waves through.

ThreadScanner re-examines every message on your own machine — re-running the cryptographic authentication math, catching impersonation and lookalike senders, and inspecting the links, documents and QR codes your gateway waves through.

Your gateway is built to clear millions of messages a minute. The mail it lets through is the mail engineered to look clean — that's the mail we re-examine.

The coverage gap

Volume filters clear the easy mail. Attackers design for the rest.

A message can pass every check a gateway trusts and still be exactly the one that costs a finance team a wire transfer. There's no payload to detonate — only a name the recipient trusts and a request that reads as routine.

01

Business email compromise

No malware, no link to scan — just a payment-change request, an urgent tone, and a borrowed identity. Nothing for a volume filter to detonate.

02

Lookalike & forged senders

Newly registered domains, homograph swaps, and display-name spoofing — which can authenticate cleanly against the attacker's own throwaway domain.

03

Authentication trusted blindly

Gateways read the asserted Authentication-Results header and rarely re-run the DKIM math, so replayed and forwarded mail keeps a green check it no longer earns.

04

Payloads hidden in everyday files

QR codes inside images, deep links buried in PDFs, smuggled HTML and macro lures in Office files — intent tucked where the inbox never unpacks it.

Authentication is not trust. A message can be perfectly signed, perfectly aligned — and still be hostile. ThreadScanner weighs the evidence, not the envelope.

How it detects

What it catches — and the evidence behind every verdict.

A deterministic engine weighs independent signals across the complete raw message — from the cryptography of the envelope to the intent of the content — and shows its work on every call.

01

Cryptographic authentication, re-verified

We re-run the DKIM, ARC, SPF and DMARC math against the sender's published keys and policy — not just read the asserted header. Replayed and forwarded mail loses the green check it no longer earns.

02

Authentication ≠ trust

The keystone. A message can be perfectly signed and aligned and still be hostile — so auth credit is withheld from freemail, throwaway, and brand-contradiction senders. Passing authentication against a disposable domain earns no discount.

03

Identity & impersonation

Catches lookalike and homograph senders, executive and vendor impersonation, and attackers who reply into a genuine thread — the names a recipient already trusts.

04

Link & redirect inspection

Unrolls shorteners and nested redirects to the true destination, and flags the structural tricks that disguise where a link really goes.

05

Documents, attachments & QR

Inspects what's hidden inside files and images — PDFs, Office documents, smuggled HTML, and QR codes that move the attack off the page.

06

BEC & social engineering

Weighs payment-change, urgency, and pretext patterns in context — the attacks that carry no link or attachment for a volume filter to detonate.

Security teams can request the full detection brief.

Trust & posture

Built so the sensitive thing never moves.

The most sensitive thing a security tool can ask for is the contents of your inbox. ThreadScanner is architected so it never has to leave the building — and so every action it takes is accountable.

Email never leaves the device

Bodies, attachments, and raw MIME are processed on your machine. The raw body isn't stored by default, and nothing about a message is sent anywhere unless you explicitly opt into a cloud step.

Bring your own AI keys

AI is an optional second opinion, off by default. Run fully local with Ollama, add a cloud reviewer with your own key, or neither — and when cloud AI is enabled it only ever receives a redacted prompt, never the raw email.

Roles, remediation & audit

Role-based access from reporter to org admin, optional read-only mail-flow ingestion with opt-in remediation, and a hash-chained, exportable audit log for your SIEM.

RBAC | Read-only Graph / Gmail | Hash-chained audit | SSO · on roadmap

Signed, notarized & single-tenant

A native desktop app, code-signed and notarized, with signature-verified auto-updates you choose to install. No remote shell, no telemetry pings, no vendor key on your data.

Design partner program

Request access.

We're onboarding a small group of design partners through 2026 — MSP owners, SMB finance and IT leads, and security-aware founders. Tell us about your environment and we'll reach out when your slot opens.

No marketing automation · No list selling · A real conversation

We won’t share your info. No marketing automation, no list selling.