Check anything suspicious, in one place.
ClearThreat tells you whether a file, link, domain or IP address is dangerous. You submit it once; we run it past dozens of security engines, analyse the file ourselves, and detonate it in a sandbox to watch what it does. The findings come back as a single report that is detailed enough for an analyst and clear enough for someone checking an attachment for the first time.
Checking one thing should not take ten tools.
Looking into something suspicious has usually meant pasting the same hash or URL into several different sites and piecing the answers together yourself. ClearThreat does that work for you. A single submission goes out to every source we support, the responses are put into one consistent format, and the things that matter are shown first.
It is meant to be useful in both directions: quick enough to settle a small doubt before you open a file, and thorough enough to lean on when you are actually working an incident.
Answers in seconds
Results are cached and requested in parallel, so a full report comes back quickly instead of after a long wait.
No single point of trust
One engine is never the final word. We combine many independent sources with our own analysis before showing a verdict.
Careful with your data
We keep only what is needed to analyse a submission. Passwords are hashed, sessions are signed, and connections are encrypted.
Five tabs, in plain English
Every report is laid out the same way, so you always know where to look.
Detection
Over seventy antivirus engines and reputation services give their verdict on the same item, side by side, along with our own static engine. You see who flagged it, what they called it, and who considers it safe, without trusting any single vendor.
Details
The full technical fingerprint of a file: every hash, its real type, the structure of the executable, the libraries and functions it imports, embedded resources, and any code-signing certificate. This is the information you use to identify a sample and tie it to others.
Behavior
What the file actually does when it runs, captured in an isolated sandbox: the processes it starts, the files and registry keys it changes, the servers it talks to, and how each action maps to a known attacker technique.
Relations
The infrastructure an item is connected to. The domains a file reaches out to, the addresses a domain resolves to, the files dropped along the way. Following these links is how one indicator turns into the full scope of an incident.
Community
Context that automation cannot provide. Anyone can read what other people have noted about an indicator; a free account lets you add what you have seen.
The terms, explained
Reports use precise language. Here is what the most common terms actually mean.
Hash (MD5 / SHA-1 / SHA-256)
A short fingerprint calculated from a file's contents. Two files with the same hash are identical, which makes it the quickest way to recognise something you have seen before.
SSDEEP / TLSH
Fuzzy hashes. Unlike a normal hash these stay similar when a file changes slightly, so they help you spot variants of the same malware family.
Imphash
A fingerprint of the libraries and functions a Windows program imports. Programs built with the same toolkit often share one.
Entropy
A measure of randomness from 0 to 8. Unusually high entropy often means the data is compressed or encrypted, which is a common way to hide code.
PE sections
The parts of a Windows program (code, data, resources). Their names, sizes and entropy help reveal packing or tampering.
MITRE ATT&CK
A widely used catalogue of attacker techniques. Mapping behaviour to it describes, in plain terms, what a sample is trying to achieve.
JARM
A fingerprint of how a server negotiates encrypted connections. Servers set up the same way share a JARM, which helps group related infrastructure.
Passive DNS
A historical record of which domains pointed to which addresses over time, useful for finding connected infrastructure.
Reputation score
A community trust signal. Negative values mean the item has been reported as harmful by others.
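To make the Entropy and PE sections entries above concrete, here is an added example (not ClearThreat's own code) that computes Shannon entropy in bits per byte for each region of a buffer and flags the high ones. The section names, the sample bytes and the 7.2 threshold are assumptions constructed for illustration; the sample is not a real PE file.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return sum((c / n) * math.log2(n / c) for c in Counter(data).values())

def score_sections(blob: bytes, sections: dict, threshold: float = 7.2) -> dict:
    """Return {name: (entropy, flagged)} for each (offset, size) entry.

    threshold is an assumed cut-off for this example, not a ClearThreat setting.
    """
    report = {}
    for name, (offset, size) in sections.items():
        h = shannon_entropy(blob[offset:offset + size])
        report[name] = (round(h, 2), h >= threshold)
    return report

def build_sample():
    """Constructed stand-in for a packed executable (not a real PE file)."""
    code = b"push ebp; mov ebp, esp; sub esp, 0x40; call init; ret; " * 75
    data = bytes(4096)  # zero-filled, like uninitialised data
    # Deterministic hash output stands in for an encrypted or compressed payload.
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    blob, sections, offset = b"", {}, 0
    for name, body in ((".text", code), (".data", data), (".packed", packed)):
        sections[name] = (offset, len(body))
        blob += body
        offset += len(body)
    return blob, sections

if __name__ == "__main__":
    blob, sections = build_sample()
    for name, (h, flagged) in score_sections(blob, sections).items():
        print(f"{name:8} entropy={h:4.2f} {'HIGH' if flagged else 'ok'}")
```

High entropy alone is a hint rather than a verdict: legitimately compressed resources such as images or archives score just as high, so read it together with section names and sizes.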
Free to use, and meant to stay that way.
There are no paywalls and we do not sell your data. The running costs are covered by people who find it useful. If that is you, you are welcome to help.