Skip to main content

Threat Intelligence MCP Server

Overview Schema Related Servers Score Discussions

Server Configuration

Describes the environment variables required to run the server.

Name	Required	Description	Default
`OTX_API_KEY`	No	AlienVault OTX API key for threat pulse feeds
`SHODAN_API_KEY`	No	Shodan API key for IP intelligence and port scanning
`ABUSEIPDB_API_KEY`	No	AbuseIPDB API key for IP reputation and abuse reports
`VIRUSTOTAL_API_KEY`	No	VirusTotal API key for hash and IP lookups

Tools

Functions exposed to the LLM to take actions

Name	Description
get_threat_feeds	Get list of all available threat intelligence feeds. Returns: JSON with available feeds and their descriptions
fetch_threat_feed	Fetch and parse a specific threat intelligence feed. Args: feed_name: Name of the feed (feodo_tracker, urlhaus_recent, etc.) Returns: JSON with IOCs from the feed
check_ip_reputation	Check an IP address against multiple threat intelligence sources. Args: ip: IP address to check Returns: JSON with reputation data from multiple sources
check_hash_reputation	Check a file hash (MD5/SHA1/SHA256) against threat intelligence. Args: file_hash: File hash to check Returns: JSON with reputation data
check_bulk_ips	Check multiple IP addresses against threat feeds in bulk. Args: ips: JSON array of IP addresses or comma-separated list Returns: JSON with reputation results for all IPs
get_cisa_kev	Get CISA Known Exploited Vulnerabilities. Args: days: Get vulnerabilities added in last N days (default: 30) vendor: Filter by vendor name (optional) Returns: JSON with recent KEVs
get_dashboard_summary	Get a summary of all threat intelligence for dashboard display. Returns: JSON with aggregated threat data for visualization
get_recent_iocs	Get recent IOCs (Indicators of Compromise) from ThreatFox. Args: ioc_type: Filter by type (ip:port, domain, url, md5, sha256) limit: Maximum IOCs to return (default: 100, max: 500) Returns: JSON with recent IOCs
check_network_against_threats	Check network scan results against threat intelligence. Args: scan_results: JSON string from network scanner with device IPs Returns: JSON with any matched threats
get_threat_stats	Get statistics about loaded threat data and cache status. Returns: JSON with threat intelligence statistics
clear_threat_cache	Clear the threat intelligence cache to force fresh data fetch. Returns: JSON confirmation

Prompts

Interactive templates invoked by user choice

Name	Description
No prompts

Resources

Contextual data attached and managed by the client

Name	Description
No resources

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/marc-shade/threat-intel-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server