Threat.Zone MCP server

The Threat.Zone MCP server provides LLMs with access to powerful malware analysis capabilities through a standardized Model Context Protocol (MCP). This server enables AI assistants to analyze files and URLs for threats, retrieve detailed analysis results, and generate security reports.

Installation

Installing with Package Managers

You can install the Threat.Zone MCP server using pip or uv:

# Using pip
pip install threatzone-mcp

# Using uv (recommended)
uv add threatzone-mcp

Configuration

Set your Threat.Zone API credentials as environment variables:

export THREATZONE_API_KEY="your_api_key_here"
# Optional: For private tenants or on-premise deployments
export THREATZONE_API_URL="https://your-tenant.threat.zone"

Alternatively, create a .env file:

THREATZONE_API_KEY=your_api_key_here
# Optional: Custom API URL (defaults to https://app.threat.zone)
THREATZONE_API_URL=https://your-tenant.threat.zone

Supported Deployment Types

• Public Cloud: https://app.threat.zone (default)
• Private Tenant: https://your-tenant.threat.zone
• On-Premise: https://your-server.company.com

Connecting to Claude Desktop

Prerequisites

1. Claude Desktop installed
2. UV installed
3. Threat.Zone API Key

Setup Steps

1. Configure Claude Desktop

Find your Claude Desktop configuration directory:

• macOS: ~/Library/Application Support/Claude/
• Windows: %APPDATA%\Claude\
• Linux: ~/.config/Claude/

Create or edit claude_desktop_config.json:

{
  "mcpServers": {
    "threatzone": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/full/path/to/your/threatzonemcp",
        "threatzone-mcp"
      ],
      "env": {
        "THREATZONE_API_KEY": "your_actual_api_key_here",
        "THREATZONE_API_URL": "https://your-tenant.threat.zone"
      }
    }
  }
}

2. Restart Claude Desktop

After saving the configuration:

1. Quit Claude Desktop completely
2. Restart Claude Desktop
3. Look for the 🔌 icon in a new chat to confirm MCP servers are connected

3. Test the Connection

In Claude Desktop, try asking:

"Can you get my Threat.Zone user information?"

Running the Server

You can run the server directly with:

# Using the installed script
threatzone-mcp

# Or directly with Python
python -m threatzone_mcp.server

Available Tools

Analysis Tools

• URL Analysis: Analyze URLs for threats with scan_url
• File Analysis:
  • scan_file_sandbox - Advanced sandbox analysis with full configuration
  • scan_file_sandbox_simple - Simple sandbox analysis with default settings
  • scan_file_static - Static file analysis
  • scan_file_cdr - Content Disarm and Reconstruction

Results & Monitoring

• Submission Details: get_submission, get_submission_status_summary
• Threat Intelligence: get_submission_indicators, get_submission_iocs
• Detection Rules: get_submission_yara_rules, get_submission_varist_results
• Network Activity: get_submission_dns, get_submission_http, get_submission_tcp, get_submission_udp, get_submission_network_threats
• Artifacts: get_submission_artifacts, get_submission_config_extractor

Helper Functions

• Status Interpretation: interpret_status, interpret_threat_level
• Constants: get_metafields, get_levels, get_statuses, get_sample_metafield

User Management

• Account Info: get_user_info
• Submission History: get_my_submissions, get_public_submissions
• Search: search_by_hash

Downloads

• Files: download_sanitized_file (CDR-cleaned files)
• Reports: download_html_report (detailed analysis reports)

Advanced Sandbox Analysis

The scan_file_sandbox tool supports comprehensive configuration options:

Environment Options

• Windows: w7_x64, w10_x64, w11_x64
• macOS: macos
• Android: android
• Linux: linux

Analysis Configuration

• Timeout: 60, 120, 180, 240, or 300 seconds
• Work Path: desktop, root, %AppData%, windows, temp
• Mouse Simulation: Enable/disable user interaction simulation
• Internet Connection: Allow/block network access
• HTTPS Inspection: Monitor encrypted traffic
• Raw Logs: Include detailed execution logs

Usage Examples

Simple Analysis:

# Use default settings
await client.call_tool("scan_file_sandbox_simple", {
    "file_path": "/path/to/file.exe"
})

Advanced Analysis:

# Full configuration control
await client.call_tool("scan_file_sandbox", {
    "file_path": "/path/to/file.exe",
    "environment": "w11_x64",
    "timeout": 300,
    "internet_connection": True,
    "https_inspection": True,
    "raw_logs": True,
    "modules": ["csi", "cdr"]
})

Understanding Results

Submission Status Values

Value	Status	Description
1	File received	File has been uploaded and queued for analysis
2	Submission failed	Analysis failed due to error or timeout
3	Submission running	Analysis is currently in progress
4	Submission VM ready	Virtual machine is prepared and starting analysis
5	Submission finished	Analysis completed successfully

Threat Level Values

Value	Level	Description
0	Unknown	Unable to determine threat level
1	Informative	File appears benign with some notable behaviors
2	Suspicious	File exhibits potentially malicious characteristics
3	Malicious	File confirmed as malware or highly dangerous

Troubleshooting

Common Issues

1. "Server not found" error:

   • Check the full path is correct
   • Verify UV is installed and in PATH
   • Test the command manually

2. "API key required" error:

   • Verify the API key is set correctly in the env section
   • Test the API key works with curl

3. "Permission denied" error:

   • Make sure the script is executable
   • Check file permissions

4. Python import errors:

   • Verify the virtual environment is properly set up
   • Check PYTHONPATH includes the src directory

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "threatzone" '{"command":"python","args":["-m","threatzone_mcp.server"],"env":{"THREATZONE_API_KEY":"your_api_key_here"}}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "threatzone": {
            "command": "python",
            "args": [
                "-m",
                "threatzone_mcp.server"
            ],
            "env": {
                "THREATZONE_API_KEY": "your_api_key_here"
            }
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

• macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
• Windows: %APPDATA%\Claude\claude_desktop_config.json
• Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "threatzone": {
            "command": "python",
            "args": [
                "-m",
                "threatzone_mcp.server"
            ],
            "env": {
                "THREATZONE_API_KEY": "your_api_key_here"
            }
        }
    }
}

3. Restart Claude Desktop for the changes to take effect