Google Threat Intelligence MCP Server
The Google Threat Intelligence MCP Server provides access to Google Threat Intelligence (VirusTotal + Mandiant) for searching, analyzing, and managing threat data. Key capabilities include:
Threat & Collection Intelligence
Search across threats, campaigns, threat actors, malware families, software toolkits, reports, and vulnerabilities
Retrieve full collection reports, related entities, MITRE ATT&CK trees, timelines, YARA/Sigma/IDS rules, and IOC commonalities
Create, update, and manage threat collections (attributes and IOCs)
File & Artifact Analysis
Analyze files by hash (MD5/SHA-1/SHA-256) for detections and classifications
Retrieve sandbox behavior reports and summaries
Upload files for multi-engine VirusTotal scanning
Pivot from files to contacted domains/IPs/URLs, dropped files, malware families, and more
Domain, IP & URL Intelligence
Analyze domains (passive DNS, registrar, reputation), IPs (geolocation, ASN), and URLs (maliciousness, classifications)
Pivot to related files, resolutions, SSL certificates, WHOIS, threat actors, and campaigns
Search IOCs using advanced search modifiers
Threat Profiles
List and retrieve organizational threat profiles (targeted industries, regions, actor motivations)
Get ML-recommended threats and association timelines for a profile
Digital Threat Monitoring (DTM)
Search historical documents from surface, deep, and dark web sources (forums, Telegram, paste sites, shop listings, emails, tweets) using Lucene syntax
Hunting Rulesets
Retrieve YARA hunting rulesets and find files that matched them
Allows AI agents to access Google Threat Intelligence (VirusTotal) data including IOC search, file/domain/IP/URL reports, and threat hunting rulesets.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Google Threat Intelligence MCP Serverget report for IP 8.8.8.8"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Google Threat Intelligence MCP Server
A production-ready, highly optimized Model Context Protocol (MCP) server for Google Threat Intelligence (GTI) (incorporating VirusTotal and Mandiant threat analytics). This server supports both local desktop integration via stdio and cloud-native network deployments via Server-Sent Events (SSE), making it fully compatible with Google Cloud Run or any other container-native environment.
Project Origin & Deployment Philosophy
This repository is 100% based on the official Google open-source implementation hosted in the google/mcp-security repository.
While the official project is designed as a broad, developer-focused, multi-tool mono-repo, this project was created specifically to empower non-technical users, security analysts, and IT administrators to deploy a secure, enterprise-grade Google Threat Intelligence (GTI) MCP server in minutes with zero friction.
🔍 How This Repository Differs from the Official Mono-Repo
Feature / Aspect | Official Google | This Dedicated GTI Project |
Project Focus | Multi-server (SCC, SecOps, SOAR, GTI) developers workspace. | 100% focused on Google Threat Intelligence (GTI). Completely stripped of unrelated bloat. |
Nesting Structure | Nested deeply under | Flattened to the root. Clean git clone and run. |
Secrets Security | Basic environment variables (risk of plaintext leak). | Strictly Enforced Google Secret Manager. |
Cloud Deployment | Minimal developer deployment scaffolding. | Production-ready Google Cloud Run templates. |
User Onboarding | Targeted at software developers and engineers. | Designed for non-technical users, complete with beginner-friendly command guides. |
No-Agent Verification | Requires setting up and connecting an LLM desktop client. | Instant, zero-agent verification via a dynamic, automated |
Production Security Mandate: To ensure enterprise compliance and prevent credential leakage, this deployment strictly requires the use of Google Secret Manager to store and load your API key. Direct injection of plaintext credentials via environment variables is disabled/prohibited for cloud deployments.
Related MCP server: CrowdStrike Falcon MCP Server
Table of Contents
Core Features
This MCP server exposes high-performance threat intelligence endpoints to any compatible LLM agent.
🔍 Intelligence & Hunting
search_iocs(query, limit): Queries Indicators of Compromise (IOCs) using advanced search filters.get_hunting_ruleset&get_entities_related_to_a_hunting_ruleset: Accesses and maps structured threat detection signatures.
📁 Files & Artifacts
get_file_report(hash): Inspects MD5, SHA1, or SHA256 hashes to check multi-engine detections and threat actor classifications.get_file_behavior_report(id)&get_file_behavior_summary(hash): Retreives deep sandbox execution data.
🌐 Domains, IPs, and URLs
get_domain_report(domain)&get_entities_related_to_a_domain: Resolves passive DNS mappings, registrar details, and reputational classifications.get_ip_address_report(ip_address): Retrieves geolocations, Autonomous System Numbers (ASN), and detections.get_url_report(url)&get_entities_related_to_an_url: Inspects specific URLs.
Configuration & Customization (Optional)
This project is pre-configured and completely ready to run out-of-the-box. You do not need to modify any of these files to deploy. However, if you have specific network or architectural requirements, you can customize these configuration files:
File Path | Purpose | Modification Details |
| Local Container Config | Change the container port mappings or local environment references if needed. |
| Image Build Spec | Customize the base Python version or update build-stage packages. |
Zero-Credential File Design: No secrets or API keys are written to disk in this repository. Local development utilizes memory-only shell environment variables, and production environments strictly load keys from cloud-managed secret vaults.
