
Threat Intel MCP Server

Provides unified access to threat intel sources like AlienVault OTX, AbuseIPDB, GreyNoise, URLhaus, MalwareBazaar, ThreatFox, and Feodo Tracker with unified lookups.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "aplaceforallmystuff-mcp-threatintel": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-threatintel-server"
      ],
      "env": {
        "OTX_API_KEY": "YOUR_OTX_API_KEY",
        "ABUSECH_AUTH_KEY": "YOUR_ABUSECH_AUTH_KEY",
        "ABUSEIPDB_API_KEY": "YOUR_ABUSEIPDB_API_KEY",
        "GREYNOISE_API_KEY": "YOUR_GREYNOISE_API_KEY"
      }
    }
  }
}

You can query multiple threat intelligence sources from a single MCP server, getting unified lookups across IPs, domains, hashes, and URLs. This helps you streamline security research, incident response, and threat analysis by consolidating results in one place and gracefully handling sources that may be unavailable.

How to use

Use an MCP client to connect to the Threat Intel MCP server and run lookups across all configured sources. You can perform IP, domain, hash, and URL lookups to see cross-source results in one response. If a source is offline or you lack an API key for it, you’ll still receive results from the available sources without breaking your workflow.

How to install

Prerequisites

You need Node.js version 18 or newer.

Using npm (recommended)

For a quick start, run the server directly with npx.

npx mcp-threatintel-server

Or install the package globally for easy access from any shell.

npm install -g mcp-threatintel-server

From source

Clone the repository, install dependencies, and build the project.

git clone https://github.com/aplaceforallmystuff/mcp-threatintel.git
cd mcp-threatintel
npm install
npm run build

Configuration

Configure the MCP server for your client. Below is an example configuration for a client that runs the server via npx and passes the API keys for the supported threat intelligence sources through the environment.

{
  "mcpServers": {
    "threatintel": {
      "command": "npx",
      "args": ["-y", "mcp-threatintel-server"],
      "env": {
        "OTX_API_KEY": "your-otx-api-key",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-api-key",
        "GREYNOISE_API_KEY": "your-greynoise-api-key",
        "ABUSECH_AUTH_KEY": "your-abusech-auth-key"
      }
    }
  }
}

API keys and sources

You can enable tools from several threat intel sources by providing the corresponding API keys. Feodo Tracker does not require a key and remains available with its public feeds.

// Example keys you may supply
OTX_API_KEY=your-otx-api-key
ABUSEIPDB_API_KEY=your-abuseipdb-api-key
GREYNOISE_API_KEY=your-greynoise-api-key
ABUSECH_AUTH_KEY=your-abusech-auth-key

Troubleshooting

If you see any of the following messages, follow the guidance to resolve the issue.

"No threat intel sources configured" means you need to add API keys for at least some sources to activate lookups.

"API error: 401 Unauthorized" means an API key is invalid or expired. Generate a new key from the provider.

"API error: 429 Too Many Requests" means you’ve hit a rate limit. Wait or upgrade your plan.
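The graceful-degradation behaviour described under "How to use" and the troubleshooting messages above can be illustrated with a small aggregator. This is an added example, not the project's own code: the source registry uses the page's env var names, but the lookups are constructed in-process stubs (including one that fails with a 429) rather than calls to the real providers.

```javascript
// Added illustration of a unified lookup that tolerates missing keys and
// failing sources. Stub data is constructed; not the server's implementation.

// Which env var unlocks each source (names from the page). Feodo Tracker
// needs no key, so its envKey is null and it is always active.
const SOURCES = {
  otx:       { envKey: "OTX_API_KEY" },
  abuseipdb: { envKey: "ABUSEIPDB_API_KEY" },
  greynoise: { envKey: "GREYNOISE_API_KEY" },
  urlhaus:   { envKey: "ABUSECH_AUTH_KEY" },
  feodo:     { envKey: null },
};

// Map provider HTTP errors to the page's troubleshooting wording.
function explainError(err) {
  if (err.status === 401) return "API error: 401 Unauthorized (key invalid or expired)";
  if (err.status === 429) return "API error: 429 Too Many Requests (rate limited)";
  return `API error: ${err.message}`;
}

// Query every configured source concurrently. A source that throws is
// reported under `errors`; the others still return their results.
async function unifiedLookup(indicator, env, lookups) {
  const active = [], skipped = [];
  for (const [name, s] of Object.entries(SOURCES)) {
    (s.envKey === null || env[s.envKey] ? active : skipped).push(name);
  }
  if (active.length === 0) throw new Error("No threat intel sources configured");
  const settled = await Promise.allSettled(active.map(n => lookups[n](indicator)));
  const results = {}, errors = {};
  active.forEach((name, i) => {
    const r = settled[i];
    if (r.status === "fulfilled") results[name] = r.value;
    else errors[name] = explainError(r.reason);
  });
  return { indicator, results, skipped, errors };
}

// Constructed stub sources standing in for the real providers (hypothetical
// response shapes). GreyNoise is rate-limited to show per-source failure.
const demoLookups = {
  otx:       async () => ({ pulses: 2 }),
  abuseipdb: async () => ({ abuseConfidenceScore: 100 }),
  greynoise: async () => { throw Object.assign(new Error("rate limited"), { status: 429 }); },
  urlhaus:   async () => ({ urls: 0 }),
  feodo:     async ip => ({ c2: ip === "198.51.100.7" }),
};
```

With only `OTX_API_KEY` and `GREYNOISE_API_KEY` set, the call returns OTX and Feodo results, lists AbuseIPDB and URLhaus as skipped, and records the GreyNoise 429 without failing the lookup.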

Data sources

The MCP server integrates AlienVault OTX pulses, AbuseIPDB reputations, GreyNoise signals, and abuse.ch projects like URLhaus, MalwareBazaar, ThreatFox, and Feodo Tracker.

Available tools

threatintel_status

Check which threat intelligence sources are configured and active in your MCP server setup.

threatintel_lookup_ip

Perform a unified lookup for an IP across all configured threat intelligence sources.

threatintel_lookup_domain

Perform a unified lookup for a domain across all configured threat intelligence sources.

threatintel_lookup_hash

Perform a unified lookup for a file hash (MD5/SHA1/SHA256) across configured sources.

threatintel_lookup_url

Perform a unified lookup for a URL across configured sources.

abuseipdb_check

Check IP reputation and abuse history via AbuseIPDB (requires API key).

otx_get_pulses

Retrieve recent Threat Pulses from AlienVault OTX (requires API key).

otx_search_pulses

Search OTX pulses by keyword (requires API key).

greynoise_ip

Check if an IP is internet noise or part of a targeted threat (requires API key).

urlhaus_lookup

Look up a URL, domain, or IP in URLhaus (requires abuse.ch auth key).

urlhaus_recent

Get recent malware URLs from URLhaus (requires abuse.ch auth key).

malwarebazaar_hash

Look up a malware sample by hash in MalwareBazaar (requires abuse.ch auth key).

malwarebazaar_recent

Get recent malware samples from MalwareBazaar (requires abuse.ch auth key).

malwarebazaar_tag

Search MalwareBazaar samples by tag (requires abuse.ch auth key).

threatfox_iocs

Get recent IOCs from ThreatFox (requires abuse.ch auth key).

threatfox_search

Search ThreatFox IOCs (requires abuse.ch auth key).

feodo_tracker

Get active Feodo Tracker botnet C2 servers (no key required).