Local-first email security

Catches the phishing your gateway waves through.

ThreadScanner re-examines every message on your own machine — re-running the cryptographic authentication math, catching impersonation and lookalike senders, and inspecting the links, documents and QR codes your gateway waves through.

Your gateway is built to clear millions of messages a minute. The mail it lets through is the mail engineered to look clean — that's the mail we re-examine.

The coverage gap

Volume filters clear the easy mail. Attackers design for the rest.

A message can pass every check a gateway trusts and still be exactly the one that costs a finance team a wire transfer. There's no payload to detonate — only a name the recipient trusts and a request that reads as routine.

01

Business email compromise

No malware, no link to scan — just a payment-change request, an urgent tone, and a borrowed identity. Nothing for a volume filter to detonate.

02

Lookalike & forged senders

Newly registered domains, homograph swaps, and display-name spoofing — which can authenticate cleanly against the attacker's own throwaway domain.

03

Authentication trusted blindly

Gateways read the asserted Authentication-Results header and rarely re-run the DKIM math, so replayed and forwarded mail keeps a green check it no longer earns.

04

Payloads hidden in everyday files

QR codes inside images, deep links buried in PDFs, smuggled HTML and macro lures in Office files — intent tucked where the inbox never unpacks it.

Authentication is not trust. A message can be perfectly signed, perfectly aligned — and still be hostile. ThreadScanner weighs the evidence, not the envelope.

How it detects

What it catches — and the evidence behind every verdict.

A deterministic engine weighs independent signals across the complete raw message — from the cryptography of the envelope to the intent of the content — and shows its work on every call.

01

Cryptographic authentication, re-verified

We re-run the DKIM, ARC, SPF and DMARC math against the sender's published keys and policy — not just read the asserted header. Replayed and forwarded mail loses the green check it no longer earns.

02

Authentication ≠ trust

The keystone. A message can be perfectly signed and aligned and still be hostile — so auth credit is withheld from freemail, throwaway, and brand-contradiction senders. Passing authentication against a disposable domain earns no discount.

03

Identity & impersonation

Catches lookalike and homograph senders, executive and vendor impersonation, and attackers who reply into a genuine thread — the names a recipient already trusts.

04

Link & redirect inspection

Unrolls shorteners and nested redirects to the true destination, and flags the structural tricks that disguise where a link really goes.

05

Documents, attachments & QR

Inspects what's hidden inside files and images — PDFs, Office documents, smuggled HTML, and QR codes that move the attack off the page.

06

BEC & social engineering

Weighs payment-change, urgency, and pretext patterns in context — the attacks that carry no link or attachment for a volume filter to detonate.

Security teams can request the full detection brief.

Trust & posture

Built so the sensitive thing never moves.

The most sensitive thing a security tool can ask for is the contents of your inbox. ThreadScanner is architected so it never has to leave the building — and so every action it takes is accountable.

Email never leaves the device

Bodies, attachments, and raw MIME are processed on your machine. The raw body isn't stored by default, and nothing about a message is sent anywhere unless you explicitly opt into a cloud step.

Bring your own AI keys

AI is an optional second opinion, off by default. Run fully local with Ollama, add a cloud reviewer with your own key, or neither — and when cloud AI is enabled it only ever receives a redacted prompt, never the raw email.

Roles, ingestion & audit

Role-based access from reporter to org admin, optional read-only mail-flow ingestion (with remediation actions rolling out), and a hash-chained, exportable audit log for your SIEM.

RBACRead-only Graph / GmailHash-chained auditSSO (OIDC)Remediation · rolling out

Native, single-tenant & accountable

A native desktop app with a signature-verified update channel you choose to install. No remote shell, no telemetry pings, no vendor key on your data. Developer ID code-signing and Apple notarization are being finalized ahead of general availability.

For platforms & OEMs

Embed the engine in your product.

The same deterministic detection engine ships as an embeddable SDK and a self-hostable service — so security vendors, MSSPs, and platforms can add explainable, on-device email-threat detection without a single message leaving the customer’s environment.

Drop-in SDK

A dependency-free TypeScript engine with a stable analyzeEmail contract and bring-your-own backends for DNS, OCR, and reputation. Runs in Node or the browser.

Self-host the service

A stateless, Dockerized HTTP API (POST /v1/analyze) with Bearer auth, Prometheus metrics, and Kubernetes / Helm / Terraform deploy artifacts. No database required.

On-device & zero-egress

Analysis runs in your process or on your infrastructure. Message content never leaves the environment — a direct answer to data-residency and regulated-industry requirements.

Explainable, not a black box

Every verdict is a set of typed, scored findings — evidence you can show a customer, an auditor, or an EU AI Act reviewer. Signed content packs refresh detection without shipping a new build.

Platform & OEM teams can request the OEM brief & a pilot.

Design partner program

Request access.

We're onboarding a small group of design partners through 2026 — MSP owners, SMB finance and IT leads, and security-aware founders. Tell us about your environment and we'll reach out when your slot opens.

No marketing automation · No list selling · A real conversation

We won’t share your info. No marketing automation, no list selling.