Get started

ClearScreen

Endpoint web blocks
without the black box.

Blocks risky domains locally, shows the reason on device, and logs it for admin review.

Get started Book a demo

ISO 27001 · DORA · GDPR

no tls decrypt · doh

Capabilities

Signed feeds, local enforcement, visible reasons

Capabilities

The policy loop is visible from device to admin.

  • Category policies

    Block UT1 content categories per policy group — adult, gambling, malware, AI chat tools, and more.

  • Allow and block lists

    Tenant-wide allowlists override category blocks; blocklists add domains on top of threat feeds.

  • Threat indicator feeds

    URLhaus, OpenPhish, and PhishTank domains ship in an ed25519-signed bundle refreshed every 15 minutes.

  • Local block page

    Blocked DNS queries sinkhole to 127.0.0.1 with the domain, category, source feed, and policy group on screen.

  • False-positive review

    Users submit a review request from the block page; admins decide with the original policy reason attached.

  • Device reporting

    Every block writes a JSONL audit record on the endpoint and posts to the admin block feed in managed mode.

In the product

The admin console, as shipped.

Real product screens — dashboard, policy, reviews, devices, audit, and sign-in.

ClearScreen dashboard
ClearScreen policy screen
ClearScreen reviews screen
ClearScreen devices screen
ClearScreen audit screen
ClearScreen sign-in screen

Dashboard — devices, blocks, and open reviews

How it works.

  1. Deploy the agent

    Install on Windows, Linux, or macOS. The agent binds 127.0.0.1:53 and sets system DNS so every app gets the same verdict.

  2. Set policy per group

    Choose blocked UT1 categories, add tenant allowlists and blocklists, and assign policy groups from the admin console.

  3. Review on device and in admin

    Blocked domains show a branded block page with the reason. False-positive reports land in the admin queue with device context.

Pricing.

Team at €149/month for up to 100 endpoints. Business from €499/month for larger fleets. Every plan starts with a 90-day trial — no credit card.

Team

€149 per month

Starts with a 90-day trial — no credit card.

Devices
25
Policies
1
DNS decisions
1M / mo
Log retention
30 days
  • Central management plane for up to 100 endpoints
  • Policy, live block reporting, audit export, and managed enrollment
Start the 90-day trial

Business

from €499 per month

Starts with a 90-day trial — no credit card.

Devices
250
Policies
5
DNS decisions
10M / mo
Log retention
1 year
  • Unlimited endpoints, Intune deployment, and Entra SSO
  • Custom categories, SLA, and compliance-grade audit exports
Book a demo

Questions.

  • Where is tenant data stored?

    Policy, block events, and enrollment records live in your Spot Suite Customer Environment on Cloudflare Workers and D1. Threat indicator bundles are signed at the edge and pulled by agents — no third-party DNS proxy in the path.

  • Does ClearScreen support SSO?

    Yes. Admin sign-in uses Microsoft Entra ID through Spot Suite OIDC at spot-cloud.spot-suite.com. Device agents authenticate with per-device enrollment credentials, not user passwords.

  • Do you decrypt TLS traffic?

    No. ClearScreen enforces at DNS only. Blocked domains resolve to a local sinkhole and show a block page — there is no TLS inspection, PAC file, or network gateway in the policy path.

  • How does the 90-day trial work?

    Sign up without a credit card and run managed mode for up to 100 endpoints. Category policy, block reporting, and audit export are included. Convert to Team when you are ready.

Start with one policy group.

Deploy the agent to a pilot fleet, set UT1 categories, and review blocks on device before a wider rollout.

Get started Book a demo