Enables checking file hash (MD5/SHA1/SHA256) and IP reputation with detection ratios and vendor verdicts from VirusTotal's threat intelligence database.
Threat Intelligence MCP Server
Threat intelligence aggregation from multiple sources for security monitoring.
Part of the Agentic System - a 24/7 autonomous AI framework with persistent memory.
Real-time threat intelligence aggregation for the AGI agentic cluster.
Version: 0.2.0
Features
- Multi-source threat feeds: Feodo Tracker, URLhaus, CISA KEV, ThreatFox, Emerging Threats, Spamhaus DROP, Blocklist.de, CINSscore
- IP/Hash reputation checking: VirusTotal, AbuseIPDB, Shodan integration
- Bulk IP checking: Check up to 100 IPs in a single request
- Network scanning integration: Check scanned devices against threat lists
- Thread-safe caching: Intelligent caching with TTL and size limits
- Dashboard API: Aggregated data for visualization (Flask-based)
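An added example (not the project's own code) of what the input validation, bulk cap and cache features above look like in practice: a classifier for the IOC types the server accepts (IPv4/IPv6 addresses, MD5/SHA1/SHA256 hashes), enforcement of the 100-IP bulk limit, and a thread-safe TTL cache with a size limit. All names here (classify_ioc, validate_bulk_ips, TTLCache, MAX_BULK_IPS) are assumptions, not the server's actual API.

```python
# Added example, not the project's code; all names are assumptions. IOC validation + TTL cache.
import ipaddress, string, threading, time
from collections import OrderedDict
MAX_BULK_IPS = 100  # per-request bulk limit stated in the README
_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm

def classify_ioc(value: str) -> str:
    """Return 'ipv4', 'ipv6', 'md5', 'sha1' or 'sha256'; raise ValueError for anything else."""
    if len(value) in _HASH_TYPES and all(c in string.hexdigits for c in value):
        return _HASH_TYPES[len(value)]
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        raise ValueError(f"unsupported IOC: {value!r}") from None
    if addr.is_private or addr.is_loopback:  # never in public feeds; reject before any API call
        raise ValueError(f"non-routable address: {value}")
    return f"ipv{addr.version}"

def validate_bulk_ips(ips: list[str]) -> list[str]:
    """Strip, deduplicate and validate a bulk request, enforcing the per-request cap."""
    unique = list(dict.fromkeys(ip.strip() for ip in ips))
    if len(unique) > MAX_BULK_IPS:
        raise ValueError(f"at most {MAX_BULK_IPS} IPs per request, got {len(unique)}")
    for ip in unique:
        if not classify_ioc(ip).startswith("ip"):
            raise ValueError(f"not an IP address: {ip}")
    return unique

class TTLCache:
    """Thread-safe LRU cache: entries expire after ttl seconds, oldest evicted past maxsize."""
    def __init__(self, ttl: float = 300.0, maxsize: int = 1000, clock=time.monotonic):
        self._ttl, self._maxsize, self._clock = ttl, maxsize, clock
        self._data: OrderedDict = OrderedDict()  # key -> (expiry time, value)
        self._lock = threading.Lock()

    def get(self, key: str):
        with self._lock:
            item = self._data.get(key)
            if item is None or item[0] <= self._clock():
                self._data.pop(key, None)  # missing or expired: drop lazily
                return None
            self._data.move_to_end(key)  # mark as recently used
            return item[1]

    def set(self, key: str, value) -> None:
        with self._lock:
            self._data.pop(key, None)  # re-insert so the entry counts as newest
            self._data[key] = (self._clock() + self._ttl, value)
            while len(self._data) > self._maxsize:
                self._data.popitem(last=False)  # evict least recently used
```

The injectable clock lets tests drive expiry deterministically instead of sleeping; the same key is used for every lookup of an indicator so concurrent tool calls share one upstream request's result.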
Installation
Configuration
Add to ~/.claude.json:
API Keys (Optional)
Set environment variables for enhanced capabilities:
| Variable | Service | Purpose |
|---|---|---|
| | VirusTotal | Hash and IP lookups |
| | AbuseIPDB | IP reputation and abuse reports |
| | Shodan | IP intelligence and port scanning |
| | AlienVault OTX | Threat pulse feeds |
MCP Tools
| Tool | Description |
|---|---|
| | List all available threat intelligence feeds with status |
| | Fetch IOCs from a specific feed by name |
| | Check IP against multiple threat sources (VT, AbuseIPDB, Shodan) |
| | Check file hash (MD5/SHA1/SHA256) reputation |
| | NEW Check up to 100 IPs in a single request |
| | Get CISA Known Exploited Vulnerabilities catalog |
| | Aggregated threat data for dashboards |
| | Recent IOCs from ThreatFox (filterable by type) |
| | Check network scan results for threats |
| | NEW Get cache statistics and API key status |
| | NEW Clear the threat intelligence cache |
Threat Feeds
Free (No API Key Required)
| Feed | Type | Description |
|---|---|---|
| | IP List | Botnet C&C IPs (Dridex, Emotet, TrickBot) |
| | URL List | Recent malware distribution URLs |
| | IP List | SSL Blacklist malicious IPs |
| | IP List | Compromised host IPs |
| | IP List | Known Tor exit node IPs |
| | JSON | Known Exploited Vulnerabilities catalog |
| | JSON | Recent malware IOCs |
| | IP List | All attackers from blocklist.de |
| | IP List | CINSscore malicious IPs |
| | CIDR List | Spamhaus Don't Route Or Peer |
API-Enhanced
| Feed | API Key | Enhanced Data |
|---|---|---|
| VirusTotal | | Detection ratios, vendor verdicts |
| AbuseIPDB | | Abuse confidence score, report counts |
| Shodan | | Open ports, services, vulnerabilities |
| AlienVault OTX | | Threat pulses, related IOCs |
Usage Examples
Check IP Reputation
Bulk IP Check
Network Scanner Integration
Get Recent IOCs
Running the Dashboard
Dashboard provides REST API endpoints for visualization tools.
Development
Running Tests
Project Structure
Changelog
v0.2.0
New Features:
- Bulk IP checking (up to 100 IPs)
- Shodan integration for IP intelligence
- Cache statistics and management tools
- 3 additional threat feeds (blocklist.de, CINSscore, Spamhaus DROP)
Improvements:
- Shared configuration module eliminates code duplication
- Thread-safe caching with TTL and size limits
- Proper input validation for all IOC types
- Type hints throughout codebase
Bug Fixes:
- Fixed all bare except clauses with proper exception handling
- Removed unused imports and dependencies
- Fixed variable scope issues
Developer Experience:
- Comprehensive test suite (67 tests)
- pytest-asyncio for async testing
- Optional dependency groups (dashboard, dev)
v0.1.0
- Initial release with basic threat feed aggregation
Part of the MCP Ecosystem
This server integrates with other MCP servers for comprehensive AGI capabilities:
| Server | Purpose |
|---|---|
| | 4-tier persistent memory with semantic search |
| | Persistent task queues and goal decomposition |
| | Full AGI orchestration with 21 tools |
| | Distributed task routing across nodes |
| | Inter-node AI communication |
| | Production-only policy enforcement |
See agentic-system-oss for the complete framework.