Local Development & Setup
Prerequisites
Python 3.11 or higher.
A valid Google Threat Intelligence (VirusTotal) API key.
Quick Start (Local Python)
Clone the repository & enter the directory:
git clone <your-repository-url> cd gti-mcp-serverConfigure your API Key (In-Memory Only): Export your Google Threat Intelligence API key directly in your terminal session. This key resides only in your shell's temporary RAM and is never written to disk:
export VT_APIKEY="your_actual_gti_api_key_here"Install the package and dependencies:
python3 -m venv .venv source .venv/bin/activate pip install --upgrade pip pip install -e .Run the server locally:
# Run in stdio mode (default, for local Desktop agents): gti-mcp-server # Run in SSE/HTTP network mode (for cloud simulation or container testing): TRANSPORT=sse PORT=8080 gti-mcp-server
Containerization & Docker
This server is packaged with a high-performance, secure multi-stage Docker build. The builder stage packages the application into a Python wheel, and the runner stage installs it into a slim environment running as a restricted, non-root system user (mcpuser with UID 10001).
1. Build the Docker Image
docker build -t gti-mcp-server:latest .2. Run with Docker Compose
Using Docker Compose binds the container to port 8080 and loads configuration from your .env file:
docker compose up -dProduction Google Cloud Run Deployment (Strict Secret Manager)
This section provides a secure-by-default, step-by-step walkthrough for deploying to Google Cloud Run. It uses Google Secret Manager for credential storage and restricts invocations using GCP IAM OIDC Authentication (disallowing unauthenticated access).
Step 1: Set Your Deployment Variables
Replace the placeholder values below with your GCP details:
PROJECT_ID="your-gcp-project-id" # Your GCP Project ID
REGION="us-central1" # GCP Region to deploy to
REPO="mcp-servers" # Artifact Registry Repository name
IMAGE="gti-mcp-server" # Container Image nameStep 2: Authenticate and Enable Required GCP Services
Authenticate your local shell session with Google Cloud and enable the APIs required for container hosting and secure secret storage:
# Authenticate your local shell session with Google Cloud
gcloud auth login
# Set your active gcloud project context
gcloud config set project ${PROJECT_ID}
# Enable Secret Manager, Artifact Registry, and Cloud Run APIs
gcloud services enable \
secretmanager.googleapis.com \
artifactregistry.googleapis.com \
run.googleapis.comStep 3: Secure your API Key in Google Secret Manager
Create a managed secret to host your Google Threat Intelligence (VirusTotal) API key securely:
Create the Secret container:
gcloud secrets create VT_APIKEY --replication-policy="automatic"Add your API key value as version 1 of the secret: Replace
YOUR_ACTUAL_GTI_API_KEYwith your actual token:echo -n "YOUR_ACTUAL_GTI_API_KEY" | gcloud secrets versions add VT_APIKEY --data-file=-
Step 4: Grant Access to the Cloud Run Service Account
Cloud Run services run under a designated service account. By default, Cloud Run uses the Compute Engine default service account to call other GCP APIs.
Get your Project Number:
PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_ID} --format="value(projectNumber)") echo "Your Project Number is: ${PROJECT_NUMBER}"Determine the Default Service Account Email: The default service account email follows the pattern:
${PROJECT_NUMBER}-compute@developer.gserviceaccount.comGrant Secret Accessor permission to this service account: This authorizes the Cloud Run container to fetch and decrypt the secret at startup:
gcloud secrets add-iam-policy-binding VT_APIKEY \ --member="serviceAccount:${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" \ --role="roles/secretmanager.secretAccessor"
Step 5: Deploy to Cloud Run (Choose Your Path)
You can choose either of these two paths to compile and deploy your server. Option A is highly recommended for non-technical users as it does not require Docker or manual registry configurations!
🚀 Option A: Direct Source-to-Cloud Deployment (No Local Docker Required)
This is the fastest, simplest method. Google Cloud will securely package your source directory, upload it, run Google Cloud Build in the background using your Dockerfile, automatically provision a private Artifact Registry under the hood, and deploy the service.
