Integrates with abuse.ch services including URLhaus, ThreatFox, and MalwareBazaar for malware URL tracking, IOC sharing, and malware sample intelligence.
Analyzes Composer dependencies for PHP projects, detecting security vulnerabilities and providing risk assessment.
Analyzes Dockerfile configurations for security best practices, identifying security misconfigurations and providing hardening recommendations.
Scans Kubernetes manifests for security issues, identifying policy violations, privilege escalation risks, and network security issues.
Scans NPM dependencies for security vulnerabilities, identifying known malicious packages and outdated dependencies.
Incorporates OWASP security best practices and vulnerability patterns for comprehensive security analysis of code and configurations.
Aggregates IP, domain, hash, and URL analysis data from VirusTotal v3 API, providing comprehensive malware analysis and reputation scoring.
A comprehensive threat intelligence aggregation MCP (Model Context Protocol) server that provides unified access to multiple threat intelligence sources for security analysis.
Cyber Sentinel eliminates the tedious manual process of querying multiple threat intelligence sources by providing a single, unified interface. Security analysts can now analyze indicators (IPs, domains, hashes, URLs) across multiple sources with a single command, getting aggregated results with confidence scoring.
Multi-Source Intelligence: Aggregates data from VirusTotal v3, AbuseIPDB, URLhaus, Shodan, ThreatFox, and MalwareBazaar
Smart Indicator Detection: Automatically detects IP addresses, domains, file hashes, and URLs
Intelligent Aggregation: Combines results from multiple sources with confidence scoring
Async Performance: High-performance concurrent processing
Smart Caching: Reduces API calls and improves response times (1-hour TTL)
Rate Limiting: Respects API limits across all sources (60 req/min default)
Error Recovery: Graceful handling of API failures and timeouts
Multi-Language Support: Analyzes Python, JavaScript, Java, C#, PHP, Go, Rust, C++, and SQL code
Vulnerability Detection: Identifies hardcoded secrets, SQL injection, XSS, path traversal, and more
Network Indicator Analysis: Extracts and analyzes IPs, domains, and URLs found in code
Secure Alternatives: Provides secure coding recommendations and alternatives
Risk Scoring: Calculates comprehensive security risk scores
Multi-Platform Support: Scans NPM, Python, Maven, Cargo, Go, and Composer dependencies
Vulnerability Detection: Identifies known malicious packages and outdated dependencies
Security Recommendations: Provides actionable security improvement suggestions
Risk Assessment: Comprehensive dependency risk scoring
Docker Security: Analyzes Dockerfile configurations for security best practices
Kubernetes Security: Scans K8s manifests for security misconfigurations
CI/CD Integration: Provides security analysis for DevOps pipelines
Rich Reports: Generates comprehensive security analysis reports
Visual Dashboards: Creates security metrics and trend visualizations
Export Options: Supports multiple output formats (JSON, HTML, PDF)
MCP Protocol: Full compatibility with MCP-enabled AI assistants
Python 3.8 or higher
MCP-compatible client (Claude Desktop, Cursor, etc.)
Clone the repository:
Install dependencies:
配置API密钥:
Verify installation:
Free Tier: 1,000 requests/day
Capabilities: IP, domain, hash, and URL analysis
Visit VirusTotal
Create a free account
Get your API key from the API section
Add to .env: VIRUSTOTAL_API_KEY=your_key_here
Free Tier: 1,000 requests/day
Capabilities: IP address reputation and abuse reporting
Visit AbuseIPDB
Create a free account
Get your API key from the account settings
Add to .env: ABUSEIPDB_API_KEY=your_key_here
Free Tier: 100 results/month
Capabilities: Internet-connected device intelligence
Visit Shodan
Create an account and get your API key
Add to .env: SHODAN_API_KEY=your_key_here
Free: Works without API key for basic usage
Capabilities: Malware URL and payload tracking
Add to your claude_desktop_config.json:
Add to your MCP configuration:
Once configured in your MCP client, you can use natural language to analyze security indicators:
analyze_indicatorAnalyzes security indicators across multiple threat intelligence sources.
