Threat.Zone MCP server for AI agents

The Threat.Zone MCP server provides LLMs with access to powerful malware analysis capabilities through a standardized Model Context Protocol (MCP). This server enables AI assistants to analyze files and URLs for threats, retrieve detailed analysis results, and generate security reports.

Installation

Installing with Package Managers

You can install the Threat.Zone MCP server using pip or uv:

# Using pip
pip install threatzone-mcp

# Using uv (recommended)
uv add threatzone-mcp

Configuration

Set your Threat.Zone API credentials as environment variables:

export THREATZONE_API_KEY="your_api_key_here"
# Optional: For private tenants or on-premise deployments
export THREATZONE_API_URL="https://your-tenant.threat.zone"

Alternatively, create a .env file:

THREATZONE_API_KEY=your_api_key_here
# Optional: Custom API URL (defaults to https://app.threat.zone)
THREATZONE_API_URL=https://your-tenant.threat.zone

Supported Deployment Types

Public Cloud: https://app.threat.zone (default)
Private Tenant: https://your-tenant.threat.zone
On-Premise: https://your-server.company.com

Connecting to Claude Desktop

Prerequisites

Claude Desktop installed
UV installed
Threat.Zone API Key

Setup Steps

1. Configure Claude Desktop

Find your Claude Desktop configuration directory:

macOS: ~/Library/Application Support/Claude/
Windows: %APPDATA%\Claude\
Linux: ~/.config/Claude/

Create or edit claude_desktop_config.json:

{
  "mcpServers": {
    "threatzone": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/full/path/to/your/threatzonemcp",
        "threatzone-mcp"
      ],
      "env": {
        "THREATZONE_API_KEY": "your_actual_api_key_here",
        "THREATZONE_API_URL": "https://your-tenant.threat.zone"
      }
    }
  }
}

2. Restart Claude Desktop

After saving the configuration:

Quit Claude Desktop completely
Restart Claude Desktop
Look for the 🔌 icon in a new chat to confirm MCP servers are connected

3. Test the Connection

In Claude Desktop, try asking:

"Can you get my Threat.Zone user information?"

Running the Server

You can run the server directly with:

# Using the installed script
threatzone-mcp

# Or directly with Python
python -m threatzone_mcp.server

Available Tools

Analysis Tools

URL Analysis: Analyze URLs for threats with scan_url
File Analysis:
- scan_file_sandbox - Advanced sandbox analysis with full configuration
- scan_file_sandbox_simple - Simple sandbox analysis with default settings
- scan_file_static - Static file analysis
- scan_file_cdr - Content Disarm and Reconstruction

Results & Monitoring

Submission Details: get_submission, get_submission_status_summary
Threat Intelligence: get_submission_indicators, get_submission_iocs
Detection Rules: get_submission_yara_rules, get_submission_varist_results
Network Activity: get_submission_dns, get_submission_http, get_submission_tcp, get_submission_udp, get_submission_network_threats
Artifacts: get_submission_artifacts, get_submission_config_extractor

Helper Functions

Status Interpretation: interpret_status, interpret_threat_level
Constants: get_metafields, get_levels, get_statuses, get_sample_metafield

User Management

Account Info: get_user_info
Submission History: get_my_submissions, get_public_submissions
Search: search_by_hash

Downloads

Files: download_sanitized_file (CDR-cleaned files)
Reports: download_html_report (detailed analysis reports)

Advanced Sandbox Analysis

The scan_file_sandbox tool supports comprehensive configuration options:

Environment Options

Windows: w7_x64, w10_x64, w11_x64
macOS: macos
Android: android
Linux: linux

Analysis Configuration

Timeout: 60, 120, 180, 240, or 300 seconds
Work Path: desktop, root, %AppData%, windows, temp
Mouse Simulation: Enable/disable user interaction simulation
Internet Connection: Allow/block network access
HTTPS Inspection: Monitor encrypted traffic
Raw Logs: Include detailed execution logs

Usage Examples

Simple Analysis:

# Use default settings
await client.call_tool("scan_file_sandbox_simple", {
    "file_path": "/path/to/file.exe"
})

Advanced Analysis:

# Full configuration control
await client.call_tool("scan_file_sandbox", {
    "file_path": "/path/to/file.exe",
    "environment": "w11_x64",
    "timeout": 300,
    "internet_connection": True,
    "https_inspection": True,
    "raw_logs": True,
    "modules": ["csi", "cdr"]
})

Understanding Results

Submission Status Values

Value	Status	Description
1	File received	File has been uploaded and queued for analysis
2	Submission failed	Analysis failed due to error or timeout
3	Submission running	Analysis is currently in progress
4	Submission VM ready	Virtual machine is prepared and starting analysis
5	Submission finished	Analysis completed successfully

Threat Level Values

Value	Level	Description
0	Unknown	Unable to determine threat level
1	Informative	File appears benign with some notable behaviors
2	Suspicious	File exhibits potentially malicious characteristics
3	Malicious	File confirmed as malware or highly dangerous

Troubleshooting

Common Issues

"Server not found" error:
- Check the full path is correct
- Verify UV is installed and in PATH
- Test the command manually
"API key required" error:
- Verify the API key is set correctly in the env section
- Test the API key works with curl
"Permission denied" error:
- Make sure the script is executable
- Check file permissions
Python import errors:
- Verify the virtual environment is properly set up
- Check PYTHONPATH includes the src directory

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "threatzone" '{"command":"python","args":["-m","threatzone_mcp.server"],"env":{"THREATZONE_API_KEY":"your_api_key_here"}}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "threatzone": {
            "command": "python",
            "args": [
                "-m",
                "threatzone_mcp.server"
            ],
            "env": {
                "THREATZONE_API_KEY": "your_api_key_here"
            }
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "threatzone": {
            "command": "python",
            "args": [
                "-m",
                "threatzone_mcp.server"
            ],
            "env": {
                "THREATZONE_API_KEY": "your_api_key_here"
            }
        }
    }
}

3. Restart Claude Desktop for the changes to take effect