Simply run this single command from your repository root:
gcloud run deploy gti-mcp-server \
--source . \
--region=${REGION} \
--platform=managed \
--no-allow-unauthenticated \
--set-secrets="VT_APIKEY=VT_APIKEY:latest" \
--set-env-vars="TRANSPORT=sse" \
--port=8080🐳 Option B: Traditional Docker Build, Push, & Deploy
Choose this path if you prefer to compile, tag, and push your container image using Docker running locally on your laptop:
Create the Docker repository in Artifact Registry:
gcloud artifacts repositories create ${REPO} \ --repository-format=docker \ --location=${REGION} \ --description="MCP Servers Repository"Authenticate Docker to push to your GCP registry:
gcloud auth configure-docker ${REGION}-docker.pkg.devBuild and Tag the image (Intel/AMD64 target format):
docker build --platform linux/amd64 -t ${REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO}/${IMAGE}:latest .Push the image to GCP:
docker push ${REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO}/${IMAGE}:latestDeploy the pushed image to Cloud Run:
gcloud run deploy gti-mcp-server \ --image=${REGION}-docker.pkg.dev/${PROJECT_ID}/${REPO}/${IMAGE}:latest \ --region=${REGION} \ --platform=managed \ --no-allow-unauthenticated \ --set-secrets="VT_APIKEY=VT_APIKEY:latest" \ --set-env-vars="TRANSPORT=sse" \ --port=8080
[!SUCCESS] Your secure GTI MCP server is now running! It will print a Service URL (e.g.,
https://gti-mcp-server-xxxxxx-uc.a.run.app). Write this URL down as you will need it to connect your agents.
Verification Without an Agent
Because the cloud server has unauthenticated access disabled (--no-allow-unauthenticated), standard public requests will be blocked. To verify that it's working, your request must include an Authorization OIDC Bearer Token.
Option A: Automatic Local Verification Script
Make sure you are logged in to your GCP account locally via gcloud, then run the local verification script which automatically handles the OIDC token generation and queries the remote server:
# Make sure the script is executable
chmod +x verify.sh
# Run against your remote Cloud Run URL
HOST="gti-mcp-server-xxxxxx-uc.a.run.app" PORT="443" ./verify.shOption B: Manual Verification with Curl
Generate a Google ID Token matching your Cloud Run service URL:
TARGET_URL="https://gti-mcp-server-xxxxxx-uc.a.run.app" ID_TOKEN=$(gcloud auth print-identity-token --audiences="${TARGET_URL}")Establish the SSE Connection (include the token):
curl -i -H "Authorization: Bearer ${ID_TOKEN}" "${TARGET_URL}/sse"Expected Response:
HTTP/1.1 200 OK Content-Type: text/event-stream ... event: endpoint data: /messages/?session_id=da831f24d35e40a0bb5c3da42903e670Send a JSON-RPC Post request (include the token):
curl -s -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${ID_TOKEN}" \ -d '{"jsonrpc": "2.0", "method": "tools/list", "params": {}, "id": 1}' \ "${TARGET_URL}/messages/?session_id=da831f24d35e40a0bb5c3da42903e670"
MCP Client Configurations
To connect this secure cloud-deployed server to your local desktop agents or cloud workflows, you must provide your Google OIDC Bearer Token.
Claude Desktop (Connecting to Secure Cloud Run)
Update your Claude Desktop settings (~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"gti-secure-cloud": {
"url": "https://gti-mcp-server-xxxxxx-uc.a.run.app/sse",
"headers": {
"Authorization": "Bearer YOUR_GOOGLE_OIDC_ID_TOKEN_HERE"
}
}
}
}Google OIDC tokens typically expire after 1 hour. In high-throughput orchestrators, use a local helper script to dynamically generate and refresh OIDC tokens via the GCP metadata server or gcloud context.
Gemini Enterprise Integration (Optional)
You can easily register this secure Cloud Run MCP server with Gemini Enterprise (Gemini for Google Workspace) using Google Cloud's centralized Agent Registry (Preview). This allows your enterprise AI agents, chat assistants, and Workspace environments to discover and securely invoke your Google Threat Intelligence tools.
Follow these command-driven steps to register your server:
Step 1: Enable the Agent Registry API
Enable the required central services in your active Google Cloud project:
gcloud services enable agentregistry.googleapis.comStep 2: Install GCloud Alpha Components
Ensure you have the alpha components installed locally:
gcloud components install alphaStep 3: Register the Service in the Agent Registry
Register your Cloud Run MCP service. Make sure to replace https://gti-mcp-server-xxxxxx-uc.a.run.app with your actual Cloud Run Service URL:
gcloud alpha agent-registry services create gti-mcp-service \
--project=${PROJECT_ID} \
--location=${REGION} \
--display-name="Google Threat Intelligence" \
--description="Exposes Google Threat Intelligence (VirusTotal) capabilities for analyzing files, URLs, netlocs, and threat profiles." \
--interfaces="url=https://gti-mcp-server-xxxxxx-uc.a.run.app/sse,protocolBinding=JSONRPC"Step 4: Verify Your Registered Server
List and describe your registered server from the CLI to verify it was created successfully:
# List all registered MCP servers
gcloud alpha agent-registry mcp-servers list \
--project=${PROJECT_ID} \
--location=${REGION}
# Describe your new GTI service
gcloud alpha agent-registry mcp-servers describe gti-mcp-service \
--project=${PROJECT_ID} \
--location=${REGION}Once registered, your Google Threat Intelligence tools are securely logged in Google's enterprise registry plane and ready for integration with your Workspace and generative AI apps!
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/jmaciasc-google/gti-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server