Supported Indicators:
IP Addresses: IPv4 addresses (e.g., 8.8.8.8)
Domain Names: Any domain (e.g., google.com)
File Hashes: MD5, SHA1, SHA256 hashes
URLs: Complete URLs (e.g., https://example.com)
Returns:
Overall reputation (clean/malicious/unknown)
Confidence score (0-100%)
Results from individual threat intelligence sources
Geographic and ISP information (for IPs)
Detailed analysis data
check_api_statusChecks the configuration and status of all threat intelligence sources.
Returns:
API key validation status
Available capabilities per source
Rate limiting configuration
Overall system health
analyze_code_securityPerforms comprehensive security analysis of source code.
Parameters:
code_content: Source code to analyze
language: Programming language (auto-detected if not specified)
locale: Output language (zh/en)
Returns:
Security vulnerabilities and their severity
Hardcoded secrets and credentials
Network indicators found in code
Secure coding recommendations
Risk score and remediation guidance
scan_project_dependenciesScans project dependencies for security vulnerabilities.
Parameters:
project_files: Dictionary of dependency files (package.json, requirements.txt, etc.)
Returns:
Known malicious packages
Outdated dependencies with vulnerabilities
Security recommendations
Risk assessment and scoring
analyze_docker_securityAnalyzes Docker configurations for security best practices.
Parameters:
dockerfile_content: Dockerfile content to analyze
Returns:
Security misconfigurations
Best practice violations
Hardening recommendations
Risk assessment
scan_kubernetes_configScans Kubernetes manifests for security issues.
Parameters:
k8s_manifests: Dictionary of Kubernetes YAML files
Returns:
Security policy violations
Privilege escalation risks
Network security issues
Compliance recommendations
generate_security_reportGenerates comprehensive security reports with visualizations.
Parameters:
analysis_results: Combined results from security analyses
report_format: Output format (json/html/markdown)
Returns:
Formatted security report
Executive summary
Detailed findings
Remediation roadmap
Async Architecture: High-performance concurrent processing across all analysis tools
Smart Caching: 1-hour TTL reduces API calls and improves response times
Parallel Processing: Simultaneous analysis across multiple threat intelligence sources
Optimized Algorithms: Efficient pattern matching and vulnerability detection
Rate Limiting: Configurable limits (default: 60 requests/minute) with intelligent throttling
Timeout Handling: 30-second request timeouts prevent hanging operations
Error Recovery: Graceful handling of API failures and network issues
Fallback Mechanisms: Continues analysis even when some sources are unavailable
Retry Logic: Automatic retry with exponential backoff for transient failures
Zero Data Storage: No indicators, code, or analysis results are permanently stored
Memory-Only Processing: All analysis happens in memory with automatic cleanup
API Key Security: Keys managed securely through environment variables and encrypted storage
Source Isolation: Each threat intelligence source operates independently with isolated credentials
Local Processing: Code analysis happens locally without external transmission
Error Isolation: Sensitive information is never exposed in error messages or logs
Audit Trail: Optional security event logging for compliance requirements
Data Minimization: Only necessary data is processed and immediately discarded
Run the test suite to verify functionality:
This project is licensed under the MIT License - see the LICENSE file for details.
Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Make your changes and add tests
Commit your changes (git commit -m 'Add amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request
Issues: GitHub Issues
Documentation: See llms-install.md for detailed setup
MCP Protocol: Model Context Protocol Documentation
Anthropic for the MCP protocol and Claude AI
VirusTotal for comprehensive malware analysis
AbuseIPDB for IP reputation intelligence
URLhaus for malware URL tracking
Shodan for internet device intelligence
ThreatFox for IOC sharing platform
MalwareBazaar for malware sample intelligence
OWASP for security best practices and vulnerability patterns
Open source security community for continuous threat intelligence sharing
🛡️ Threat Intelligence, Simplified.
This server cannot be installed
A threat intelligence aggregation server that provides unified access to multiple security sources for analyzing indicators (IPs, domains, hashes, URLs) with confidence scoring.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/jx888-max/cyber-sentinel-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server