ThreatSpan is a local-first SOC investigation workbench built for SOC analysts, incident responders, and home-lab defenders. After a user pastes an IP address, domain, URL, or file hash, it queries 14 reputation, threat intelligence, and infrastructure sources in parallel and presents the evidence in a keyboard-first interface. It is not positioned as endpoint protection or gateway blocking, but rather as a tool for post-alert IOC triage and forensic assistance.
The product emphasizes “no account, no telemetry, no cloud backend.” API keys are encrypted and stored locally under ~/.threatspan/, and data does not leave the machine except when calling the data providers configured by the user. It is launched via npx threatspan@latest, runs locally at 127.0.0.1:3000, and supports Node 14+ as well as Mac, Linux, and Windows. Data sources include VirusTotal, AbuseIPDB, URLhaus, OTX, ThreatFox, MalwareBazaar, Shodan, GreyNoise, urlscan.io, DNS, WHOIS/RDAP, and others. Results are also correlated with CISA KEV, NIST NVD, and MITRE ATT&CK technique tags.
The main content does not disclose any pricing for ThreatSpan itself, nor does it mention a commercial edition, SLA, or payment methods; the page emphasizes that no account is required. Note that some sources, such as VirusTotal, Shodan, and GreyNoise, require users to bring their own API keys, so actual usage costs and quotas depend on third parties. No information is provided about compliance certifications such as SOC 2, ISO 27001, or GDPR.
Its strengths are privacy-friendly design, lightweight deployment, cross-platform support, and aggregation of evidence from multiple sources. It is well suited to fast triage and reduces the need for analysts to switch back and forth between different intelligence websites. The drawbacks are a lack of information about enterprise-grade capabilities: permissions management, auditing, team collaboration, centralized alerting, SIEM/SOAR integrations, and official support are not clearly specified. It also depends on a local Node environment and third-party API keys, which creates some friction for non-technical users.
ThreatSpan is suitable for analysts in small and midsize teams, incident responders, threat hunters, and security enthusiasts. Common use cases include initial IOC screening, C2 infrastructure investigation, and analysis of phishing or ransomware-related leads. The source text does not state how well it works from China, and because its effectiveness depends on multiple overseas intelligence sources, real-world usability may be affected by network connectivity and the availability of third-party APIs. Alternative or complementary tools include VirusTotal, OTX, GreyNoise, Shodan, urlscan.io, MalwareBazaar, and others.
⚠ This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site, threatspan.org.
threatspan.org is an Unknown Security provider. TG4G tracks its product information, an overall rating of 8.0/10, and a China-accessibility rating of "China direct-connect friendly".