ThreatWatch MCP
Provides tools for analyzing IPs, domains, URLs, and hashes using VirusTotal's threat intelligence data.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@ThreatWatch MCPAnalyze IP 185.220.101.1 for threats"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
๐ก๏ธ ThreatWatch MCP
AI-Powered Threat Intelligence with Real-Time Alert Monitoring
A Model Context Protocol (MCP) server that brings multi-source threat intelligence directly into Claude Desktop and any MCP-compatible AI assistant.
โจ What Makes ThreatWatch Different
Feature | ThreatWatch | fastmcp-threatintel |
Real-time watch-list & alerts | โ | โ |
Persistent alert history | โ | โ |
Shodan InternetDB (free, no key needed) | โ | โ |
Status-change detection | โ | โ |
IOC extraction from freeform text | โ | โ |
Works with zero API keys | โ | โ |
Related MCP server: FastMCP ThreatIntel
๐ Available MCP Tools
Tool | Description |
| Analyse a single IP / domain / URL / hash |
| Analyse up to 50 IOCs concurrently |
| Extract IOCs from log files, reports, pastes |
| Add an IOC to the real-time watch-list |
| Remove an IOC from the watch-list |
| Show all monitored IOCs and their status |
| Retrieve alerts from monitored IOCs |
| Manually trigger a re-scan of all watches |
| Show configured sources and monitor state |
๐ Installation
Prerequisites
Python 3.11 or higher
API keys (see below โ all free tier)
Step 1 โ Clone the repo
git clone https://github.com/YOUR_USERNAME/threatwatch-mcp.git
cd threatwatch-mcpStep 2 โ Install
pip3 install fastmcp httpx python-dotenv
pip3 install -e .Step 3 โ Verify installation
which threatwatchYou should see a path like /usr/local/bin/threatwatch or
/Library/Frameworks/Python.framework/Versions/3.x/bin/threatwatch.
Copy this path โ you'll need it in Step 5.
๐ API Keys (All Free)
Source | Required | Free Limit | Sign Up |
VirusTotal | Recommended | 1,000 req/day | |
AlienVault OTX | Recommended | Unlimited | |
AbuseIPDB | Optional | 1,000 req/day | |
IPinfo | Optional | 50,000 req/month | |
Shodan InternetDB | None needed | Always free | Built-in |
ThreatWatch works with zero API keys โ Shodan InternetDB is always available and returns open ports, CVEs, and hostnames for any IP for free.
โ๏ธ Connect to Claude Desktop
Step 4 โ Open the Claude Desktop config
macOS:
open -e ~/Library/Application\ Support/Claude/claude_desktop_config.jsonWindows:
%APPDATA%\Claude\claude_desktop_config.jsonStep 5 โ Add ThreatWatch
Add the threatwatch entry to your mcpServers block.
Replace the command path with the output of which threatwatch from Step 3,
and fill in your API keys:
{
"mcpServers": {
"threatwatch": {
"command": "/Library/Frameworks/Python.framework/Versions/3.13/bin/threatwatch",
"env": {
"VIRUSTOTAL_API_KEY": "your_virustotal_key_here",
"OTX_API_KEY": "your_otx_key_here",
"ABUSEIPDB_API_KEY": "your_abuseipdb_key_here",
"IPINFO_API_KEY": "your_ipinfo_key_here"
}
}
}
}If you already have other MCP servers configured, just add the
threatwatchblock inside your existingmcpServersobject โ don't replace the whole file.
Step 6 โ Restart Claude Desktop
Fully quit Claude Desktop (Cmd + Q on Mac, system tray โ Exit on Windows)
and reopen it.
Step 7 โ Verify
Click the "+" button at the bottom of the Claude chat โ Connectors. You should see ThreatWatch listed with all 9 tools.
Then test it:
Run server_status๐ฌ Example Prompts
Analyse IP 185.220.101.1 for threats
Check if domain update-adobe-flash.ru is malicious
Is this hash dangerous: d41d8cd98f00b204e9800998ecf8427e
Extract all IOCs from this log and analyse them:
[paste your firewall log, SIEM alert, or email header]
Add a watch on 185.220.101.1 and alert me if it becomes malicious
Get all alerts from the last hour
Run a full monitor cycle now๐ How Real-Time Monitoring Works
add_watch("185.220.101.1", alert_on=["malicious", "suspicious"])
โ
โผ
Watch-list saved to ~/.threatwatch/watchlist.json
โ
โผ
run_monitor_cycle() โ trigger manually or on a schedule
โ
โผ
Re-queries all sources for each watched IOC
โ
โผ
Status changed or threshold crossed?
โ
Yes โ No
โผ โผ
Alert (no-op)
โ
โผ
get_alerts(since_minutes=60)๐๏ธ Project Structure
threatwatch-mcp/
โโโ src/
โ โโโ threatwatch/
โ โโโ __init__.py โ package definition
โ โโโ server.py โ FastMCP server + all 9 MCP tools
โ โโโ config.py โ settings from environment variables
โ โโโ ioc_detector.py โ IOC type detection (IP/domain/URL/hash)
โ โโโ intel_sources.py โ API adapters (VT, OTX, AbuseIPDB, IPinfo, Shodan)
โ โโโ alert_monitor.py โ real-time watch-list + alert engine
โ โโโ reporter.py โ Markdown report builder
โโโ tests/
โ โโโ test_core.py โ unit tests
โโโ pyproject.toml โ package config + dependencies
โโโ .env.example โ environment variable template
โโโ README.md๐ Security Notes
Never commit your
.envfile โ it is in.gitignoreby defaultRestrict config file permissions on your machine:
chmod 600 ~/Library/Application\ Support/Claude/claude_desktop_config.jsonAll API keys used are read-only โ they can query data but cannot modify anything
If a key is ever leaked, regenerate it instantly from each service's dashboard
๐งช Running Tests
pip3 install pytest pytest-asyncio
pytest tests/ -v๐ License
Apache 2.0 โ see LICENSE for details.
๐ Acknowledgments
FastMCP โ the MCP framework that powers ThreatWatch
fastmcp-threatintel โ original inspiration
VirusTotal, AlienVault OTX, AbuseIPDB, IPinfo, Shodan โ threat intelligence sources
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Abraar02/threatwatch-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server