Digital Forensics and Incident Response License Packs

Improve your services with a license pack that fits your needs

DFIR in Focus

The license packs are designed to cover the typical Digital Forensics and Incident Response needs. Each license unlocks our enormous signature database that can be used with THOR (Win) or SPARK (Linux, OSX).



After a purchase, you can issue a license precisely when it is needed using our new customer portal. The validity period of each license begins at the issue date.

Free Extras

Most license packs include several short-term trial licenses for you and your customer, access to additional tools such as “THOR-Remote”, the “APT Simulator”, documentation and cheat sheets.

The Incident Response License Pack is meant for urgent cases in which a quick and flexible solution is crucial for the success of your operations.

The unrestricted license gives you the necessary flexibility to act quickly without knowing the hostnames of the systems to be analyzed.

The five host based licenses are meant for you and your team or the customer’s administrators to do some testing before you issue the license that runs for 30 days counting from the day of the creation.

The Compromise Assessment License Pack is meant for planned short-term assessments in which a flexible solution saves you a lot of time.

Therefore, the package also includes an unrestricted license that gives you the necessary flexibility to act without knowing the hostnames of the systems to be analyzed.

This package also includes five host based licenses that are meant for testing purposes.

The SOC Toolkit License Pack boosts the effectivity of your Security Operation Center by providing an additional check that fits perfectly in every host-related playbook.

Scans with our products cover all the cases which do not provide enough evidence to shut off the system and take a forensic image and at the same time are too suspicious to just check them off.

With the purchase of this pack, you’ll receive 250 licenses with a validity of 1 day that can be issued in the customer portal precisely when you need them.

The Forensic Engagement license is meant for short-term on-site operations.
The single host based license allows a single forensic workstation to scan as many mounted images as needed, even simultaneously.

The short-term and host restriction allows us to offer a full-featured scanner solution at an attractive price.

The Forensic Lab license is perfect for a forensic workstation that processes many images over the course of a year.

It works only on the workstation for which it was issued and allows you to process as many mounted images as needed, also simultaneously.

Customers also use it to run THOR in “dropzone” mode, in which THOR monitors an input directory for new contents, scans them and reports suspicious or malicious files.


An “unrestricted” license is an “Enterprise” license type that runs on any system with the full signature set and does not apply any hostname restrictions.

Host based Endpoint

Host based licenses can be generated in the customer portal. Each host based license will only work on the host for which it was generated.


We grant attractive discounts on the purchase of 10 or more packs.

Possible Upgrades

Analysis Cockpit

THOR’s log files can be reviewed manually or in professional log analysis platforms such as ELK or Splunk (see the free App and Add-on).
However, the best way to filter, group, evaluate, and track THOR’s findings is our ASGARD Analysis Cockpit. (see our products section for details)

Professional Analysis Support

Our incident response professionals and security analysists have processed the reports of thousands of systems over the last few years. If you want us to help you with the analysis, add one or more days of support to your request.