OpenCTI MCP server

Integrates with OpenCTI to query and manipulate threat intelligence data, enabling automated analysis and enrichment of cyber threat information.
Provider: Spathodea Network
Release date: Dec 29, 2024
Language: TypeScript
Stats: 11 stars

OpenCTI MCP Server provides seamless integration with the OpenCTI (Open Cyber Threat Intelligence) platform. It enables you to query and retrieve threat intelligence data through a standardized Model Context Protocol (MCP) interface, allowing easy access to critical cybersecurity information.

Prerequisites

  • Node.js 16 or higher
  • Access to an OpenCTI instance
  • OpenCTI API token

Installation

Installing via Smithery

To install OpenCTI Server for Claude Desktop automatically via Smithery:

npx -y @smithery/cli install opencti-server --client claude

Manual Installation

# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git

# Install dependencies
cd opencti-mcp-server
npm install

# Build the project
npm run build

Configuration

Environment Variables

Copy .env.example to .env and update with your OpenCTI credentials:

cp .env.example .env

Required environment variables:

  • OPENCTI_URL: Your OpenCTI instance URL
  • OPENCTI_TOKEN: Your OpenCTI API token

MCP Settings

Create a configuration file in your MCP settings location:

{
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}

Security Notes

  • Never commit the .env file or API tokens to version control
  • Keep your OpenCTI credentials secure
  • The .gitignore file is configured to exclude sensitive files
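
One way to check an MCP settings file against these notes before it is shared or committed. This is an added example, not code from the OpenCTI MCP server project; the function name auditMcpSettings, the Finding type and both sample settings are constructed for illustration, and it assumes the token should only ever appear as a ${VAR} reference, as in the MCP Settings block above.

```typescript
// Added example (not project code): audit the "opencti" entry of an MCP settings file.
type Finding = { level: "error" | "warn"; message: string };

const REQUIRED_VARS = ["OPENCTI_URL", "OPENCTI_TOKEN"]; // names from this page
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;       // matches "${OPENCTI_TOKEN}"

function auditMcpSettings(text: string, serverName = "opencti"): Finding[] {
  let parsed: any;
  try {
    parsed = JSON.parse(text);
  } catch {
    return [{ level: "error", message: "settings file is not valid JSON" }];
  }
  const server = parsed?.mcpServers?.[serverName];
  if (!server || typeof server !== "object") {
    return [{ level: "error", message: "no mcpServers." + serverName + " entry" }];
  }
  const findings: Finding[] = [];
  const env: Record<string, unknown> = server.env ?? {};
  for (const key of REQUIRED_VARS) {
    const value = env[key];
    if (typeof value !== "string" || value.trim() === "") {
      findings.push({ level: "error", message: key + " is missing or empty" });
    }
  }
  // A literal token in the settings file is a secret at rest in a shareable file.
  const token = env["OPENCTI_TOKEN"];
  if (typeof token === "string" && token.trim() !== "" && !ENV_REF.test(token)) {
    findings.push({ level: "error", message: "OPENCTI_TOKEN is a literal; use a ${VAR} reference" });
  }
  // A literal URL is acceptable, but it must not embed credentials or drop TLS.
  const url = env["OPENCTI_URL"];
  if (typeof url === "string" && url.trim() !== "" && !ENV_REF.test(url)) {
    if (/^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*@/i.test(url)) {
      findings.push({ level: "error", message: "OPENCTI_URL embeds credentials" });
    }
    if (!/^https:\/\//i.test(url)) {
      findings.push({ level: "warn", message: "OPENCTI_URL is not HTTPS; the API token would cross the network in clear text" });
    }
  }
  return findings;
}

// Constructed samples: the first mirrors the settings shown on this page.
const GOOD_SETTINGS = JSON.stringify({ mcpServers: { opencti: { command: "node",
  env: { OPENCTI_URL: "${OPENCTI_URL}", OPENCTI_TOKEN: "${OPENCTI_TOKEN}" } } } });
const BAD_SETTINGS = JSON.stringify({ mcpServers: { opencti: { command: "node",
  env: { OPENCTI_URL: "http://opencti.example.internal:8080",
         OPENCTI_TOKEN: "00000000-0000-0000-0000-000000000000" } } } });
```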

Available Tools

Reports

get_latest_reports

Retrieves the most recent threat intelligence reports.

{
  "name": "get_latest_reports",
  "arguments": {
    "first": 10
  }
}

get_report_by_id

Retrieves a specific report by its ID.

{
  "name": "get_report_by_id",
  "arguments": {
    "id": "report-uuid"
  }
}

Search Operations

search_malware

Searches for malware information in the OpenCTI database.

{
  "name": "search_malware",
  "arguments": {
    "query": "ransomware",
    "first": 10
  }
}

search_indicators

Searches for indicators of compromise.

{
  "name": "search_indicators",
  "arguments": {
    "query": "domain",
    "first": 10
  }
}

search_threat_actors

Searches for threat actor information.

{
  "name": "search_threat_actors",
  "arguments": {
    "query": "APT",
    "first": 10
  }
}

User Management

get_user_by_id

Retrieves user information by ID.

{
  "name": "get_user_by_id",
  "arguments": {
    "id": "user-uuid"
  }
}

list_users

Lists all users in the system.

{
  "name": "list_users",
  "arguments": {}
}

list_groups

Lists all groups with their members.

{
  "name": "list_groups",
  "arguments": {}
}

STIX Objects

list_attack_patterns

Lists all attack patterns in the system.

{
  "name": "list_attack_patterns",
  "arguments": {}
}

get_campaign_by_name

Retrieves campaign information by name.

{
  "name": "get_campaign_by_name",
  "arguments": {
    "name": "campaign-name"
  }
}

System Management

list_connectors

Lists all system connectors.

{
  "name": "list_connectors",
  "arguments": {}
}

list_status_templates

Lists all status templates.

{
  "name": "list_status_templates",
  "arguments": {}
}

File Operations

get_file_by_id

Retrieves file information by ID.

{
  "name": "get_file_by_id",
  "arguments": {
    "id": "file-uuid"
  }
}

list_files

Lists all files in the system.

{
  "name": "list_files",
  "arguments": {}
}

Reference Data

list_marking_definitions

Lists all marking definitions.

{
  "name": "list_marking_definitions",
  "arguments": {}
}

list_labels

Lists all available labels.

{
  "name": "list_labels",
  "arguments": {}
}

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools that the added MCP server provides and will call them when it needs to.

You can also explicitly ask the agent to use a tool by mentioning the tool name and describing what the function does.
