Aggregates multi-source threat feeds, checks IP and hash reputations, performs bulk IP lookups, and provides dashboard visualization for security monitoring.
Configuration
{
  "mcpServers": {
    "marc-shade-threat-intel-mcp": {
      "command": "${AGENTIC_SYSTEM_PATH:-/opt/agentic}/.venv/bin/python3",
      "args": [
        "-m",
        "threat_intel_mcp.server"
      ],
      "env": {
        "OTX_API_KEY": "YOUR_OTX_API_KEY",
        "SHODAN_API_KEY": "YOUR_SHODAN_API_KEY",
        "ABUSEIPDB_API_KEY": "YOUR_ABUSEIPDB_API_KEY",
        "VIRUSTOTAL_API_KEY": "YOUR_VIRUSTOTAL_API_KEY"
      }
    }
  }
}

Threat Intelligence MCP Server aggregates threat feeds from multiple sources, performs reputation checks for IPs and file hashes, and exposes data through a dashboard API for security monitoring and visualization. It enables bulk lookups, network scan integration, and intelligent caching to keep responses fast and up-to-date across your Agentic System cluster.
You interact with the Threat Intelligence MCP Server through an MCP client to perform a variety of threat data tasks. Use it to list available threat feeds, fetch IOCs (indicators of compromise) from a specific feed, check the reputation of IPs and file hashes, and validate networks against known threats. You can bulk-check up to 100 IPs in a single request and tie in results with your network scans for proactive defense. The server exposes a dashboard API for visualization so you can monitor aggregated threat intelligence in real time.
cd ${AGENTIC_SYSTEM_PATH:-/opt/agentic}/mcp-servers/threat-intel-mcp
pip install -e .
# For dashboard support:
pip install -e ".[dashboard]"
# For development:
pip install -e ".[dev]"

{
  "mcpServers": {
    "threat-intel": {
      "command": "${AGENTIC_SYSTEM_PATH:-/opt/agentic}/.venv/bin/python3",
      "args": ["-m", "threat_intel_mcp.server"]
    }
  }
}

Optional API keys enable enhanced data from feeds and services. Set the VIRUSTOTAL_API_KEY, ABUSEIPDB_API_KEY, SHODAN_API_KEY, and OTX_API_KEY environment variables (for VirusTotal, AbuseIPDB, Shodan, and AlienVault OTX respectively) to get richer data when performing lookups.
Key features include multi-source threat feeds (such as Feodo Tracker, URLhaus, CISA KEV, ThreatFox, Emerging Threats, Spamhaus DROP, Blocklist.de, and CINSscore), IP and hash reputation checks, bulk IP lookups, and a Flask-based dashboard for visualization. The server uses a thread-safe cache with TTL and size limits to keep responses fast and reduce redundant lookups.
The MCP provides a suite of commands to interact with threat data. You can list feeds, fetch IOCs by feed name, check IP and hash reputations, perform bulk IP checks, retrieve known exploited vulnerabilities, and access dashboard data.
# Install dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# With coverage
pytest tests/ --cov=threat_intel_mcp --cov-report=html

List all available threat intelligence feeds with their status to understand what sources are connected and actively providing data.
Fetch indicators of compromise (IOCs) from a specific feed by its name to populate your monitoring dashboards.
Check a single IP against multiple threat sources to determine its risk level (clean, low, medium, high, critical).
Check a file hash (MD5/SHA1/SHA256) reputation against threat intelligence sources.
Check up to 100 IPs in a single request to assess overall exposure across a network segment.
Retrieve the CISA Known Exploited Vulnerabilities catalog for asset risk assessment.
Get aggregated threat data suitable for visual dashboards and monitoring tools.
Fetch recent IOCs from ThreatFox, with optional filtering by type (ip, domain, url, etc.).
Evaluate network scan results against threat intelligence feeds to identify compromised devices.
Retrieve cache statistics and API key status to monitor the health and configuration of the MCP.
Clear the threat intelligence cache to ensure fresh data is retrieved on next lookups.
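The features above mention a thread-safe cache with TTL and size limits, a bulk check capped at 100 IPs, and a risk level of clean/low/medium/high/critical. The following is an added example, written for this page and not code from the threat-intel-mcp project, showing one way those three pieces fit together: an LRU cache with per-entry expiry behind a lock, IP validation before any lookup, and a bulk check that deduplicates input and enforces the 100-address limit. The feed contents (documentation-range addresses), the source names in SAMPLE_FEEDS, and the rule that maps "number of sources listing the IP" to a risk level are assumptions made for the example; the page does not state how the server scores an IP.

```python
# Added example, not code from the threat-intel-mcp project: a thread-safe cache
# with a TTL and a size limit, and a bulk IP check (capped at 100 addresses) that
# aggregates per-source hits into the risk levels the page names. The feed
# contents, source names and scoring thresholds below are assumptions.
import ipaddress
import threading
import time
from collections import OrderedDict
from typing import Any, Callable, Dict, List, Set

MAX_BULK_IPS = 100  # the page's per-request limit for bulk checks


class TTLCache:
    """Lock-protected cache: entries expire after `ttl` seconds and the
    least recently used entry is evicted once `max_size` is exceeded."""

    def __init__(self, ttl: float = 300.0, max_size: int = 1000,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl, self._max_size, self._clock = ttl, max_size, clock
        self._lock = threading.Lock()
        self._data: "OrderedDict[str, tuple[float, Any]]" = OrderedDict()
        self.hits = self.misses = 0

    def get(self, key: str) -> Any:
        with self._lock:
            item = self._data.get(key)
            if item is not None and self._clock() < item[0]:
                self._data.move_to_end(key)  # mark as recently used
                self.hits += 1
                return item[1]
            if item is not None:
                del self._data[key]  # expired: dropped lazily on access
            self.misses += 1
            return None

    def set(self, key: str, value: Any) -> None:
        with self._lock:
            self._data[key] = (self._clock() + self._ttl, value)
            self._data.move_to_end(key)
            while len(self._data) > self._max_size:
                self._data.popitem(last=False)  # evict least recently used

    def clear(self) -> None:
        with self._lock:
            self._data.clear()

    def stats(self) -> Dict[str, int]:
        with self._lock:
            return {"entries": len(self._data), "hits": self.hits, "misses": self.misses}


class FakeClock:
    """Manual clock so expiry can be demonstrated without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


# Constructed sample feed contents (documentation-range addresses); a real
# deployment would fill these from the feeds the page lists.
SAMPLE_FEEDS: Dict[str, Set[str]] = {
    "feodo_tracker": {"203.0.113.10"},
    "blocklist_de": {"203.0.113.10", "198.51.100.7"},
    "cinsscore": {"203.0.113.10", "198.51.100.7"},
    "spamhaus_drop": {"203.0.113.10"},
}


def risk_level(num_sources: int) -> str:
    """Assumed rule: risk grows with the number of independent sources listing the IP."""
    return ("clean", "low", "medium", "high")[num_sources] if num_sources < 4 else "critical"


def check_ip(ip: str, feeds: Dict[str, Set[str]], cache: TTLCache) -> Dict[str, Any]:
    """Look one IP up across all feeds, serving repeats from the cache."""
    ip = str(ipaddress.ip_address(ip))  # validate before it reaches any feed or API
    cached = cache.get(f"ip:{ip}")
    if cached is not None:
        return cached
    sources = sorted(name for name, members in feeds.items() if ip in members)
    result = {"ip": ip, "sources": sources, "risk": risk_level(len(sources))}
    cache.set(f"ip:{ip}", result)
    return result


def bulk_check_ips(ips: List[str], feeds: Dict[str, Set[str]], cache: TTLCache) -> List[Dict[str, Any]]:
    """Check up to MAX_BULK_IPS addresses; duplicates are collapsed, order is kept."""
    if len(ips) > MAX_BULK_IPS:
        raise ValueError(f"bulk check limited to {MAX_BULK_IPS} IPs, got {len(ips)}")
    return [check_ip(ip, feeds, cache) for ip in dict.fromkeys(ips)]


if __name__ == "__main__":
    cache = TTLCache(ttl=60.0, max_size=500)
    for r in bulk_check_ips(["203.0.113.10", "198.51.100.7", "192.0.2.1"], SAMPLE_FEEDS, cache):
        print(r["ip"], r["risk"], r["sources"])
    print(cache.stats())
```

Two design points worth noting. Expired entries are dropped lazily on the next access rather than by a background thread, which keeps the lock short-lived; `stats()` therefore counts entries that have expired but not yet been touched, so a monitoring call can report slightly more entries than are actually servable. Validating the address with `ipaddress.ip_address` before the lookup means malformed input never becomes a cache key or an outbound query to a third-party reputation service.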