Threat Intelligence MCP Server

by marc-shade

Badges: MCP, Python 3.10+, License, STIX 2.1, MITRE ATT&CK, NIST 800-53, Part of Agentic System

Defense-contractor-grade threat intelligence with STIX/TAXII 2.1 export and fetch, MITRE ATT&CK mapping, TLP 2.0 enforcement, tamper-evident provenance chains, and NIST SP 800-53 control mapping with compliance reporting.

Part of the Agentic System - a 24/7 autonomous AI framework with persistent memory.

Version: 0.3.0

Features

Core Threat Intelligence

  • Multi-source threat feeds: Feodo Tracker, URLhaus, CISA KEV, ThreatFox, Emerging Threats, Spamhaus DROP, Blocklist.de, CINSscore

  • IP/Hash reputation checking: VirusTotal, AbuseIPDB, Shodan integration

  • Bulk IP checking: Check up to 100 IPs in a single request

  • Network scanning integration: Check scanned devices against threat lists

  • Thread-safe caching: Intelligent caching with TTL and size limits

  • Dashboard API: Aggregated data for visualization (Flask-based)

Defense & Intelligence Standards (v0.3.0)

  • STIX/TAXII 2.1 Protocol: Full OASIS-compliant STIX 2.1 object creation (indicators, malware, attack-patterns, threat-actors, relationships, sightings) and TAXII 2.1 client for publishing/consuming

  • MITRE ATT&CK Framework: Context-aware IOC-to-technique mapping across the Enterprise matrix with ATT&CK Navigator layer export (v4.5 format)

  • Traffic Light Protocol (TLP 2.0): Classification and enforcement of TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:AMBER+STRICT, TLP:RED with sharing rule validation

  • Chain of Custody / Provenance: Tamper-evident SHA-256 hash chain tracking for IOC lifecycle, suitable for federal evidence handling (NIST SP 800-86)

  • Defense Feed Integration: CISA alerts/advisories, ICS-CERT, NSA advisory parsing framework, DISA IAVA format support

  • NIST SP 800-53 Rev. 5 Mapping: Control alignment (RA-5, SI-5, PM-16, IR-6, SA-11, CA-7, and 15+ more) with compliance evidence reports

  • NIST CSF 2.0 Coverage: Mapping to all six functions (Govern, Identify, Protect, Detect, Respond, Recover)

  • ICD 203 Confidence Scoring: Intelligence Community Analytic Standards with NATO/IC source reliability codes (A-F) and information credibility ratings (1-6)

  • DoD Impact Level Classification: IL2-IL6 mapping per CNSSI 1253 and DoD CC SRG

Installation

```bash
cd ${AGENTIC_SYSTEM_PATH:-/opt/agentic}/mcp-servers/threat-intel-mcp
pip install -e .

# For dashboard support:
pip install -e ".[dashboard]"

# For development:
pip install -e ".[dev]"
```

Configuration

Add to ~/.claude.json:

```json
{
  "mcpServers": {
    "threat-intel": {
      "command": "${AGENTIC_SYSTEM_PATH:-/opt/agentic}/.venv/bin/python3",
      "args": ["-m", "threat_intel_mcp.server"]
    }
  }
}
```

The `${AGENTIC_SYSTEM_PATH:-/opt/agentic}` form only works with clients that expand that syntax in the `command` field; if yours does not, put the absolute path of the virtualenv interpreter there instead.

API Keys (Optional)

Set environment variables for enhanced capabilities. Keep the keys in the environment (or a secrets manager), not in configuration files that are committed or shared:

| Variable | Service | Purpose |
| --- | --- | --- |
| `VIRUSTOTAL_API_KEY` | VirusTotal | Hash and IP lookups |
| `ABUSEIPDB_API_KEY` | AbuseIPDB | IP reputation and abuse reports |
| `SHODAN_API_KEY` | Shodan | IP intelligence (open ports, services, banners) |
| `OTX_API_KEY` | AlienVault OTX | Threat pulse feeds |

MCP Tools

Core Tools

| Tool | Description |
| --- | --- |
| `get_threat_feeds` | List all available threat intelligence feeds with status |
| `fetch_threat_feed` | Fetch IOCs from a specific feed by name |
| `check_ip_reputation` | Check an IP against multiple threat sources (VirusTotal, AbuseIPDB, Shodan) |
| `check_hash_reputation` | Check file hash (MD5/SHA-1/SHA-256) reputation |
| `check_bulk_ips` | Check up to 100 IPs in a single request |
| `get_cisa_kev` | Get the CISA Known Exploited Vulnerabilities catalog |
| `get_dashboard_summary` | Aggregated threat data for dashboards |
| `get_recent_iocs` | Recent IOCs from ThreatFox (filterable by type) |
| `check_network_against_threats` | Check network scan results for threats |
| `get_threat_stats` | Get cache statistics and API key status |
| `clear_threat_cache` | Clear the threat intelligence cache |

Defense Compliance Tools (v0.3.0)

| Tool | Description |
| --- | --- |
| `threat_stix_export` | Export indicators as a STIX 2.1 bundle with TLP marking |
| `threat_attack_map` | Map IOCs to MITRE ATT&CK techniques with context-aware matching |
| `threat_attack_navigator` | Generate an ATT&CK Navigator layer (v4.5 JSON format) |
| `threat_provenance` | Record, verify, query, or export an IOC provenance chain |
| `threat_compliance_report` | NIST SP 800-53 Rev. 5 compliance posture assessment |
| `threat_tlp_classify` | Classify and enforce TLP 2.0 sharing rules |
| `threat_taxii_fetch` | Fetch intelligence from TAXII 2.1 servers with auth support |
| `threat_defense_feeds` | Aggregate defense feeds with ICD 203 confidence scoring |

Defense & Intelligence Standards

STIX/TAXII 2.1 Protocol Support

Implements the OASIS Structured Threat Information Expression (STIX) 2.1 object model for the object types listed below, plus a TAXII 2.1 client, for standardized threat intelligence exchange.

STIX Object Types:

  • indicator - IOC patterns using STIX Patterning Language

  • malware - Malware family/instance descriptions

  • attack-pattern - MITRE ATT&CK technique mappings

  • threat-actor - Adversary profiles

  • relationship - Links between objects (indicates, uses, attributed-to)

  • sighting - Confirmed observations of indicators

  • bundle - Container for multiple STIX objects

TAXII 2.1 Client:

  • Server discovery and API root enumeration

  • Collection listing and management

  • Object retrieval with filtering (type, date, ID)

  • Object publication to TAXII servers

  • HTTP Basic and Bearer token authentication

```python
# Export all recent IOCs as a STIX 2.1 bundle
result = await threat_stix_export(tlp_level="TLP:AMBER", limit=100)

# Export a specific feed
result = await threat_stix_export(feed_name="feodo_tracker", tlp_level="TLP:GREEN")
```

MITRE ATT&CK Framework Integration

Context-aware mapping of IOCs to MITRE ATT&CK Enterprise techniques with 50+ techniques across all 14 tactics.

Coverage (example techniques; the table shows 10 of the 14 Enterprise tactics):

| Tactic | Example Techniques |
| --- | --- |
| Initial Access | T1566 Phishing, T1190 Exploit Public-Facing Application, T1078 Valid Accounts |
| Execution | T1059 Command and Scripting Interpreter, T1053 Scheduled Task/Job, T1047 Windows Management Instrumentation |
| Persistence | T1547 Boot or Logon Autostart Execution, T1136 Create Account, T1543 Create or Modify System Process |
| Privilege Escalation | T1055 Process Injection, T1068 Exploitation for Privilege Escalation |
| Defense Evasion | T1070 Indicator Removal, T1027 Obfuscated Files or Information, T1036 Masquerading |
| Credential Access | T1003 OS Credential Dumping, T1110 Brute Force |
| Lateral Movement | T1021 Remote Services, T1570 Lateral Tool Transfer |
| Command and Control | T1071 Application Layer Protocol, T1572 Protocol Tunneling, T1573 Encrypted Channel |
| Exfiltration | T1041 Exfiltration Over C2 Channel, T1048 Exfiltration Over Alternative Protocol, T1567 Exfiltration Over Web Service |
| Impact | T1486 Data Encrypted for Impact (ransomware), T1489 Service Stop, T1498 Network Denial of Service |

ATT&CK Navigator Export: Generates Navigator-compatible JSON layers (v4.5) with heatmap scoring based on indicator volume.

```python
# Map a single IOC with context
result = await threat_attack_map(
    ioc_type="ip:port",
    ioc_value="192.0.2.102:4444",
    context="Cobalt Strike beacon C2",
)

# Generate a Navigator layer from all recent IOCs
layer = await threat_attack_navigator(layer_name="Current Threat Coverage")
```
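The two calls above show the tool interface but not what "context-aware" mapping and "heatmap scoring by indicator volume" mean in practice. The block below is an added example, not the project's `mitre_attack.py`: the keyword rules, the per-type fallbacks, and the `attack`/`navigator` version strings are assumptions standing in for the project's own logic, while the technique IDs are real ATT&CK Enterprise IDs. It maps a list of IOCs with analyst context to techniques, counts how many IOCs landed on each technique, and emits a Navigator layer in layer format 4.5 with a gradient scaled to the largest count.

```python
"""Context-aware IOC-to-ATT&CK mapping and Navigator layer export (added example)."""
import re
from collections import Counter

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # T1071 or sub-technique T1071.001

# Assumed rules: regex over lower-cased analyst context -> ATT&CK technique IDs.
CONTEXT_RULES = [
    (r"cobalt ?strike|beacon|\bc2\b|command and control", ["T1071", "T1573"]),
    (r"phish|malspam|maldoc", ["T1566"]),
    (r"ransom|wiper", ["T1486"]),
    (r"loader|dropper|trojan", ["T1059", "T1105"]),
    (r"brute.?force|password spray|credential stuffing", ["T1110"]),
    (r"tunnel|\bdoh\b|dns over https", ["T1572"]),
    (r"exfil", ["T1041"]),
]
# Assumed fallback by IOC type when the context matches nothing.
TYPE_DEFAULTS = {
    "ip": ["T1071"], "ip:port": ["T1071"], "domain": ["T1071"],
    "url": ["T1566"], "md5": ["T1204"], "sha1": ["T1204"], "sha256": ["T1204"],
}


def map_ioc(ioc_type: str, context: str = "") -> list[str]:
    """Technique IDs for one IOC, from context keywords or the type fallback."""
    techniques: list[str] = []
    text = context.lower()
    for pattern, ids in CONTEXT_RULES:
        if re.search(pattern, text):
            techniques.extend(t for t in ids if t not in techniques)
    return techniques or list(TYPE_DEFAULTS.get(ioc_type, []))


def navigator_layer(iocs, layer_name: str = "Current Threat Coverage") -> dict:
    """Navigator layer (layer format 4.5) scoring each technique by IOC count."""
    counts: Counter = Counter()
    for ioc_type, _value, context in iocs:
        counts.update(map_ioc(ioc_type, context))
    top = max(counts.values(), default=1)
    return {
        "name": layer_name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},  # placeholders
        "domain": "enterprise-attack",
        "description": f"{len(iocs)} IOCs mapped to {len(counts)} techniques",
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": top},
        "techniques": [
            {"techniqueID": tid, "score": n, "enabled": True, "comment": f"{n} IOC(s)"}
            for tid, n in sorted(counts.items())
        ],
    }


def validate_layer(layer: dict) -> bool:
    """Cheap sanity check before handing the layer to Navigator."""
    g = layer["gradient"]
    return (layer["versions"]["layer"] == "4.5"
            and layer["domain"] == "enterprise-attack"
            and all(TECHNIQUE_ID.match(t["techniqueID"]) for t in layer["techniques"])
            and all(g["minValue"] <= t["score"] <= g["maxValue"] for t in layer["techniques"]))


if __name__ == "__main__":
    import json
    sample = [  # constructed IOCs with analyst context (documentation addresses)
        ("ip:port", "192.0.2.102:4444", "Cobalt Strike beacon C2"),
        ("ip", "192.0.2.7", "beacon"),
        ("url", "http://example.net/invoice", "phishing lure"),
        ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", ""),
    ]
    layer = navigator_layer(sample)
    print(json.dumps(layer, indent=2), validate_layer(layer))
```

Keyword rules are deliberately simple; the point is that the same IOC type maps to different techniques depending on context (a SHA-256 described as a "trojan loader" lands on T1059/T1105, an unlabelled one on T1204), and that the layer's score is a count, so the gradient must be rescaled to the maximum before the heatmap is meaningful.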

Traffic Light Protocol (TLP 2.0) Enforcement

Implements FIRST TLP 2.0 standard with programmatic sharing rule enforcement.

| Level | Sharing Scope | Enforcement |
| --- | --- | --- |
| TLP:CLEAR | Public | No restrictions |
| TLP:GREEN | Community | Not via publicly accessible channels |
| TLP:AMBER | Organization and its clients | Need-to-know basis |
| TLP:AMBER+STRICT | Organization only | No client sharing |
| TLP:RED | Named recipients only | No further distribution |

```python
# Check if sharing is permitted
result = await threat_tlp_classify(
    tlp_level="TLP:RED",
    target_scope="community",
)
# Returns: sharing_permitted = False, violation_warning = "..."
```
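The STIX/TAXII section above and the TLP section here fit together: an export is a bundle of STIX objects carrying a TLP marking, and the TLP level decides which destinations the bundle may go to. The block below is an added example built on the standard library only, not the project's `stix_taxii.py`: it turns simple IOCs into STIX 2.1 `indicator` objects with a STIX pattern, attaches a `marking-definition` reference, and refuses to assemble a bundle for a target scope the TLP level forbids. The marking-definition IDs are derived with `uuid5` as an assumption; a real export should use the fixed TLP marking IDs the STIX 2.1 specification predefines. The scope names (`public`, `community`, `clients`, `organization`, `named_recipients`) are also this example's own.

```python
"""STIX 2.1 indicators with a TLP 2.0 sharing gate (added example)."""
import ipaddress
import re
import uuid
from datetime import datetime, timezone

# Scopes each TLP 2.0 level allows disclosure to (FIRST TLP 2.0 definitions).
TLP_ALLOWED_SCOPES = {
    "TLP:CLEAR": {"public", "community", "clients", "organization", "named_recipients"},
    "TLP:GREEN": {"community", "clients", "organization", "named_recipients"},
    "TLP:AMBER": {"clients", "organization", "named_recipients"},
    "TLP:AMBER+STRICT": {"organization", "named_recipients"},
    "TLP:RED": {"named_recipients"},
}
HASH_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HASH_KEY = {"md5": "MD5", "sha1": "'SHA-1'", "sha256": "'SHA-256'"}  # hyphenated keys need quotes


def sharing_permitted(tlp_level: str, target_scope: str) -> bool:
    """True if TLP 2.0 allows sharing tlp_level material with target_scope."""
    if tlp_level not in TLP_ALLOWED_SCOPES:
        raise ValueError(f"unknown TLP level: {tlp_level}")
    return target_scope in TLP_ALLOWED_SCOPES[tlp_level]


def _lit(value: str) -> str:
    """STIX pattern string literal: single-quoted, backslash and quote escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def stix_pattern(ioc_type: str, value: str) -> str:
    """Translate one IOC into a STIX 2.1 pattern (pattern_type 'stix')."""
    if ioc_type == "ip":
        obj = "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"
        return f"[{obj}:value = {_lit(value)}]"
    if ioc_type == "ip:port":
        host, _, port = value.rpartition(":")
        host = host.strip("[]")                      # allow [2001:db8::1]:443
        ipaddress.ip_address(host)                   # ValueError on garbage
        if not 0 < int(port) < 65536:
            raise ValueError(f"bad port: {port}")
        return (f"[network-traffic:dst_ref.value = {_lit(host)} "
                f"AND network-traffic:dst_port = {int(port)}]")
    if ioc_type == "domain":
        return f"[domain-name:value = {_lit(value)}]"
    if ioc_type == "url":
        return f"[url:value = {_lit(value)}]"
    if ioc_type in HASH_HEX_LEN:
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_HEX_LEN[ioc_type], value):
            raise ValueError(f"{ioc_type} value is not {HASH_HEX_LEN[ioc_type]} hex chars")
        return f"[file:hashes.{HASH_KEY[ioc_type]} = {_lit(value.lower())}]"
    raise ValueError(f"unsupported ioc_type: {ioc_type}")


def _now() -> str:
    t = datetime.now(timezone.utc)
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"


def tlp_marking(tlp_level: str) -> dict:
    """marking-definition for a TLP level (uuid5-derived ID is an assumption)."""
    if tlp_level not in TLP_ALLOWED_SCOPES:
        raise ValueError(f"unknown TLP level: {tlp_level}")
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": f"marking-definition--{uuid.uuid5(uuid.NAMESPACE_URL, 'tlp2:' + tlp_level)}",
        "created": _now(),
        "definition_type": "tlp",
        "name": tlp_level,
        "definition": {"tlp": tlp_level.split(":", 1)[1].lower()},
    }


def build_indicator(ioc_type: str, value: str, tlp_level: str, name: str, confidence=None) -> dict:
    ts = _now()
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(ioc_type, value),
        "pattern_type": "stix",
        "valid_from": ts,
        "object_marking_refs": [tlp_marking(tlp_level)["id"]],
    }
    if confidence is not None:
        indicator["confidence"] = max(0, min(100, int(confidence)))  # STIX confidence is 0..100
    return indicator


def export_bundle(iocs, tlp_level: str, target_scope: str) -> dict:
    """Bundle (marking + indicators) for target_scope, or PermissionError."""
    if not sharing_permitted(tlp_level, target_scope):
        raise PermissionError(f"{tlp_level} material may not be shared with scope '{target_scope}'")
    objects = [tlp_marking(tlp_level)]
    objects += [build_indicator(t, v, tlp_level, name=f"{t} {v}") for t, v in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    import json
    # Constructed sample IOCs: documentation addresses and the SHA-256 of empty input.
    sample = [("ip:port", "192.0.2.102:4444"), ("domain", "example.net"),
              ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")]
    print(json.dumps(export_bundle(sample, "TLP:AMBER", "clients"), indent=2))
    try:
        export_bundle(sample, "TLP:RED", "community")
    except PermissionError as err:
        print("blocked:", err)
```

Two details matter for interoperability: hash keys with a hyphen (`SHA-1`, `SHA-256`) must be quoted inside the pattern, and string literals in STIX patterns use single quotes with backslash escaping, so IOC values are escaped rather than pasted in. The gate runs before any object is built, so a TLP:RED indicator never ends up in a bundle addressed to a community collection.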

Chain of Custody / Provenance Tracking

Tamper-evident SHA-256 hash chain for IOC lifecycle tracking. Each record stores the hash of the previous record, so modifying, reordering, or deleting a stored record breaks every later link and is detectable. A hash chain by itself proves only internal consistency: a party who can rewrite the whole store can recompute every hash, so if the chain must hold up against an insider with write access, anchor the chain head outside the store (sign it, or keep a copy where that party cannot write).

Tracked Actions: ingestion, enrichment, analysis, correlation, classification, sharing, TLP assignment/change, validation, deduplication, expiration, retraction, export, sighting, false positive, confidence update, ATT&CK mapping

Standards Compliance:

  • NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response

  • Federal Rules of Evidence, Rule 901 (Authentication)

```python
# Record IOC ingestion
await threat_provenance(
    action="record",
    ioc_id="ioc-001",
    actor="feodo_tracker",
    details='{"provenance_action": "ingestion", "source": "feodo_tracker", "confidence": 85}',
    ioc_type="ip",
    ioc_value="192.0.2.102",
)

# Verify chain integrity
result = await threat_provenance(action="verify", ioc_id="ioc-001")

# Export legal/audit report
report = await threat_provenance(action="report", ioc_id="ioc-001")
```
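What "tamper-evident" buys and where it stops is easier to see in code. The block below is an added example, not the project's `provenance.py`: a minimal hash chain over canonical JSON, a `verify()` that walks the links, and a `rebuild()` that does what an insider with write access would do. The record fields, action names, and the sample lifecycle are this example's own assumptions; the `expected_head` anchor is the externally held copy of the chain head that the caveat above refers to.

```python
"""Tamper-evident provenance chain for IOC lifecycle events (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64   # prev_hash of the first record


def _digest(record: dict) -> str:
    """SHA-256 over every field except the hash itself, canonically encoded."""
    body = {k: v for k, v in record.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class ProvenanceChain:
    def __init__(self) -> None:
        self.records: list[dict] = []

    def head(self) -> str:
        """Hash of the latest record; this is the value to anchor externally."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def record(self, ioc_id: str, action: str, actor: str, details: Optional[dict] = None) -> dict:
        entry = {
            "seq": len(self.records),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "ioc_id": ioc_id,
            "action": action,       # ingestion, enrichment, tlp_assignment, ...
            "actor": actor,
            "details": details or {},
            "prev_hash": self.head(),
        }
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> tuple:
        """Walk the chain; optionally compare the final hash with an anchor."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i:
                return False, f"record {i}: sequence gap or reordering"
            if rec["prev_hash"] != prev:
                return False, f"record {i}: broken link to record {i - 1}"
            if rec["hash"] != _digest(rec):
                return False, f"record {i}: content altered after hashing"
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, "head mismatch: chain rewritten or truncated since anchoring"
        return True, "ok"

    def rebuild(self) -> None:
        """What an insider with write access can do: recompute every link."""
        prev = GENESIS
        for rec in self.records:
            rec["prev_hash"] = prev
            rec["hash"] = _digest(rec)
            prev = rec["hash"]


if __name__ == "__main__":
    chain = ProvenanceChain()   # constructed sample lifecycle for one IOC
    chain.record("ioc-001", "ingestion", "feodo_tracker", {"source": "feodo_tracker", "confidence": 85})
    chain.record("ioc-001", "enrichment", "virustotal", {"detections": 42})
    chain.record("ioc-001", "tlp_assignment", "analyst", {"tlp": "TLP:AMBER"})
    anchor = chain.head()                              # stored outside the chain's own store
    print(chain.verify(anchor))                        # (True, 'ok')
    chain.records[1]["details"]["detections"] = 0      # quiet edit in the store
    print(chain.verify())                              # record 1: content altered
    chain.rebuild()                                    # insider recomputes every hash
    print(chain.verify(), chain.verify(anchor))        # internally ok, but head mismatch
```

The canonical encoding (sorted keys, fixed separators) matters: the same logical record must hash identically regardless of how it was serialized, or honest re-serialization would look like tampering. Truncation (dropping the newest records) leaves a chain that is still internally consistent, which is the second reason the head needs an external anchor.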

ICD 203 Confidence Scoring

Intelligence Community Directive 203 (Analytic Standards) aligned confidence scoring using NATO/IC source reliability (A-F) and information credibility (1-6) codes.

| Source Type | Reliability Grade | Examples |
| --- | --- | --- |
| Government (CISA, NSA, DISA) | A - Completely reliable | cisa_kev, nsa_advisories |
| Commercial threat intel | B - Usually reliable | virustotal, abuseipdb, feodo_tracker |
| Community feeds | C - Fairly reliable | blocklist_de, cinsscore |

Confidence Factors: Source reliability, corroboration count, intelligence age, contextual information availability, targeted vs. commodity intelligence.

NIST SP 800-53 Rev. 5 Control Mapping

Maps threat intelligence capabilities to 25+ NIST SP 800-53 Rev. 5 controls. Key families and controls:

| Family | Key Controls | Relevance |
| --- | --- | --- |
| Risk Assessment (RA) | RA-3, RA-5, RA-5(2), RA-5(5) | Vulnerability monitoring, risk assessment |
| System and Information Integrity (SI) | SI-2, SI-4, SI-4(4), SI-5, SI-5(1) | Monitoring, alerts, flaw remediation |
| Incident Response (IR) | IR-4, IR-5, IR-6, IR-6(1) | Incident handling, reporting |
| Program Management (PM) | PM-15, PM-16, PM-16(1) | Threat awareness program |
| Assessment, Authorization, and Monitoring (CA) | CA-2, CA-7 | Continuous monitoring |
| Supply Chain Risk Management (SR) | SR-6 | Supply chain risk |
| System and Services Acquisition (SA) | SA-11 | Security testing |

```python
# Generate a compliance posture report
result = await threat_compliance_report(baseline="MODERATE", include_details=True)
```

Defense Feed Integration

| Feed Source | Type | Frequency |
| --- | --- | --- |
| CISA Known Exploited Vulnerabilities (KEV) | JSON API | On-demand |
| CISA Cybersecurity Alerts | RSS | On-demand |
| CISA Cybersecurity Advisories | RSS | On-demand |
| ICS-CERT Advisories | RSS | On-demand |
| NSA Cybersecurity Advisories | Parsing framework | Manual |
| DISA IAVA/IAVB/IAVT | Format parser | Manual |

Threat Feeds

Free (No API Key Required)

| Feed | Type | Description |
| --- | --- | --- |
| `feodo_tracker` | IP list | Botnet C&C IPs (Dridex, Emotet, TrickBot) |
| `urlhaus_recent` | URL list | Recent malware distribution URLs |
| `sslbl_ip` | IP list | SSL Blacklist malicious IPs |
| `emerging_threats_compromised` | IP list | Compromised host IPs |
| `tor_exit_nodes` | IP list | Known Tor exit node IPs |
| `cisa_kev` | JSON | Known Exploited Vulnerabilities catalog |
| `threatfox_recent` | JSON | Recent malware IOCs |
| `blocklist_de_all` | IP list | All attackers from blocklist.de |
| `cinsscore_badguys` | IP list | CINSscore malicious IPs |
| `spamhaus_drop` | CIDR list | Spamhaus Don't Route Or Peer |

API-Enhanced

| Feed | API Key | Enhanced Data |
| --- | --- | --- |
| VirusTotal | `VIRUSTOTAL_API_KEY` | Detection ratios, vendor verdicts |
| AbuseIPDB | `ABUSEIPDB_API_KEY` | Abuse confidence score, report counts |
| Shodan | `SHODAN_API_KEY` | Open ports, services, vulnerabilities |
| AlienVault OTX | `OTX_API_KEY` | Threat pulses, related IOCs |

Usage Examples

Check IP Reputation

```python
# Returns threat level: clean/low/medium/high/critical
result = await check_ip_reputation("192.0.2.102")
```

Bulk IP Check

```python
# Comma-separated
result = await check_bulk_ips("8.8.8.8, 1.1.1.1, 192.0.2.102")

# JSON array
result = await check_bulk_ips('["8.8.8.8", "1.1.1.1"]')
```

Export STIX 2.1 Bundle

```python
# Export recent IOCs with TLP marking
bundle = await threat_stix_export(tlp_level="TLP:AMBER", limit=50)

# Export a specific feed as STIX
bundle = await threat_stix_export(feed_name="feodo_tracker", tlp_level="TLP:GREEN")
```

Map IOCs to MITRE ATT&CK

```python
# Map with context for better accuracy
result = await threat_attack_map(
    ioc_type="sha256",
    ioc_value="e3b0c44298fc...",
    context="Emotet trojan loader",
)

# Generate a Navigator layer
layer = await threat_attack_navigator(limit=200)
```

Track IOC Provenance

```python
# Record ingestion
await threat_provenance(
    action="record",
    ioc_id="ioc-001",
    actor="feodo_tracker",
    details='{"provenance_action": "ingestion", "source": "feodo_tracker"}',
    ioc_type="ip",
    ioc_value="192.0.2.102",
)

# Verify integrity
result = await threat_provenance(action="verify", ioc_id="ioc-001")
```

NIST Compliance Report

```python
# Full compliance posture assessment
report = await threat_compliance_report(baseline="HIGH", include_details=True)
```

Running the Dashboard

```bash
# Start the Flask dashboard server
threat-intel-dashboard

# Or directly:
python -m threat_intel_mcp.dashboard
```

Dashboard provides REST API endpoints for visualization tools.

Development

Running Tests

```bash
# Install dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# With coverage
pytest tests/ --cov=threat_intel_mcp --cov-report=html
```

Project Structure

```
threat-intel-mcp/
├── src/threat_intel_mcp/
│   ├── __init__.py          # Package exports
│   ├── config.py            # Configuration, validation, caching
│   ├── server.py            # FastMCP server and tools (19 tools)
│   ├── dashboard.py         # Flask dashboard API
│   ├── data_fetcher.py      # Background data fetcher service
│   └── compliance/
│       ├── __init__.py      # Compliance module exports
│       ├── stix_taxii.py    # STIX 2.1 objects + TAXII 2.1 client
│       ├── mitre_attack.py  # ATT&CK mapping + Navigator layers
│       ├── provenance.py    # SHA-256 hash chain provenance
│       ├── defense_feeds.py # CISA/NSA/DISA feed integration
│       └── nist_mapping.py  # NIST 800-53 + CSF mapping
├── tests/
│   ├── conftest.py          # Pytest fixtures
│   └── test_*.py            # Test modules
└── pyproject.toml           # Package configuration
```

Changelog

v0.3.0

  • Defense & Intelligence Standards:

    • STIX/TAXII 2.1 protocol support (OASIS specification)

    • MITRE ATT&CK Enterprise mapping (50+ techniques, all 14 tactics)

    • ATT&CK Navigator layer export (v4.5 format)

    • Traffic Light Protocol 2.0 classification and enforcement

    • Tamper-evident IOC provenance chain (SHA-256 hash chain)

    • Defense feed integration (CISA alerts/advisories, ICS-CERT, DISA IAVA)

    • NIST SP 800-53 Rev. 5 control mapping (25+ controls, 8 families)

    • NIST CSF 2.0 function coverage mapping

    • ICD 203 confidence scoring with NATO/IC reliability codes

    • DoD Impact Level classification (IL2-IL6)

  • New MCP Tools (8 tools, 19 total):

    • threat_stix_export - Export indicators as STIX 2.1 bundle

    • threat_attack_map - Map IOCs to ATT&CK techniques

    • threat_attack_navigator - Generate Navigator layers

    • threat_provenance - Chain-of-custody tracking

    • threat_compliance_report - NIST compliance posture

    • threat_tlp_classify - TLP classification and enforcement

    • threat_taxii_fetch - Fetch from TAXII 2.1 servers

    • threat_defense_feeds - Aggregate defense feeds with ICD 203 scoring

  • Code Quality:

    • Comprehensive test suite (121 tests, all passing)

    • Removed duplicate code in data_fetcher.py (uses shared config)

    • Fixed broken imports in dashboard.py

    • Cleaned up unused imports across all modules

v0.2.0

  • New Features:

    • Bulk IP checking (up to 100 IPs)

    • Shodan integration for IP intelligence

    • Cache statistics and management tools

    • 3 additional threat feeds (blocklist.de, CINSscore, Spamhaus DROP)

  • Improvements:

    • Shared configuration module eliminates code duplication

    • Thread-safe caching with TTL and size limits

    • Proper input validation for all IOC types

    • Type hints throughout codebase

  • Bug Fixes:

    • Fixed all bare except clauses with proper exception handling

    • Removed unused imports and dependencies

    • Fixed variable scope issues

  • Developer Experience:

    • Comprehensive test suite (67 tests)

    • pytest-asyncio for async testing

    • Optional dependency groups (dashboard, dev)

v0.1.0

  • Initial release with basic threat feed aggregation


Part of the MCP Ecosystem

This server integrates with other MCP servers for comprehensive AGI capabilities:

| Server | Purpose |
| --- | --- |
| enhanced-memory-mcp | 4-tier persistent memory with semantic search |
| agent-runtime-mcp | Persistent task queues and goal decomposition |
| agi-mcp | Full AGI orchestration with 21 tools |
| cluster-execution-mcp | Distributed task routing across nodes |
| node-chat-mcp | Inter-node AI communication |
| ember-mcp | Production-only policy enforcement |
See agentic-system-oss for the complete framework.
