If you are a new ThreatSTOP user, the Guided Setup will walk you through a test configuration. Unlike a normal implementation, you will not need to deploy a ThreatSTOP agent on your firewall or DNS server.

Following the Guided setup will take about 15 minutes and you can resume at any step if you are interrupted. If you have a non-production device handy, you can choose to setup the ThreatSTOP integration directly by following the instructions for the device model.

The Guided Setup is available via the main menu (Note: once you have created a regular device or custom policy, the Guided Setup link will be removed but you can still create test devices from the Device page).

After clicking the menu entry, you will be presented with three options:

  • Roaming: Run ThreatSTOP’s DNS protection on your laptop/desktop.
  • Corporate Network: Protect selected machines on your corporate network by deploying a virtual machine from a ThreatSTOP Live ISO (Firewall + DNS Server implementing a ThreatSTOP policy). This will require you to generate or simulate network traffic (using included tools) to the ThreatSTOP VM.
  • Sample Data: Populate your Portal account with sample data. This will allow you to run reports without setting up a test environment or sending network traffic.

Roaming Devices

This option requires a supported laptop or desktop system:

  • Windows: Windows 7 (32bit or 64bit), Windows 8, Windows 8.1 and Windows 10 (64 bit).
  • OS X: Mountain Lion or Later.

Admin privileges are required to install the software.

A typical policy will consume less than 250 MB of RAM.

The test (Trial) version of the Roaming agent differs from the ‘full’ version in two ways:

  • Limited selection of policies (see below).
  • The advanced configuration options are not available. They are not required for a test deployment.

The complete documentation of the Roaming Agent is available here. For the Guided Setup, you will simply need to download and install the software and load the product key provided in the last step of the configuration wizard.

Corporate Network (Live ISO)

This option will provide a link to a Live ISO image which can be booted on common Hypervisors (tested with ESXi, HyperV and VirtualBox). The image requires 1 GB of RAM to boot and filter traffic.

The Live ISO image runs a Linux image preloaded with a DNS Firewall (BIND) and an IPTables firewall. You can send either IP traffic or DNS traffic (or both) to the machine:

  • IP Traffic: change the default gateway of a test client to route IP traffic via Live ISO virtual machine; this is for testing filtering of outbound connections only.
  • DNS Traffic: change the DNS server configuration of a test client to use the Live ISO virtual machine as the DNS server.

Additionally, the Live ISO includes a menu to generate test traffic to IP addresses and DNS FQDNs added to targets built for testing purposes. No traffic is sent to actual malicious IOCs.

As traffic is blocked (real traffic or synthetic traffic), the Live ISO will generate logs, automatically upload them to ThreatSTOP. Reports will become available in the ThreatSTOP portal within a couple of minutes.

The detailed instructions for deploying the Live ISO are available here.

Policy selection

If you select the Roaming or the Corporate Network option, the next step of the Guided Setup will help you select a policy by asking three questions:

  • Whether the policy should block and log traffic to IOCs, or log it only (for reporting).
  • How broad the policy should be, i.e. should it include IOCs from legitimate sites that are currently hosting malicious content.
  • Your industry, to include IOCs specifically targetted at it.

Note that unlike policies defined for full-fledged devices, the policy assigned to a test device is not customizable and cannot contain User-Defined Lists.


After selecting a policy, the Guided Setup will:

  • Provide links to download the Roaming agent or Live ISO image.
  • Provide the keyfile needed to complete the configuration of the agent.
  • Provide instructions to complete the deployment.

The Guided Setup will pause until the ThreatSTOP test device is configured. If you are short on time, you can suspend the deployment process and resume the Guided Setup later by clicking on its menu entry.