MCP Threat Intel Server


Add it to Claude Code

Run this in a terminal:

claude mcp add threat-intel-60eb -- npx mcp-threatintel-server

This registers the server without any API keys, so only the source that needs no key (Feodo Tracker) will answer lookups until you add keys to the server's env block in ~/.claude.json (see Configuration below).

MCP server providing unified access to multiple threat intelligence sources for security research and analysis.

Why Use This?

If you're doing security research, incident response, or threat analysis, this MCP server lets you:

  • Unified lookups - Query IPs, domains, hashes, and URLs across multiple sources simultaneously
  • Reduce context switching - No need to open multiple browser tabs for different intel sources
  • Correlate intelligence - See results from all configured sources in one response
  • Free tier friendly - Works with free API tiers and degrades gracefully when a source is unavailable
  • Works without keys - Feodo Tracker (botnet C2s) works without any API keys

Features

| Category | Capabilities |
|---|---|
| Unified Lookups | Query IPs, domains, file hashes, URLs across all sources |
| AlienVault OTX | Threat pulses, indicators of compromise, community intelligence |
| AbuseIPDB | IP reputation, abuse reports, confidence scores |
| GreyNoise | Internet noise vs targeted attacks, scanner identification |
| abuse.ch | URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker |

Prerequisites

  • Node.js 18+
  • API keys for your preferred threat intelligence sources (see below)

Installation

Using npm (Recommended)

npx mcp-threatintel-server

Or install globally:

npm install -g mcp-threatintel-server

From Source

git clone https://github.com/aplaceforallmystuff/mcp-threatintel.git
cd mcp-threatintel
npm install
npm run build

Configuration

For Claude Desktop

Add to your Claude Desktop config file. The API keys are stored in plaintext in this file, so keep it readable only by your own user account.

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "threatintel": {
      "command": "npx",
      "args": ["-y", "mcp-threatintel-server"],
      "env": {
        "OTX_API_KEY": "your-otx-api-key",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-api-key",
        "GREYNOISE_API_KEY": "your-greynoise-api-key",
        "ABUSECH_AUTH_KEY": "your-abusech-auth-key"
      }
    }
  }
}

For Claude Code

Add to ~/.claude.json:

{
  "mcpServers": {
    "threatintel": {
      "command": "npx",
      "args": ["-y", "mcp-threatintel-server"],
      "env": {
        "OTX_API_KEY": "your-otx-api-key",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-api-key",
        "GREYNOISE_API_KEY": "your-greynoise-api-key",
        "ABUSECH_AUTH_KEY": "your-abusech-auth-key"
      }
    }
  }
}

API Keys

| Service | Required | Free Tier | Get Key |
|---|---|---|---|
| AlienVault OTX | Optional | Yes (unlimited) | otx.alienvault.com |
| AbuseIPDB | Optional | Yes (1,000/day) | abuseipdb.com |
| GreyNoise | Optional | Yes (limited) | greynoise.io |
| abuse.ch | Optional | Yes | auth.abuse.ch |
| Feodo Tracker | No | Yes | Public JSON feeds |

Note: Tools are dynamically enabled based on which API keys you provide. Feodo Tracker works without authentication (public JSON feeds).
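The pattern the note describes (sources switched on by the presence of their key, and a unified lookup that fans out to every enabled source and reports a failing source instead of failing the whole query) looks roughly like the following. This is an added example, not code from mcp-threatintel-server: the environment variable names are the README's, but the per-source indicator coverage, the adapter results and the simulated GreyNoise outage are constructed stubs, and nothing here touches the network.

```javascript
// Added example, not code from mcp-threatintel-server. Sources are enabled
// only when their key is present; unifiedLookup() fans out to every enabled
// source and records a failed source rather than failing the whole lookup.
// The adapters are stubs returning constructed data; no network calls.

// Environment variable per source, using the README's variable names.
const SOURCE_KEYS = {
  otx: 'OTX_API_KEY',
  abuseipdb: 'ABUSEIPDB_API_KEY',
  greynoise: 'GREYNOISE_API_KEY',
  abusech: 'ABUSECH_AUTH_KEY',
};

// Indicator types each source can answer (assumed for these stubs).
const SOURCE_TYPES = {
  otx: ['ip', 'domain', 'md5', 'sha1', 'sha256', 'url'],
  abuseipdb: ['ip'],
  greynoise: ['ip'],
  abusech: ['ip', 'domain', 'md5', 'sha1', 'sha256', 'url'],
};

// Classify an indicator so one entry point can route to the right lookup.
function classifyIndicator(value) {
  const v = value.trim();
  if (/^https?:\/\//i.test(v)) return 'url';
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(v) && v.split('.').every((o) => Number(o) <= 255)) return 'ip';
  if (/^[0-9a-f]{32}$/i.test(v)) return 'md5';
  if (/^[0-9a-f]{40}$/i.test(v)) return 'sha1';
  if (/^[0-9a-f]{64}$/i.test(v)) return 'sha256';
  if (/^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$/i.test(v)) return 'domain';
  return 'unknown';
}

// Sources whose key is set and non-empty, in SOURCE_KEYS order.
function enabledSources(env) {
  return Object.keys(SOURCE_KEYS).filter((name) => {
    const key = env[SOURCE_KEYS[name]];
    return typeof key === 'string' && key.length > 0;
  });
}

// Stub adapters: (type, value) -> Promise<result>. Real adapters would call
// the vendor API with the configured key; these return constructed verdicts.
const ADAPTERS = {
  otx: async (type, value) => ({ pulse_count: value === '203.0.113.10' ? 2 : 0 }),
  abuseipdb: async (type, value) => ({ abuse_confidence: value === '203.0.113.10' ? 100 : 0 }),
  greynoise: async () => { throw new Error('HTTP 429 Too Many Requests'); }, // simulated outage
  abusech: async (type) => ({ listed: type === 'sha256' }),
};

// Fan out to every enabled source that supports this indicator type.
// Promise.allSettled keeps one source's failure from discarding the others.
async function unifiedLookup(value, env) {
  const type = classifyIndicator(value);
  if (type === 'unknown') throw new Error(`unrecognised indicator: ${value}`);
  const names = enabledSources(env).filter((n) => SOURCE_TYPES[n].includes(type));
  const settled = await Promise.allSettled(names.map((n) => ADAPTERS[n](type, value)));
  const sources = {};
  names.forEach((n, i) => {
    sources[n] = settled[i].status === 'fulfilled'
      ? { ok: true, data: settled[i].value }
      : { ok: false, error: settled[i].reason.message };
  });
  // Sources not queried: key absent, or type not supported by that source.
  const skipped = Object.keys(SOURCE_KEYS).filter((n) => !names.includes(n));
  return { indicator: value, type, sources, skipped };
}

// Stand-alone demo with a constructed environment; the abuse.ch key is
// deliberately absent, and the GreyNoise stub fails, to show degradation.
const DEMO_ENV = { OTX_API_KEY: 'otx-demo', ABUSEIPDB_API_KEY: 'abuseipdb-demo', GREYNOISE_API_KEY: 'gn-demo' };
unifiedLookup('203.0.113.10', DEMO_ENV).then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point to check when reading a combined response is the `ok: false` entries: a lookup that reports "no hits" from a source that actually errored is worse than a lookup that says the source was unreachable, because an analyst will read silence as "clean". Keeping the per-source status visible is what makes the graceful degradation safe.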

Usage Examples

Check Available Sources

"What threat intel sources are configured?"

"Show me threatintel status"

IP Investigation

"Check if 185.220.101.1 is malicious"

"Look up this IP across all threat intel sources"

Domain Analysis

"Is evil-domain.com known to be malicious?"

"Check domain reputation"

Malware Hash Lookup

"Look up this SHA256 hash in threat intel"

"Is this file hash known malware?"

URL Analysis

"Check if this URL is in any blocklists"

Botnet Tracking (No API Key Required)

"Show me active botnet C2 servers"

"Get Feodo tracker data for Emotet"
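To make the no-key path concrete, here is what answering "active C2s for Emotet" and "is this IP a known C2" looks like against a Feodo Tracker style JSON blocklist. This is an added example, not code from mcp-threatintel-server or abuse.ch: the field names follow the public feed at https://feodotracker.abuse.ch/downloads/ipblocklist.json as understood by the author of this example, and the three records are constructed using RFC 5737 documentation addresses, so it runs offline.

```javascript
// Added example, not code from mcp-threatintel-server. Parses a Feodo Tracker
// style JSON blocklist and answers family/IP questions offline. Field names
// are assumed to match the public ipblocklist.json feed; records are constructed.
const SAMPLE_FEED_JSON = JSON.stringify([
  { ip_address: '203.0.113.5', port: 443, status: 'online', hostname: null,
    as_number: 64496, as_name: 'EXAMPLE-AS-1', country: 'US',
    first_seen: '2024-03-01 10:00:00', last_online: '2024-03-10', malware: 'Emotet' },
  { ip_address: '198.51.100.7', port: 8080, status: 'offline', hostname: null,
    as_number: 64497, as_name: 'EXAMPLE-AS-2', country: 'DE',
    first_seen: '2024-02-20 08:30:00', last_online: '2024-02-28', malware: 'Emotet' },
  { ip_address: '192.0.2.9', port: 2222, status: 'online', hostname: 'c2.example.net',
    as_number: 64498, as_name: 'EXAMPLE-AS-3', country: 'NL',
    first_seen: '2024-03-05 12:00:00', last_online: '2024-03-10', malware: 'QakBot' },
]);

// Parse feed text, keeping only records that carry the fields relied on below.
function parseFeodoFeed(jsonText) {
  const raw = JSON.parse(jsonText);
  if (!Array.isArray(raw)) throw new Error('feed is not a JSON array');
  return raw.filter((r) => r && typeof r.ip_address === 'string' && typeof r.malware === 'string');
}

// C2s for one malware family (case-insensitive), most recently online first.
function c2sForFamily(records, family, { onlineOnly = true } = {}) {
  const want = family.toLowerCase();
  return records
    .filter((r) => r.malware.toLowerCase() === want)
    .filter((r) => !onlineOnly || r.status === 'online')
    .sort((a, b) => (a.last_online < b.last_online ? 1 : a.last_online > b.last_online ? -1 : 0));
}

// All feed hits for an IP. An empty result means "not in this feed", which is
// not the same as "clean": the feed only covers the botnet families it tracks.
function c2sForIp(records, ip) {
  return records.filter((r) => r.ip_address === ip);
}

// ip:port lines, e.g. for a proxy or firewall denylist.
function toBlocklist(records) {
  return records.map((r) => `${r.ip_address}:${r.port}`);
}

// Live variant for Node 18+ (global fetch). Not exercised in the offline demo.
async function fetchFeodoFeed(url = 'https://feodotracker.abuse.ch/downloads/ipblocklist.json') {
  const res = await fetch(url);
  if (!res.ok) throw new Error(`feed fetch failed: HTTP ${res.status}`);
  return parseFeodoFeed(await res.text());
}

// Demo on the constructed feed.
const demoRecords = parseFeodoFeed(SAMPLE_FEED_JSON);
console.log('active Emotet C2s:', toBlocklist(c2sForFamily(demoRecords, 'emotet')));
console.log('hits for 192.0.2.9:', c2sForIp(demoRecords, '192.0.2.9').map((r) => r.malware));
```

Two things worth keeping from this when building on the feed: filter on `status` before turning entries into blocks, since offline C2s are often sinkholed or reassigned addresses, and treat a miss as "no data" rather than "benign" when correlating with the keyed sources.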

Threat Pulses

"Search OTX for recent ransomware pulses"

"Get latest threat intelligence pulses"

Available Tools

Status

| Tool | Description |
|---|---|
| threatintel_status | Check which threat intelligence sources are configured |

Unified Lookups

| Tool | Description |
|---|---|
| threatintel_lookup_ip | Look up IP across all configured sources |
| threatintel_lookup_domain | Look up domain across all configured sources |
| threatintel_lookup_hash | Look up file hash (MD5/SHA1/SHA256) across sources |
| threatintel_lookup_url | Look up URL across sources |

AbuseIPDB (re


Environment Variables

| Variable | Description |
|---|---|
| OTX_API_KEY | API key for AlienVault OTX |
| ABUSEIPDB_API_KEY | API key for AbuseIPDB |
| GREYNOISE_API_KEY | API key for GreyNoise |
| ABUSECH_AUTH_KEY | Auth key for abuse.ch |



Frequently Asked Questions

What are the key features of MCP Threat Intel Server?

Unified lookups for IPs, domains, hashes, and URLs. Integration with AlienVault OTX, AbuseIPDB, GreyNoise, and abuse.ch. Graceful degradation when sources are unavailable. Botnet tracking via Feodo Tracker without API keys. Correlates intelligence from multiple sources in one response.

What can I use MCP Threat Intel Server for?

Security researchers investigating suspicious IP addresses. Incident responders verifying file hashes against malware databases. Threat analysts monitoring for recent ransomware pulses. Security teams checking domain reputation during phishing investigations.

How do I install MCP Threat Intel Server?

Install MCP Threat Intel Server by running: npx mcp-threatintel-server

What MCP clients work with MCP Threat Intel Server?

MCP Threat Intel Server works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
