Threat Intelligence MCP Server
Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| OTX_API_KEY | No | AlienVault OTX API key for threat pulse feeds | |
| SHODAN_API_KEY | No | Shodan API key for IP intelligence and port scanning | |
| ABUSEIPDB_API_KEY | No | AbuseIPDB API key for IP reputation and abuse reports | |
| VIRUSTOTAL_API_KEY | No | VirusTotal API key for hash and IP lookups |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tasks | {
"list": {},
"cancel": {},
"requests": {
"tools": {
"call": {}
},
"prompts": {
"get": {}
},
"resources": {
"read": {}
}
}
} |
| tools | {
"listChanged": true
} |
| prompts | {
"listChanged": false
} |
| resources | {
"subscribe": false,
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| get_threat_feedsB | Get list of all available threat intelligence feeds. Returns: JSON with available feeds and their descriptions |
| fetch_threat_feedB | Fetch and parse a specific threat intelligence feed. Args: feed_name: Name of the feed (feodo_tracker, urlhaus_recent, etc.) Returns: JSON with IOCs from the feed |
| check_ip_reputationC | Check an IP address against multiple threat intelligence sources. Args: ip: IP address to check Returns: JSON with reputation data from multiple sources |
| check_hash_reputationA | Check a file hash (MD5/SHA1/SHA256) against threat intelligence. Args: file_hash: File hash to check Returns: JSON with reputation data |
| check_bulk_ipsC | Check multiple IP addresses against threat feeds in bulk. Args: ips: JSON array of IP addresses or comma-separated list Returns: JSON with reputation results for all IPs |
| get_cisa_kevA | Get CISA Known Exploited Vulnerabilities. Args: days: Get vulnerabilities added in last N days (default: 30) vendor: Filter by vendor name (optional) Returns: JSON with recent KEVs |
| get_dashboard_summaryB | Get a summary of all threat intelligence for dashboard display. Returns: JSON with aggregated threat data for visualization |
| get_recent_iocsB | Get recent IOCs (Indicators of Compromise) from ThreatFox. Args: ioc_type: Filter by type (ip:port, domain, url, md5, sha256) limit: Maximum IOCs to return (default: 100, max: 500) Returns: JSON with recent IOCs |
| check_network_against_threatsC | Check network scan results against threat intelligence. Args: scan_results: JSON string from network scanner with device IPs Returns: JSON with any matched threats |
| get_threat_statsB | Get statistics about loaded threat data and cache status. Returns: JSON with threat intelligence statistics |
| clear_threat_cacheB | Clear the threat intelligence cache to force fresh data fetch. Returns: JSON confirmation |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/marc-shade/threat-intel-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server