Threat Intelligence MCP Server
Aggregates real-time threat intelligence from multiple sources including Feodo Tracker, URLhaus, CISA KEV, and ThreatFox, with IP/hash reputation checking via VirusTotal, AbuseIPDB, and Shodan for comprehensive security monitoring.
Threat intelligence aggregation from multiple sources for security monitoring.
Part of the Agentic System - a 24/7 autonomous AI framework with persistent memory.
Real-time threat intelligence aggregation for the AGI agentic cluster.
Version: 0.2.0
Features
- Multi-source threat feeds: Feodo Tracker, URLhaus, CISA KEV, ThreatFox, Emerging Threats, Spamhaus DROP, Blocklist.de, CINSscore
- IP/Hash reputation checking: VirusTotal, AbuseIPDB, Shodan integration
- Bulk IP checking: Check up to 100 IPs in a single request
- Network scanning integration: Check scanned devices against threat lists
- Thread-safe caching: Intelligent caching with TTL and size limits
- Dashboard API: Aggregated data for visualization (Flask-based)
Installation
```bash
cd ${AGENTIC_SYSTEM_PATH:-/opt/agentic}/mcp-servers/threat-intel-mcp
pip install -e .

# For dashboard support:
pip install -e ".[dashboard]"

# For development:
pip install -e ".[dev]"
```
Configuration
Add to ~/.claude.json:
```json
{
  "mcpServers": {
    "threat-intel": {
      "command": "${AGENTIC_SYSTEM_PATH:-/opt/agentic}/.venv/bin/python3",
      "args": ["-m", "threat_intel_mcp.server"]
    }
  }
}
```
API Keys (Optional)
Set environment variables for enhanced capabilities:
| Variable | Service | Purpose |
|---|---|---|
| VIRUSTOTAL_API_KEY | VirusTotal | Hash and IP lookups |
| ABUSEIPDB_API_KEY | AbuseIPDB | IP reputation and abuse reports |
| SHODAN_API_KEY | Shodan | IP intelligence and port scanning |
| OTX_API_KEY | AlienVault OTX | Threat pulse feeds |
MCP Tools
| Tool | Description |
|---|---|
| get_threat_feeds | List all available threat intelligence feeds with status |
| fetch_threat_feed | Fetch IOCs from a specific feed by name |
| check_ip_reputation | Check IP against multiple threat sources (VT, AbuseIPDB, Shodan) |
| check_hash_reputation | Check file hash (MD5/SHA1/SHA256) reputation |
| check_bulk_ips | NEW: Check up to 100 IPs in a single request |
| get_cisa_kev | Get CISA Known Exploited Vulnerabilities catalog |
| get_dashboard_summary | Aggregated threat data for dashboards |
| get_recent_iocs | Recent IOCs from ThreatFox (filterable by type) |
| check_network_against_threats | Check network scan results for threats |
| get_threat_stats | NEW: Get cache statistics and API key status |
| clear_threat_cache | NEW: Clear the threat intelligence cache |
Threat Feeds
Free (No API Key Required)
| Feed | Type | Description |
|---|---|---|
| feodo_tracker | IP List | Botnet C&C IPs (Dridex, Emotet, TrickBot) |
| urlhaus_recent | URL List | Recent malware distribution URLs |
| sslbl_ip | IP List | SSL Blacklist malicious IPs |
| emerging_threats_compromised | IP List | Compromised host IPs |
| tor_exit_nodes | IP List | Known Tor exit node IPs |
| cisa_kev | JSON | Known Exploited Vulnerabilities catalog |
| threatfox_recent | JSON | Recent malware IOCs |
| blocklist_de_all | IP List | All attackers from blocklist.de |
| cinsscore_badguys | IP List | CINSscore malicious IPs |
| spamhaus_drop | CIDR List | Spamhaus Don't Route Or Peer |
API-Enhanced
| Feed | API Key | Enhanced Data |
|---|---|---|
| VirusTotal | VIRUSTOTAL_API_KEY | Detection ratios, vendor verdicts |
| AbuseIPDB | ABUSEIPDB_API_KEY | Abuse confidence score, report counts |
| Shodan | SHODAN_API_KEY | Open ports, services, vulnerabilities |
| AlienVault OTX | OTX_API_KEY | Threat pulses, related IOCs |
Usage Examples
Check IP Reputation
```python
# Returns threat level: clean/low/medium/high/critical
result = await check_ip_reputation("192.0.2.102")
```
Bulk IP Check
```python
# Comma-separated
result = await check_bulk_ips("8.8.8.8, 1.1.1.1, 192.0.2.102")

# JSON array
result = await check_bulk_ips('["8.8.8.8", "1.1.1.1"]')
```
Network Scanner Integration
```python
# Check network scan results against threats
scan_results = '{"devices": [{"ip": "192.0.2.217"}, {"ip": "192.0.2.25"}]}'
threat_check = await check_network_against_threats(scan_results)
```
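As an added illustration (not the project's own code), the following shows how the two usage examples above can be handled server-side: check_bulk_ips accepting either a comma-separated string or a JSON array, dropping invalid entries and enforcing the documented 100-IP cap, and check_network_against_threats matching device IPs against both IP-list feeds and CIDR-list feeds such as spamhaus_drop. The function names and the sample feed contents are assumptions made for this example.

```python
import ipaddress
import json

MAX_BULK_IPS = 100  # the documented limit for check_bulk_ips


def parse_ip_list(raw: str) -> list[str]:
    """Accept comma-separated text or a JSON array; validate, dedupe, cap at 100."""
    raw = raw.strip()
    items = json.loads(raw) if raw.startswith("[") else raw.split(",")
    valid: list[str] = []
    for item in items:
        try:
            # ip_address() rejects junk such as "1.2.3" or "not-an-ip"
            ip = str(ipaddress.ip_address(str(item).strip()))
        except ValueError:
            continue  # drop invalid entries instead of failing the whole request
        if ip not in valid:
            valid.append(ip)
    if len(valid) > MAX_BULK_IPS:
        raise ValueError(f"too many IPs ({len(valid)} > {MAX_BULK_IPS})")
    return valid


def match_against_feeds(scan_results: str, feeds: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {device_ip: [feed names listing it]} for IP-list and CIDR-list feeds."""
    devices = json.loads(scan_results)["devices"]
    # ip_network() treats a bare IP as a /32 (or /128), so one loop covers both feed types
    networks = {
        name: [ipaddress.ip_network(entry, strict=False) for entry in entries]
        for name, entries in feeds.items()
    }
    hits: dict[str, list[str]] = {}
    for device in devices:
        ip = ipaddress.ip_address(device["ip"])
        matched = [name for name, nets in networks.items() if any(ip in net for net in nets)]
        if matched:
            hits[str(ip)] = matched
    return hits


# Constructed sample feeds using documentation address ranges, not real IOCs
SAMPLE_FEEDS = {
    "feodo_tracker": ["192.0.2.25"],        # IP-list style feed
    "spamhaus_drop": ["198.51.100.0/24"],   # CIDR-list style feed
}
```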
Get Recent IOCs
```python
# All recent IOCs
result = await get_recent_iocs()

# Filter by type: ip, ip:port, domain, url, md5, sha1, sha256
result = await get_recent_iocs(ioc_type="ip:port", limit=50)
```
Running the Dashboard
```bash
# Start the Flask dashboard server
threat-intel-dashboard

# Or directly:
python -m threat_intel_mcp.dashboard
```
The dashboard provides REST API endpoints for visualization tools.
Development
Running Tests
```bash
# Install dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# With coverage
pytest tests/ --cov=threat_intel_mcp --cov-report=html
```
Project Structure
```text
threat-intel-mcp/
├── src/threat_intel_mcp/
│   ├── __init__.py      # Package exports
│   ├── config.py        # Configuration, validation, caching
│   ├── server.py        # FastMCP server and tools
│   └── dashboard.py     # Flask dashboard API
├── tests/
│   ├── conftest.py      # Pytest fixtures
│   ├── test_config.py   # Config module tests
│   └── test_server.py   # Server and tool tests
└── pyproject.toml       # Package configuration
```
Changelog
v0.2.0
- New Features:
  - Bulk IP checking (up to 100 IPs)
  - Shodan integration for IP intelligence
  - Cache statistics and management tools
  - 3 additional threat feeds (blocklist.de, CINSscore, Spamhaus DROP)
- Improvements:
  - Shared configuration module eliminates code duplication
  - Thread-safe caching with TTL and size limits
  - Proper input validation for all IOC types
  - Type hints throughout codebase
- Bug Fixes:
  - Fixed all bare except clauses with proper exception handling
  - Removed unused imports and dependencies
  - Fixed variable scope issues
- Developer Experience:
  - Comprehensive test suite (67 tests)
  - pytest-asyncio for async testing
  - Optional dependency groups (dashboard, dev)
v0.1.0
- Initial release with basic threat feed aggregation
Part of the MCP Ecosystem
This server integrates with other MCP servers for comprehensive AGI capabilities:
| Server | Purpose |
|---|---|
| enhanced-memory-mcp | 4-tier persistent memory with semantic search |
| agent-runtime-mcp | Persistent task queues and goal decomposition |
| agi-mcp | Full AGI orchestration with 21 tools |
| cluster-execution-mcp | Distributed task routing across nodes |
| node-chat-mcp | Inter-node AI communication |
| ember-mcp | Production-only policy enforcement |
See agentic-system-oss for the complete framework.