Google Threat Intelligence MCP Server

Add it to Claude Code

Run this in a terminal (the ${VT_APIKEY} is expanded by your shell, so export the key first):

claude mcp add -e "VT_APIKEY=${VT_APIKEY}" google-threat-intelligence -- npx -y @google-sandy/gti-mcp-standalone

Required: VT_APIKEY (plus one optional variable, MCP_AUTH_TOKEN, used only for cloud deployment)

README.md

Access Google's Threat Intelligence suite for file analysis and IOC searches.

Google Threat Intelligence MCP Server (Standalone)

This is a standalone MCP (Model Context Protocol) server for interacting with Google's Threat Intelligence suite. It provides AI assistants like Claude with access to comprehensive threat intelligence capabilities through both local development and production cloud deployment modes.


Key Capabilities:

  • 🔍 Threat intelligence search (campaigns, threat actors, malware families)
  • 📁 File analysis and behavior reports
  • 🌐 Domain, IP, and URL reputation checking
  • 🎯 IOC (Indicator of Compromise) search
  • 📊 Threat profiles and hunting rulesets


Architecture

Understanding how GTI MCP Server works in different deployment modes:

Component Overview

graph TB
    subgraph "MCP Clients"
        A1[Claude Desktop]
        A2[Cline]
        A3[Cursor]
        A4[Custom Frontend]
    end

    subgraph "Transport Layer"
        B1[stdio - Local]
        B2[SSE/HTTP - Remote]
    end

    subgraph "GTI MCP Server"
        C1[MCP Tools]
        C2[VT API Client]
    end

    D[VirusTotal/GTI API]

    A1 --> B1
    A2 --> B1
    A3 --> B1
    A4 --> B2

    B1 --> C1
    B2 --> C1

    C1 --> C2
    C2 --> D

    style C1 fill:#e1f5ff
    style C2 fill:#e1f5ff

Local Deployment Flow

For individual developers running the MCP server locally:

sequenceDiagram
    participant Client as MCP Client
    participant Server as GTI MCP Server
    participant Env as Environment
    participant VT as VirusTotal API

    Client->>Server: Launch via stdio
    Server->>Env: Read VT_APIKEY
    Env-->>Server: API Key
    Client->>Server: Call tool (e.g., get_file_report)
    Server->>VT: API Request with VT_APIKEY
    VT-->>Server: Response
    Server-->>Client: Tool Result

API Key Management: the server reads VT_APIKEY from its environment at startup and uses that single key for every VirusTotal request; the client never sends a key in this mode.

Cloud Deployment Flow

For teams deploying a centralized service:

sequenceDiagram
    participant Frontend as Frontend Client
    participant CloudRun as Cloud Run (SSE)
    participant Auth as Auth Middleware
    participant Server as GTI MCP Server
    participant VT as VirusTotal API

    Frontend->>CloudRun: Connect to /sse endpoint
    CloudRun->>Auth: Validate X-Mcp-Authorization header
    Auth-->>CloudRun: Authorized
    CloudRun-->>Frontend: SSE Connection Established

    Frontend->>CloudRun: Call tool with api_key parameter
    CloudRun->>Server: Execute tool
    Server->>VT: API Request with client-provided api_key
    VT-->>Server: Response
    Server-->>CloudRun: Tool Result
    CloudRun-->>Frontend: SSE Event with Result

API Key Management: clients pass an api_key parameter with each tool call. The server authenticates the connection against MCP_AUTH_TOKEN (presented in the X-Mcp-Authorization header) but makes its VirusTotal requests with the client-provided api_key.

Security Note: This architecture lets a team run one shared MCP server while each user keeps their own GTI API quota and access rights. MCP_AUTH_TOKEN only gates who may reach the endpoint; what a given call may read is still decided by VirusTotal for the api_key that user supplied, so the token should be treated as a shared secret and the api_key must never be logged.

Features

Collections (Threats)

  • get_collection_report(id): Retrieves a specific collection report by its ID (e.g., report--<hash>, threat-actor--<hash>).
  • get_entities_related_to_a_collection(id, relationship_name, limit=10): Gets related entities (domains, files, IPs, URLs, other collections) for a given collection ID.
  • get_collection_timeline_events(id): Retrieves curated timeline events for a collection.
  • get_collection_rules(id): Gets detection rules (YARA and Sigma) associated with a collection.
  • get_collection_feature_matches(id): Retrieves feature matches for a collection.
  • get_collection_mitre_tree(id): Gets the MITRE ATT&CK framework tree for a collection.
  • get_collections_commonalities(ids): Finds commonalities between multiple collections.
  • create_collection(name, description): Creates a new threat collection.
  • update_collection_attributes(id, attributes): Updates metadata and attributes for a collection.
  • update_iocs_in_collection(id, iocs): Updates indicators of compromise in a collection.
  • search_threats(query, limit=5, order_by="relevance-"): Performs a general search for threats (collections) using GTI query syntax.
  • search_campaigns(query, limit=10, order_by="relevance-"): Searches specifically for collections of type campaign.
  • search_threat_actors(query, limit=10, order_by="relevance-"): Searches specifically for collections of type threat-actor.
  • search_malware_families(query, limit=10, order_by="relevance-"): Searches specifically for collections of type malware-family.
  • search_software_toolkits(query, limit=10, order_by="relevance-"): Searches specifically for collections of type software-toolkit.
  • search_threat_reports(query, limit=10, order_by="relevance-"): Searches specifically for collections of type `

Tools (5)

  • get_collection_report: Retrieves a specific collection report by its ID.
  • get_entities_related_to_a_collection: Gets related entities for a given collection ID.
  • search_threats: Performs a general search for threats using GTI query syntax.
  • search_threat_actors: Searches specifically for collections of type threat-actor.
  • search_malware_families: Searches specifically for collections of type malware-family.
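What an MCP client actually sends for the five tools listed above, as an added example that is not the project's or the MCP SDK's code: a small request builder that validates the collection ID format (report--<hash>, threat-actor--<hash>, as the Features section shows), fills in the documented defaults for limit and order_by, and adds the api_key tool parameter only in cloud mode. Tool and parameter names are from the page; the accepted collection-type list, the hash character set, the limit upper bound and the function names are assumptions of this example.

```javascript
// Added example, not code from the gti-mcp-standalone package.

// Collection types seen in the Features section; treating them as the full set is an assumption.
const COLLECTION_TYPES = ["report", "threat-actor", "malware-family", "campaign", "software-toolkit"];
// <type>--<hash>; the alphanumeric hash charset is an assumption.
const COLLECTION_ID = /^([a-z-]+)--([A-Za-z0-9]+)$/;

function parseCollectionId(id) {
  const m = typeof id === "string" ? id.match(COLLECTION_ID) : null;
  if (!m || !COLLECTION_TYPES.includes(m[1])) return null;
  return { type: m[1], hash: m[2] };
}

// Required parameters and documented defaults for the five listed tools.
const TOOLS = {
  get_collection_report: { required: ["id"], defaults: {} },
  get_entities_related_to_a_collection: { required: ["id", "relationship_name"], defaults: { limit: 10 } },
  search_threats: { required: ["query"], defaults: { limit: 5, order_by: "relevance-" } },
  search_threat_actors: { required: ["query"], defaults: { limit: 10, order_by: "relevance-" } },
  search_malware_families: { required: ["query"], defaults: { limit: 10, order_by: "relevance-" } },
};

const MAX_LIMIT = 100; // assumed ceiling; keeps an LLM-chosen limit from burning quota
let nextRequestId = 1;

// Build the JSON-RPC 2.0 "tools/call" request for one MCP tool invocation.
// opts.mode is "local" (stdio, server holds VT_APIKEY) or "cloud" (SSE,
// per-user key travels as the api_key parameter).
function buildToolCall(name, args, opts = {}) {
  const spec = TOOLS[name];
  if (!spec) throw new Error(`unknown tool: ${name}`);
  for (const k of spec.required) {
    if (args[k] === undefined || args[k] === "") throw new Error(`${name}: missing required parameter ${k}`);
  }
  if (args.id !== undefined && parseCollectionId(args.id) === null) {
    throw new Error(`${name}: malformed collection id "${args.id}"`);
  }
  const merged = { ...spec.defaults, ...args };
  if ("limit" in merged && (!Number.isInteger(merged.limit) || merged.limit < 1 || merged.limit > MAX_LIMIT)) {
    throw new Error(`${name}: limit must be an integer between 1 and ${MAX_LIMIT}`);
  }
  if (opts.mode === "cloud") {
    if (!opts.apiKey) throw new Error("cloud mode requires a per-user api key");
    merged.api_key = opts.apiKey;
  } else if (merged.api_key !== undefined) {
    // In stdio mode the server reads VT_APIKEY itself; a key here would leak into
    // the transcript for no benefit.
    throw new Error("api_key is only a tool parameter in cloud mode");
  }
  return { jsonrpc: "2.0", id: nextRequestId++, method: "tools/call", params: { name, arguments: merged } };
}

// Constructed sample calls (IDs are placeholders, not real GTI collection IDs).
console.log(JSON.stringify(buildToolCall("get_collection_report", { id: "threat-actor--7a4bexample" })));
console.log(JSON.stringify(buildToolCall("search_threats", { query: "ransomware" }, { mode: "cloud", apiKey: "analyst-key" })));
```

Validating the ID shape client-side costs nothing and stops a hallucinated identifier from the assistant turning into a wasted API call against the user's quota.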

Environment Variables

  • VT_APIKEY (required): API key for VirusTotal/GTI access
  • MCP_AUTH_TOKEN (optional): Authentication token for cloud deployment

Configuration

claude_desktop_config.json

{
  "mcpServers": {
    "gti": {
      "command": "npx",
      "args": ["-y", "@google-sandy/gti-mcp-standalone"],
      "env": {
        "VT_APIKEY": "YOUR_API_KEY"
      }
    }
  }
}

Try it

Search for recent threat actor activity related to ransomware.
Get a detailed report for the malware family with ID report--12345.
Find all domains and IPs related to the threat actor identified as APT29.
Retrieve the MITRE ATT&CK framework tree for the latest campaign report.

Frequently Asked Questions

What are the key features of Google Threat Intelligence?

Threat intelligence search for campaigns, threat actors, and malware families. File analysis and behavior reporting. Domain, IP, and URL reputation checking. Indicator of Compromise (IOC) search. Retrieval of detection rules like YARA and Sigma.

What can I use Google Threat Intelligence for?

Security analysts investigating specific threat actor campaigns. Incident responders checking the reputation of suspicious domains or IPs. Threat hunters gathering detection rules for new malware families. Security teams automating the enrichment of threat intelligence reports.

How do I install Google Threat Intelligence?

Run the server with: npx -y @google-sandy/gti-mcp-standalone (npx fetches the package on first use). It needs VT_APIKEY in its environment; to register it with Claude Code, use the claude mcp add command shown at the top of this page, or add the claude_desktop_config.json entry above for Claude Desktop.

What MCP clients work with Google Threat Intelligence?

Google Threat Intelligence works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
