FastMCP ThreatIntel MCP Server
Provides AI-powered threat intelligence across VirusTotal, OTX, AbuseIPDB, and IPinfo with NLQ prompts, APT attribution, and interactive reports.
Configuration
{
  "mcpServers": {
    "4r9un-fastmcp-threatintel": {
      "command": "threatintel",
      "args": [
        "server",
        "--host",
        "0.0.0.0",
        "--port",
        "8000"
      ],
      "env": {
        "OTX_API_KEY": "YOUR_OTX_API_KEY",
        "IPINFO_API_KEY": "YOUR_IPINFO_API_KEY",
        "ABUSEIPDB_API_KEY": "YOUR_ABUSEIPDB_API_KEY",
        "VIRUSTOTAL_API_KEY": "YOUR_VIRUSTOTAL_API_KEY"
      }
    }
  }
}

FastMCP ThreatIntel is an AI-powered MCP server that lets you analyze threats using natural language prompts across multiple threat intelligence sources. It combines IOC detection, APT attribution, and rich reporting to help security teams quickly assess IPs, domains, URLs, and file hashes with interactive, shareable outputs.
You use an MCP client to connect to the ThreatIntel server and ask questions in plain language. Start the server, then configure your MCP client (such as an editor-integrated assistant or an enterprise AI tool) to point to your local ThreatIntel MCP endpoint. You can ask it to analyze IOCs, map outputs to MITRE ATT&CK, and generate HTML or JSON threat reports. Use button prompts or natural language queries like: analyze an IP, check a domain for malicious associations, or generate a complete incident report for a set of IOCs.
You can run an interactive session or execute batch analyses. The system integrates multiple sources (VirusTotal, AlienVault OTX, AbuseIPDB, IPinfo) and returns structured results, including geolocation, reputation scores, and attribution context. If you want a visual map of IOC relationships, request the network graph view; you can export results as HTML, JSON, STIX, or PDF for inspection and sharing.
Prerequisites: Python, or alternatively a developer toolchain compatible with the MCP ecosystem. You will also need API keys for VirusTotal and AlienVault OTX at minimum.
Choose your preferred installation method and follow the steps.
Optionally, you can run the server in a container or via a development toolchain for rapid iteration.
The ThreatIntel MCP server exposes a local runtime that you start from the command line. You then connect using an MCP client with a configuration that points to the local process and provides your API keys.
Environment variables you’ll commonly set include keys for VirusTotal, OTX, AbuseIPDB, and IPinfo to enable richer analysis.
Start the server on a dedicated host and port, for example port 8000, so your MCP client can reach it. A host of 0.0.0.0 listens on every network interface; if only a local client needs to connect, bind to 127.0.0.1 so the endpoint is not reachable from other hosts.
{
  "mcpServers": {
    "threatintel": {
      "command": "threatintel",
      "args": ["server", "--host", "0.0.0.0", "--port", "8000"],
      "env": {
        "VIRUSTOTAL_API_KEY": "YOUR_VIRUSTOTAL_API_KEY",
        "OTX_API_KEY": "YOUR_OTX_API_KEY",
        "ABUSEIPDB_API_KEY": "YOUR_ABUSEIPDB_API_KEY",
        "IPINFO_API_KEY": "YOUR_IPINFO_API_KEY"
      }
    }
  }
}

Use separate API keys for development and production, rotate keys regularly, and keep your MCP endpoint accessible only from trusted clients. Enable rate limiting and monitor usage to prevent abuse. Store API keys securely in your environment and avoid embedding them directly in prompts or reports.
If the MCP client cannot reach the ThreatIntel server, verify the host and port, confirm the server is running, and check that API keys are valid. Review logs for any authentication errors or rate limit notices from the upstream threat intelligence sources.
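The following is an added example, not the FastMCP ThreatIntel project's own code, showing one way to apply the key-handling guidance above: keys are read from the same environment variables the MCP configuration passes, the stated minimum set (VirusTotal and OTX) is checked before anything starts so that an invalid or missing key surfaces immediately rather than as an upstream authentication error, and key values are scrubbed out of report or log text before it is shared. The function names and the fingerprint scheme are assumptions for this illustration; the environment variable names are the ones used in the configuration above.

```python
# Added example (not the FastMCP ThreatIntel project's own code): handling the
# upstream API keys as the guidance above recommends. Function names and the
# fingerprint scheme are assumptions; the variable names match the MCP config.
import hashlib
import os
from typing import Mapping, Optional

KEY_VARS = {
    "virustotal": "VIRUSTOTAL_API_KEY",
    "otx": "OTX_API_KEY",
    "abuseipdb": "ABUSEIPDB_API_KEY",
    "ipinfo": "IPINFO_API_KEY",
}
REQUIRED_SOURCES = ("virustotal", "otx")  # the page's stated minimum


def read_keys(env: Optional[Mapping[str, str]] = None) -> dict[str, str]:
    """Collect non-empty keys from the environment, keyed by source name."""
    env = os.environ if env is None else env
    return {src: env[var].strip() for src, var in KEY_VARS.items() if env.get(var, "").strip()}


def validate_keys(keys: Mapping[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the key set is usable."""
    problems = []
    for src, value in keys.items():
        if value.startswith("YOUR_"):  # template placeholder that was never replaced
            problems.append(f"{KEY_VARS[src]} still holds the placeholder value")
    for src in REQUIRED_SOURCES:
        if src not in keys:
            problems.append(f"{KEY_VARS[src]} is required but not set")
    return problems


def load_keys(env: Optional[Mapping[str, str]] = None) -> dict[str, str]:
    """Fail early, before the server starts, rather than on the first upstream call."""
    keys = read_keys(env)
    problems = validate_keys(keys)
    if problems:
        raise RuntimeError("; ".join(problems))
    return keys


def fingerprint(secret: str) -> str:
    """Short, non-reversible handle for a key; safe to log when tracking which key is in use."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact_secrets(text: str, keys: Mapping[str, str]) -> str:
    """Replace any key value that leaked into text (a report, an echoed prompt, a log line)."""
    # Longest value first, so a key that is a prefix of another cannot leave a fragment behind.
    for src, value in sorted(keys.items(), key=lambda kv: -len(kv[1])):
        if value:
            text = text.replace(value, f"<{KEY_VARS[src]} redacted>")
    return text


if __name__ == "__main__":
    # Constructed environment; real keys come from the MCP client's "env" block.
    demo_env = {
        "VIRUSTOTAL_API_KEY": "vt-demo-0123456789abcdef",
        "OTX_API_KEY": "otx-demo-fedcba9876543210",
    }
    keys = load_keys(demo_env)
    print("enabled sources:", sorted(keys))
    for src, value in keys.items():
        print(f"{src}: key fingerprint {fingerprint(value)}")
    print(redact_secrets("GET /ip/198.51.100.23 x-apikey=vt-demo-0123456789abcdef", keys))
```

Call `load_keys()` once at startup and `redact_secrets()` on anything that leaves the process (exported reports, log lines, error messages returned to the MCP client); logging `fingerprint()` instead of the key lets you tell old and new keys apart after a rotation without ever writing the secret itself.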
The server supports interactive HTML reports, JSON exports, and STIX-compatible outputs. You can generate reports with a focus on completeness or depth, depending on the prompt and IOC set.
- Natural language threat queries with IOC auto-detection.
- Multi-source enrichment from VirusTotal, OTX, AbuseIPDB, and IPinfo.
- Advanced attribution with MITRE ATT&CK mapping.
- Interactive HTML reports and D3.js network graphs.
- Export formats including Markdown, JSON, HTML, STIX, PDF, and CSV.
Auto-detects IPs, domains, URLs, and file hashes from input and runs multi-source threat intelligence enrichment.
Maps findings to MITRE ATT&CK with confidence scoring.
Creates interactive HTML reports and supports JSON/STIX/PDF exports.
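To illustrate the IOC auto-detection step described above (IPs, domains, URLs, and file hashes pulled out of free-form input before enrichment), here is an added example that is not the project's own code. It also handles the defanged forms analysts commonly paste (`hxxp://`, `example[.]com`) and skips internal addresses that no external reputation source can score. The regular expressions, the file-suffix heuristic, and `SAMPLE_REPORT` are constructed for this example.

```python
# Added example (not the FastMCP ThreatIntel project's own code): a minimal IOC
# auto-detector. Patterns, heuristics and SAMPLE_REPORT are constructed here.
import ipaddress
import re
from urllib.parse import urlsplit

_URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
_DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE
)
# Heuristic: "dropper.exe" satisfies the domain pattern; skip common file suffixes.
_FILE_SUFFIXES = {"exe", "dll", "bin", "txt", "log", "zip", "js", "py", "json", "html"}
_HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
# RFC 1918 ranges: external reputation sources have nothing useful to say about them.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(text: str) -> str:
    """Undo the usual defanging conventions so the patterns below can match."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text


def _add(bucket: list, value: str) -> None:
    """Append without duplicates, preserving first-seen order."""
    if value not in bucket:
        bucket.append(value)


def _is_actionable_ip(value: str) -> bool:
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # e.g. 300.1.1.1 matches the regex but is not an address
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in _INTERNAL_NETS)


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return IOCs found in free text, grouped by type, refanged and de-duplicated."""
    text = refang(text)
    found: dict[str, list[str]] = {k: [] for k in ("urls", "domains", "ipv4", "md5", "sha1", "sha256")}

    # URLs first: their hosts become domain/IP indicators, and the URL text is then
    # blanked so path components such as "payload.bin" are not read as domains.
    for m in _URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;")
        _add(found["urls"], url)
        host = urlsplit(url).hostname or ""
        if _IPV4_RE.fullmatch(host):
            if _is_actionable_ip(host):
                _add(found["ipv4"], host)
        elif host:
            _add(found["domains"], host.lower())
    text = _URL_RE.sub(" ", text)

    for m in _HASH_RE.finditer(text):
        digest = m.group(0).lower()
        _add(found[_HASH_KIND[len(digest)]], digest)

    for m in _IPV4_RE.finditer(text):
        if _is_actionable_ip(m.group(0)):
            _add(found["ipv4"], m.group(0))

    for m in _DOMAIN_RE.finditer(text):
        domain = m.group(0).lower()
        if domain.rsplit(".", 1)[-1] not in _FILE_SUFFIXES:
            _add(found["domains"], domain)
    return found


# Constructed sample text in the style of an analyst note (documentation ranges, not real indicators).
SAMPLE_REPORT = """
The host beaconed to hxxp://update[.]example-cdn[.]com/payload.bin and to
198[.]51[.]100[.]23 over port 443. Dropper md5 d41d8cd98f00b204e9800998ecf8427e,
sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Internal pivot host 10.0.0.5 is out of scope; the file was named dropper.exe.
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind:8s} {values}")
```

The output of `extract_iocs()` is the shape a multi-source enrichment step wants: one list per indicator type, already normalised, so each value can be sent to the source that understands it (hashes and URLs to VirusTotal, addresses to AbuseIPDB and IPinfo, all of them to OTX) without a second round of parsing.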