Integrates with abuse.ch services including URLhaus, ThreatFox, and MalwareBazaar for malware URL tracking, IOC sharing, and malware sample intelligence.
Analyzes Composer dependencies for PHP projects, detecting security vulnerabilities and providing risk assessment.
Analyzes Dockerfile configurations for security best practices, identifying security misconfigurations and providing hardening recommendations.
Scans Kubernetes manifests for security issues, identifying policy violations, privilege escalation risks, and network security issues.
Scans NPM dependencies for security vulnerabilities, identifying known malicious packages and outdated dependencies.
Incorporates OWASP security best practices and vulnerability patterns for comprehensive security analysis of code and configurations.
Aggregates IP, domain, hash, and URL analysis data from VirusTotal v3 API, providing comprehensive malware analysis and reputation scoring.
🛡️ Cyber Sentinel MCP Server
A comprehensive threat intelligence aggregation MCP (Model Context Protocol) server that provides unified access to multiple threat intelligence sources for security analysis.
🎯 Overview
Cyber Sentinel eliminates the tedious manual process of querying multiple threat intelligence sources by providing a single, unified interface. Security analysts can now analyze indicators (IPs, domains, hashes, URLs) across multiple sources with a single command, getting aggregated results with confidence scoring.
✨ Features
🔍 Threat Intelligence
Multi-Source Intelligence: Aggregates data from VirusTotal v3, AbuseIPDB, URLhaus, Shodan, ThreatFox, and MalwareBazaar
Smart Indicator Detection: Automatically detects IP addresses, domains, file hashes, and URLs
Intelligent Aggregation: Combines results from multiple sources with confidence scoring
Async Performance: High-performance concurrent processing
Smart Caching: Reduces API calls and improves response times (1-hour TTL)
Rate Limiting: Respects API limits across all sources (60 req/min default)
Error Recovery: Graceful handling of API failures and timeouts
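The "Intelligent Aggregation", "confidence scoring" and "graceful handling of API failures" items above describe one mechanism: per-source verdicts are combined into a single reputation, and a source that failed lowers confidence instead of failing the whole lookup. The following is an added illustration of that idea, not Cyber Sentinel's own scoring code; the SourceResult shape, the per-source weights and the confidence formula are assumptions.

```python
"""Weighted aggregation of per-source verdicts into one reputation and a confidence score.
Added illustration, not Cyber Sentinel's own scoring; the weights, the SourceResult shape
and the confidence formula are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SourceResult:
    source: str
    verdict: Optional[str]  # "malicious", "clean", or None when the source failed / had no data
    weight: float = 1.0     # assumed per-source trust weight


def aggregate(results: List[SourceResult]) -> dict:
    """Weighted vote over the sources that answered.

    A source that failed (verdict None) is skipped instead of aborting the whole lookup,
    so the answer degrades to a lower confidence rather than to an error.
    """
    answered = [r for r in results if r.verdict in ("malicious", "clean")]
    if not answered:
        return {"reputation": "unknown", "confidence": 0, "sources_answered": 0}
    total_weight = sum(r.weight for r in results)
    answered_weight = sum(r.weight for r in answered)
    malicious_weight = sum(r.weight for r in answered if r.verdict == "malicious")
    malicious_share = malicious_weight / answered_weight
    if malicious_share >= 0.5:
        reputation, agreement = "malicious", malicious_share
    else:
        reputation, agreement = "clean", 1.0 - malicious_share
    # Confidence = how strongly the answering sources agree, scaled by how much of the
    # configured weight actually answered (a missing source lowers confidence, not the verdict).
    coverage = answered_weight / total_weight
    return {
        "reputation": reputation,
        "confidence": round(100 * agreement * coverage),
        "sources_answered": len(answered),
    }


# Constructed sample: two sources flag the indicator, one says clean, one timed out.
SAMPLE = [
    SourceResult("virustotal", "malicious", 2.0),
    SourceResult("abuseipdb", "malicious", 1.0),
    SourceResult("urlhaus", "clean", 1.0),
    SourceResult("shodan", None, 1.0),
]

if __name__ == "__main__":
    print(aggregate(SAMPLE))
```

With the sample above the verdict is "malicious" at 60% confidence: the answering sources agree 3:1 by weight (75%), and only 4 of the 5 configured weight units answered (80%), so the timed-out source costs confidence without flipping the result.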
🛡️ Code Security Analysis
Multi-Language Support: Analyzes Python, JavaScript, Java, C#, PHP, Go, Rust, C++, and SQL code
Vulnerability Detection: Identifies hardcoded secrets, SQL injection, XSS, path traversal, and more
Network Indicator Analysis: Extracts and analyzes IPs, domains, and URLs found in code
Secure Alternatives: Provides secure coding recommendations and alternatives
Risk Scoring: Calculates comprehensive security risk scores
📦 Dependency Security
Multi-Platform Support: Scans NPM, Python, Maven, Cargo, Go, and Composer dependencies
Vulnerability Detection: Identifies known malicious packages and outdated dependencies
Security Recommendations: Provides actionable security improvement suggestions
Risk Assessment: Comprehensive dependency risk scoring
🐳 Infrastructure Security
Docker Security: Analyzes Dockerfile configurations for security best practices
Kubernetes Security: Scans K8s manifests for security misconfigurations
CI/CD Integration: Provides security analysis for DevOps pipelines
📊 Reporting & Visualization
Rich Reports: Generates comprehensive security analysis reports
Visual Dashboards: Creates security metrics and trend visualizations
Export Options: Supports multiple output formats (JSON, HTML, PDF)
MCP Protocol: Full compatibility with MCP-enabled AI assistants
🚀 Quick Start
Prerequisites
Python 3.8 or higher
MCP-compatible client (Claude Desktop, Cursor, etc.)
Installation
Clone the repository:
Install dependencies:
Configure API keys:
Verify installation:
API Key Setup
VirusTotal (Highly Recommended)
Free Tier: 1,000 requests/day
Capabilities: IP, domain, hash, and URL analysis
Visit VirusTotal
Create a free account
Get your API key from the API section
Add to .env: VIRUSTOTAL_API_KEY=your_key_here
AbuseIPDB (Highly Recommended)
Free Tier: 1,000 requests/day
Capabilities: IP address reputation and abuse reporting
Visit AbuseIPDB
Create a free account
Get your API key from the account settings
Add to .env: ABUSEIPDB_API_KEY=your_key_here
Shodan (Optional)
Free Tier: 100 results/month
Capabilities: Internet-connected device intelligence
Visit Shodan
Create an account and get your API key
Add to .env: SHODAN_API_KEY=your_key_here
URLhaus (No API Key Required)
Free: Works without API key for basic usage
Capabilities: Malware URL and payload tracking
🔧 MCP Client Configuration
Claude Desktop
Add to your claude_desktop_config.json:
Cursor/VS Code
Add to your MCP configuration:
📖 Usage Examples
Once configured in your MCP client, you can use natural language to analyze security indicators:
🔍 Threat Intelligence Analysis
🛡️ Code Security Analysis
📦 Dependency Security Scanning
🐳 Infrastructure Security
📊 Security Reporting
🛠️ Available MCP Tools
🔍 Threat Intelligence Tools
analyze_indicator
Analyzes security indicators across multiple threat intelligence sources.
Supported Indicators:
IP Addresses: IPv4 addresses (e.g., 8.8.8.8)
Domain Names: Any domain (e.g., google.com)
File Hashes: MD5, SHA1, SHA256 hashes
URLs: Complete URLs (e.g., https://example.com)
Returns:
Overall reputation (clean/malicious/unknown)
Confidence score (0-100%)
Results from individual threat intelligence sources
Geographic and ISP information (for IPs)
Detailed analysis data
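The auto-detection that analyze_indicator relies on has to decide which of the four indicator types a raw string is before any source is queried. The following classifier is an added example, not the project's own detection code; it goes slightly beyond the page by accepting IPv6 alongside the IPv4 listed above and by flagging private, loopback and link-local addresses (the "internal" key is an assumption about a flag a caller could use to avoid sending internal addresses to external services).

```python
"""Classify a raw indicator string (IP, domain, file hash or URL).
Added illustration, not Cyber Sentinel's own detection code; the output keys are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

HASH_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex-digit length -> algorithm
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Labels of 1-63 chars that do not start or end with '-', at least one dot, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$")


def classify_indicator(value: str) -> dict:
    v = value.strip()
    # URLs first: a URL contains a host, so the narrower types must not claim it.
    if "://" in v:
        parsed = urlparse(v)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return {"type": "url", "value": v, "host": parsed.hostname}
        return {"type": "unknown", "value": v}
    try:
        ip = ipaddress.ip_address(v)          # IPv4 or IPv6
        return {"type": "ip", "value": v, "version": ip.version,
                "internal": ip.is_private or ip.is_loopback or ip.is_link_local}
    except ValueError:
        pass
    if len(v) in HASH_ALGORITHMS and HEX_RE.match(v):
        return {"type": "hash", "value": v.lower(), "algorithm": HASH_ALGORITHMS[len(v)]}
    if DOMAIN_RE.match(v):
        return {"type": "domain", "value": v.lower()}
    return {"type": "unknown", "value": v}


if __name__ == "__main__":
    for sample in ("8.8.8.8", "google.com", "d41d8cd98f00b204e9800998ecf8427e",
                   "https://example.com/path", "10.0.0.1", "not an indicator"):
        print(classify_indicator(sample))
```

The order of the checks matters: URLs are tested first because their host component would otherwise match the domain or IP rule, and the hash rule runs before the domain rule because a bare hex string never contains a dot, so the two cannot collide.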
check_api_status
Checks the configuration and status of all threat intelligence sources.
Returns:
API key validation status
Available capabilities per source
Rate limiting configuration
Overall system health
🛡️ Security Analysis Tools
analyze_code_security
Performs comprehensive security analysis of source code.
Parameters:
code_content: Source code to analyze
language: Programming language (auto-detected if not specified)
locale: Output language (zh/en)
Returns:
Security vulnerabilities and their severity
Hardcoded secrets and credentials
Network indicators found in code
Secure coding recommendations
Risk score and remediation guidance
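To make the return values above concrete, here is an added example of pattern-based detection for two of the listed vulnerability classes, hardcoded secrets and string-built SQL, with per-finding severity, a recommendation and a capped risk score. It is an illustration written for this page, not analyze_code_security's rule set; the regexes, severity weights and recommendation text are assumptions, and the sample input is constructed.

```python
"""Pattern-based detection of hardcoded secrets and string-built SQL, with a risk score.
Added illustration of what analyze_code_security could report; the rules, severity weights
and recommendations are assumptions, not the project's rule set."""
import re
from typing import Dict, List

# (rule name, pattern, severity). Heuristics: tune for your own code base.
SECRET_RULES = [
    ("hardcoded_password",
     re.compile(r"""(?i)(password|passwd|pwd)\s*[=:]\s*["'][^"']{4,}["']"""), "high"),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    ("generic_api_key",
     re.compile(r"""(?i)(api[_-]?key|secret[_-]?key|token)\s*[=:]\s*["'][A-Za-z0-9_\-]{16,}["']"""),
     "high"),
]
SQL_KEYWORD = re.compile(r"(?i)\b(select|insert|update|delete)\b")
# String building next to a SQL keyword: "..." + var, f"...{var}", "..." % var
SQL_DYNAMIC = re.compile(r"""["']\s*\+\s*\w|\bf["'][^"']*\{|["']\s*%\s*\(?\w""")
SEVERITY_WEIGHT = {"critical": 40, "high": 25, "medium": 10}


def analyze_code_security(code_content: str) -> dict:
    findings: List[Dict] = []
    for lineno, line in enumerate(code_content.splitlines(), start=1):
        for rule, pattern, severity in SECRET_RULES:
            if pattern.search(line):
                findings.append({"line": lineno, "rule": rule, "severity": severity,
                                 "recommendation": "Read the secret from the environment or a secrets manager"})
        if SQL_KEYWORD.search(line) and SQL_DYNAMIC.search(line):
            findings.append({"line": lineno, "rule": "sql_injection", "severity": "critical",
                             "recommendation": "Use a parameterized query; never build SQL from input"})
    risk_score = min(100, sum(SEVERITY_WEIGHT[f["severity"]] for f in findings))
    return {"findings": findings, "risk_score": risk_score}


# Constructed sample input: one hardcoded credential, one concatenated query,
# and two safe lines (environment lookup, parameterized query) that must not be flagged.
SAMPLE_CODE = '''import os
DB_PASSWORD = "hunter2secret"
api_key = os.environ.get("API_KEY")

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")

def find_user_safe(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))
'''

if __name__ == "__main__":
    print(analyze_code_security(SAMPLE_CODE))
```

The sample deliberately pairs each weak line with its secure alternative so the rules can be checked for false positives: the environment lookup on line 3 and the parameterized query on line 9 produce no findings, while lines 2 and 6 do.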
scan_project_dependencies
Scans project dependencies for security vulnerabilities.
Parameters:
project_files: Dictionary of dependency files (package.json, requirements.txt, etc.)
Returns:
Known malicious packages
Outdated dependencies with vulnerabilities
Security recommendations
Risk assessment and scoring
analyze_docker_security
Analyzes Docker configurations for security best practices.
Parameters:
dockerfile_content: Dockerfile content to analyze
Returns:
Security misconfigurations
Best practice violations
Hardening recommendations
Risk assessment
scan_kubernetes_config
Scans Kubernetes manifests for security issues.
Parameters:
k8s_manifests: Dictionary of Kubernetes YAML files
Returns:
Security policy violations
Privilege escalation risks
Network security issues
Compliance recommendations
generate_security_report
Generates comprehensive security reports with visualizations.
Parameters:
analysis_results: Combined results from security analyses
report_format: Output format (json/html/markdown)
Returns:
Formatted security report
Executive summary
Detailed findings
Remediation roadmap
📊 Example Response
⚡ Performance & Reliability
🚀 High Performance
Async Architecture: High-performance concurrent processing across all analysis tools
Smart Caching: 1-hour TTL reduces API calls and improves response times
Parallel Processing: Simultaneous analysis across multiple threat intelligence sources
Optimized Algorithms: Efficient pattern matching and vulnerability detection
🛡️ Reliability & Resilience
Rate Limiting: Configurable limits (default: 60 requests/minute) with intelligent throttling
Timeout Handling: 30-second request timeouts prevent hanging operations
Error Recovery: Graceful handling of API failures and network issues
Fallback Mechanisms: Continues analysis even when some sources are unavailable
Retry Logic: Automatic retry with exponential backoff for transient failures
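The caching, rate limiting, timeout, retry and fallback items above fit together as one pipeline around each source lookup: check the TTL cache, wait for a rate-limit slot, run the fetch under a timeout with exponential-backoff retries, and turn a final failure into a "no verdict" result so the other sources still answer. The code below is an added example of that pipeline, not Cyber Sentinel's own implementation; the class names, the fake sources and the very short demo timeouts are assumptions made so the demo finishes in well under a second.

```python
"""TTL cache, sliding-window rate limiter and retry-with-backoff around a threat-intel fetch.
Added illustration, not Cyber Sentinel's own code; names, fake sources and demo timings are assumptions."""
import asyncio
import time
from collections import deque
from typing import Any, Awaitable, Callable, Deque, Optional


class TTLCache:
    """In-memory cache whose entries expire after ttl_seconds (1 hour by default)."""
    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl, self._store = ttl_seconds, {}  # key -> (expires_at, value)

    def get(self, key: str) -> Optional[Any]:
        entry = self._store.get(key)
        if entry is not None and time.monotonic() < entry[0]:
            return entry[1]
        self._store.pop(key, None)  # missing or expired: evict lazily
        return None

    def set(self, key: str, value: Any) -> None:
        self._store[key] = (time.monotonic() + self.ttl, value)


class RateLimiter:
    """Allow at most `limit` calls in any `period`-second window; callers wait, never fail."""
    def __init__(self, limit: int = 60, period: float = 60.0):
        self.limit, self.period = limit, period
        self._calls: Deque[float] = deque()
        self._lock = asyncio.Lock()

    async def acquire(self) -> None:
        while True:
            async with self._lock:
                now = time.monotonic()
                while self._calls and now - self._calls[0] >= self.period:
                    self._calls.popleft()
                if len(self._calls) < self.limit:
                    self._calls.append(now)
                    return
                wait = self.period - (now - self._calls[0])
            await asyncio.sleep(wait)  # sleep outside the lock so other tasks can proceed


async def with_retry(make_call: Callable[[], Awaitable[Any]], attempts: int = 3,
                     timeout: float = 30.0, base_delay: float = 0.5) -> Any:
    """Retry transient failures (timeouts, connection errors) with exponential backoff."""
    for attempt in range(attempts):
        try:
            return await asyncio.wait_for(make_call(), timeout=timeout)
        except (asyncio.TimeoutError, ConnectionError):
            if attempt == attempts - 1:
                raise
            await asyncio.sleep(base_delay * (2 ** attempt))


class ThreatSource:
    """One intel source: cache hit, else a rate-limited, retried fetch; errors become verdict None."""
    def __init__(self, name: str, fetch: Callable[[str], Awaitable[dict]],
                 timeout: float = 30.0, attempts: int = 3, base_delay: float = 0.5):
        self.name, self.fetch = name, fetch
        self.timeout, self.attempts, self.base_delay = timeout, attempts, base_delay
        self.cache, self.limiter = TTLCache(3600.0), RateLimiter(60, 60.0)

    async def lookup(self, indicator: str) -> dict:
        cached = self.cache.get(indicator)
        if cached is not None:
            return {"source": self.name, "cached": True, **cached}
        await self.limiter.acquire()
        try:
            result = await with_retry(lambda: self.fetch(indicator), self.attempts,
                                      self.timeout, self.base_delay)
        except (asyncio.TimeoutError, ConnectionError) as exc:
            # Fallback: report the failure and let the other sources' answers stand.
            return {"source": self.name, "error": type(exc).__name__, "verdict": None}
        self.cache.set(indicator, result)
        return {"source": self.name, "cached": False, **result}


def run_demo() -> dict:
    """Constructed sources: one fails once then answers, one never answers within the timeout."""
    calls = {"flaky": 0}

    async def flaky_fetch(indicator: str) -> dict:
        calls["flaky"] += 1
        if calls["flaky"] == 1:
            raise ConnectionError("simulated transient failure")
        return {"verdict": "malicious", "detections": 12}

    async def slow_fetch(indicator: str) -> dict:
        await asyncio.sleep(5.0)  # far longer than the demo timeout
        return {"verdict": "clean"}

    async def main() -> dict:
        flaky = ThreatSource("flaky-source", flaky_fetch, timeout=0.05, base_delay=0.01)
        slow = ThreatSource("slow-source", slow_fetch, timeout=0.05, attempts=2, base_delay=0.01)
        first = await asyncio.gather(flaky.lookup("8.8.8.8"), slow.lookup("8.8.8.8"))
        second = await flaky.lookup("8.8.8.8")  # served from the cache, no second fetch
        limiter = RateLimiter(limit=2, period=0.05)
        start = time.monotonic()
        for _ in range(3):  # the third call has to wait for the window to slide
            await limiter.acquire()
        return {"first": list(first), "second": second, "flaky_calls": calls["flaky"],
                "limiter_wait": time.monotonic() - start}

    return asyncio.run(main())
```

Running run_demo() shows the three behaviours at once: the flaky source is retried after its first ConnectionError and then cached, the slow source exhausts its attempts and comes back as an error with verdict None rather than an exception, and the third acquire() on a two-per-window limiter blocks for roughly one period.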
🔒 Security & Privacy
🛡️ Data Protection
Zero Data Storage: No indicators, code, or analysis results are permanently stored
Memory-Only Processing: All analysis happens in memory with automatic cleanup
API Key Security: Keys managed securely through environment variables and encrypted storage
Source Isolation: Each threat intelligence source operates independently with isolated credentials
🔐 Privacy Safeguards
Local Processing: Code analysis happens locally without external transmission
Error Isolation: Sensitive information is never exposed in error messages or logs
Audit Trail: Optional security event logging for compliance requirements
Data Minimization: Only necessary data is processed and immediately discarded
🧪 Testing
Run the test suite to verify functionality:
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
🤝 Contributing
Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Make your changes and add tests
Commit your changes (git commit -m 'Add amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request
🆘 Support
Issues: GitHub Issues
Documentation: See llms-install.md for detailed setup
MCP Protocol: Model Context Protocol Documentation
🙏 Acknowledgments
Anthropic for the MCP protocol and Claude AI
VirusTotal for comprehensive malware analysis
AbuseIPDB for IP reputation intelligence
URLhaus for malware URL tracking
Shodan for internet device intelligence
ThreatFox for IOC sharing platform
MalwareBazaar for malware sample intelligence
OWASP for security best practices and vulnerability patterns
Open source security community for continuous threat intelligence sharing
🛡️ Threat Intelligence, Simplified.