MISP MCP Server

A Model Context Protocol (MCP) server for MISP — the Open Source Threat Intelligence Platform used by NATO, CERTs, and 6000+ organizations worldwide.

Connect your AI assistant to your MISP instance for threat intelligence search, IOC lookup, and event analysis through natural conversation.

Tools

Quick Start

Environment Variables

Docker

# Clone and run
git clone https://github.com/DarkAngel-agents/misp-mcp.git
cd misp-mcp

# Set your MISP credentials
export MISP_URL=https://your-misp-instance.com
export MISP_API_KEY=your-api-key

# Run with Docker Compose
docker compose up -d

The MCP endpoint will be available at http://localhost:8000/mcp.

Local (without Docker)

pip install -r requirements.txt

export MISP_URL=https://your-misp-instance.com
export MISP_API_KEY=your-api-key

# stdio mode (for Claude Desktop, Claude Code, etc.)
python server.py

# http mode (for remote access)
MCP_TRANSPORT=http python server.py

Claude Desktop

Add to your Claude Desktop config (~/.config/Claude/claude_desktop_config.json):

{
  "mcpServers": {
    "misp": {
      "command": "python",
      "args": ["/path/to/misp-mcp/server.py"],
      "env": {
        "MISP_URL": "https://your-misp-instance.com",
        "MISP_API_KEY": "your-api-key"
      }
    }
  }
}

Claude Code

claude mcp add misp -- python /path/to/misp-mcp/server.py

VS Code

Add to .vscode/mcp.json:

{
  "servers": {
    "misp": {
      "url": "http://localhost:8000/mcp",
      "type": "http"
    }
  }
}

Example Prompts

• "Search MISP for any events related to ransomware from the last month"

• "Look up this hash in MISP: abc123def456..."

• "Show me the details of MISP event 1234"

• "What are the statistics of our MISP instance?"

• "Submit this IP as an IOC to event 5678: 192.168.1.100"

• "List all configured MISP feeds"

Requirements

• Python 3.10+

• A running MISP instance with API access

• MISP automation API key (found in MISP → Administration → Auth Keys)

License

MIT