OpenCTI MCP Server
Supports deployment and containerization of the OpenCTI MCP server using Docker and Docker Compose for simplified setup and management.
Enables version control and repository management for the OpenCTI MCP server codebase through Git.
Provides access to the OpenCTI MCP server source code repository and related projects hosted on GitHub.
Provides integration with NixOS through related hardening modules for security configuration and system management.
Enables execution and development of the OpenCTI MCP server using Python as the primary programming language.
A Model Context Protocol (MCP) server for OpenCTI — the Open Cyber Threat Intelligence Platform developed by Filigran.
Connect your AI assistant to your OpenCTI instance for threat intelligence search, indicator lookup, report analysis, and connector monitoring through natural conversation.
Tools
Tool | Description |
| Search any STIX entity type (reports, malware, threat actors, etc.) |
| Get full report details by STIX ID |
| Search IOCs by value, pattern type, or keyword |
| Create new indicator with STIX/YARA/Sigma pattern |
| List all connectors with status and queue depth |
Quick Start
Environment Variables
Variable | Required | Default | Description |
OPENCTI_URL | Yes | — | URL of your OpenCTI instance |
OPENCTI_TOKEN | Yes | — | OpenCTI API token |
| No | | Verify SSL certificates |
MCP_TRANSPORT | No | | Transport: |
| No | | Host to bind (http mode) |
| No | | Port to bind (http mode) |
Docker
git clone https://github.com/DarkAngel-agents/opencti-mcp.git
cd opencti-mcp
export OPENCTI_URL=https://your-opencti-instance.com
export OPENCTI_TOKEN=your-api-token
docker compose up -d
Local
pip install -r requirements.txt
export OPENCTI_URL=https://your-opencti-instance.com
export OPENCTI_TOKEN=your-api-token
# stdio mode
python server.py
# http mode
MCP_TRANSPORT=http python server.py
Claude Desktop
{
  "mcpServers": {
    "opencti": {
      "command": "python",
      "args": ["/path/to/opencti-mcp/server.py"],
      "env": {
        "OPENCTI_URL": "https://your-opencti-instance.com",
        "OPENCTI_TOKEN": "your-api-token"
      }
    }
  }
}
Example Prompts
"Search OpenCTI for threat actors related to APT28"
"Show me the latest reports about ransomware"
"Look up indicators matching this IP: 192.168.1.100"
"Create a STIX indicator for domain evil.example.com"
"What connectors are active and what's their queue status?"
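The Claude Desktop configuration shown earlier keeps OPENCTI_TOKEN in plaintext inside the client's JSON file, so that file deserves the same handling as any other credential store. The audit below is an added example, not code from the opencti-mcp project; the function names, the secret-name heuristics and the sample host and token are assumptions constructed for illustration.

```python
import json
import os
import re
import stat
import tempfile

# Heuristics (assumptions): env names that usually hold credentials, and
# values that are obviously unfilled placeholders such as "your-api-token".
SECRET_KEY = re.compile(r"(TOKEN|SECRET|PASSWORD|API_?KEY)", re.I)
PLACEHOLDER = re.compile(r"^(your-|<|\$\{|changeme)", re.I)


def audit_mcp_config(path):
    """Return findings for an MCP client config using the "mcpServers" layout."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        servers = json.load(fh).get("mcpServers", {})
    has_secret = False
    for name, spec in servers.items():
        for key, value in spec.get("env", {}).items():
            value = str(value)
            if SECRET_KEY.search(key) and value and not PLACEHOLDER.match(value):
                has_secret = True
                findings.append(f"{name}: {key} is stored in plaintext")
            if key.endswith("_URL") and value.lower().startswith("http://"):
                findings.append(f"{name}: {key} uses http://, API token would cross the network in cleartext")
    # POSIX permission bits only; on Windows review the file ACL instead.
    if has_secret and os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:o} lets other local users read the token")
    return findings


def demo():
    """Audit a constructed config (sample host and token, not real values)."""
    sample = {"mcpServers": {"opencti": {
        "command": "python",
        "args": ["/path/to/opencti-mcp/server.py"],
        "env": {"OPENCTI_URL": "http://opencti.internal.example",
                "OPENCTI_TOKEN": "00000000-constructed-sample-token"}}}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "claude_desktop_config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return audit_mcp_config(path)


if __name__ == "__main__":
    print("\n".join(demo()))
```

A clean result for a config holding a real token means an https URL and a file readable only by its owner (for example mode 600); scoping the OpenCTI API token to a low-privilege account limits what a leaked config exposes.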
Related Projects
misp-mcp — MCP server for MISP
nixos-anssi-bp028 — NixOS ANSSI hardening module
License
MIT