Google Threat Intelligence MCP Server

get_threat_profile

Retrieve detailed threat actor profiles from Google Threat Intelligence to analyze motivations, targets, and activity patterns for security assessments.

Instructions

Get Threat Profile object.

A threat profile object contains the following attributes:

enable_recommendations (bool): whether or not Recommendations automatically generated by our ML are enabled.
interests (dict): Threat Profile's configured interests such as industries, target regions, source regions, malware roles and actor motivations to recommend the most relevant threats.
- INTEREST_TYPE_TARGETED_INDUSTRY (list[str]): List of targeted industries.
- INTEREST_TYPE_TARGETED_REGION (list[str]): list of targeted regions (ISO-3166 country code).
- INTEREST_TYPE_SOURCE_REGION (list[str]): list of source regions (ISO-3166 country code).
- INTEREST_TYPE_MALWARE_ROLE (list[str]): list of malware roles.
- INTEREST_TYPE_ACTOR_MOTIVATION: (list[str]): list of threat actors motivations.
last_modification_date: Threat Profile's last modification date (UTC timestamp).
name (str): Threat Profile's name.
creation_date (int): Threat Profile's creation date (UTC timestamp).
aliases (list[str]): alternative names by which the threat actor is known.
description (str): description / context about the threat actor.
first_seen_date (int): estimated threat actor's first seen date of activity (UTC timestamp).
last_seen_date (int): estimated threat actor's last seen date of activity (UTC timestamp).
last_modification_date (int): last time when the threat actor was updated (UTC timestamp).
related_entities_count (int): estimated number of related IOCs to the threat actor.
source_region (str): threat actor's source region.
sponsor_region (str): region sponsoring the threat actor.
targeted_industries (list[str]): list of industries the threat actor has targeted.
targeted_regions (list[str]): list of regions the threat actor has targeted.

Args: profile_id (str): Threat Profile identifier at Google Threat Intelligence.

Returns: Threat Profile object.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`profile_id`	Yes
`api_key`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

gti_mcp/tools/threat_profiles.py:54-99 (handler)

The main implementation of the get_threat_profile tool. This async function fetches a Threat Profile object from Google Threat Intelligence API using a profile_id. It uses the vt_client context manager and utils.fetch_object helper to make the API call, then sanitizes the response.

@server.tool()
async def get_threat_profile(
    profile_id: str, ctx: Context, api_key: str = None
) -> typing.Dict[str, typing.Any]:
  """Get Threat Profile object.

  A threat profile object contains the following attributes:

    - enable_recommendations (bool): whether or not Recommendations automatically
                                      generated by our ML are enabled.
    - interests (dict): Threat Profile's configured interests such as industries, target regions,
                        source regions, malware roles and actor motivations 
                        to recommend the most relevant threats.
      - INTEREST_TYPE_TARGETED_INDUSTRY (list[str]): List of targeted industries. 
      - INTEREST_TYPE_TARGETED_REGION (list[str]): list of targeted regions (ISO-3166 country code).
      - INTEREST_TYPE_SOURCE_REGION (list[str]): list of source regions (ISO-3166 country code).
      - INTEREST_TYPE_MALWARE_ROLE (list[str]): list of malware roles. 
      - INTEREST_TYPE_ACTOR_MOTIVATION: (list[str]): list of threat actors motivations.
    - last_modification_date: <integer> Threat Profile's last modification date (UTC timestamp).
    - name (str): Threat Profile's name.
    - creation_date (int): Threat Profile's creation date (UTC timestamp).
    - aliases (list[str]): alternative names by which the threat actor is known.
    - description (str): description / context about the threat actor.
    - first_seen_date (int): estimated threat actor's first seen date of activity (UTC timestamp).
    - last_seen_date (int): estimated threat actor's last seen date of activity (UTC timestamp).
    - last_modification_date (int): last time when the threat actor was updated (UTC timestamp).
    - related_entities_count (int): estimated number of related IOCs to the threat actor.
    - source_region (str): threat actor's source region.
    - sponsor_region (str): region sponsoring the threat actor.
    - targeted_industries (list[str]): list of industries the threat actor has targeted.
    - targeted_regions (list[str]): list of regions the threat actor has targeted.

  Args:
    profile_id (str): Threat Profile identifier at Google Threat Intelligence.

  Returns:
    Threat Profile object.
  """
  async with vt_client(ctx, api_key=api_key) as client:
    res = await utils.fetch_object(
        client,
        "threat_profiles",
        "threat_profile",
        profile_id,
    )
  return utils.sanitize_response(res)

gti_mcp/tools/threat_profiles.py:54-54 (registration)
The @server.tool() decorator registers the get_threat_profile function as an MCP tool. The decorator comes from FastMCP and makes the function discoverable as an available tool in the MCP server.
```
@server.tool()
```

gti_mcp/utils.py:29-84 (helper)

Helper function fetch_object that handles API requests to VirusTotal/Google Threat Intelligence. It fetches objects by resource type and ID, handles errors, and returns the response as a dictionary with the id included.

async def fetch_object(
    vt_client: vt.Client,
    resource_collection_type: str,
    resource_type: str,
    resource_id: str,
    attributes: list[str] | None = None,
    relationships: list[str] | None = None,
    params: dict[str, typing.Any] | None = None):
  """Fetches objects from Google Threat Intelligence API."""
  logging.info(
      f"Fetching comprehensive {resource_collection_type} "
      f"report for id: {resource_id}")
  
  params = {k: v for k, v in params.items()} if params else {}

  # Retrieve a selection of object attributes and/or relationships.
  if attributes:
    params["attributes"] = ",".join(attributes)
  if relationships:
    params["relationships"] = ",".join(relationships)

  try:
    obj = await vt_client.get_object_async(
        f"/{resource_collection_type}/{resource_id}", params=params)

    if obj.error:
      logging.error(
          f"Error fetching main {resource_type} report for {resource_id}: {obj.error}"
      )
      return {
          "error": f"Failed to get main {resource_type} report: {obj.error}",
          # "details": report.get("details"),
      }
  except vt.error.APIError as e:
    logging.warning(
        f"VirusTotal API Error fetching {resource_type} {resource_id}: {e.code} - {e.message}"
    )
    return {
        "error": f"VirusTotal API Error: {e.code} - {e.message}",
        "details": f"The requested {resource_type} '{resource_id}' could not be found or there was an issue with the API request."
    }
  except Exception as e:
    logging.exception(
        f"Unexpected error fetching {resource_type} {resource_id}: {e}"
    )
    return {"error": "An unexpected internal error occurred."}

  # Build response.
  obj_dict = obj.to_dict()
  obj_dict['id'] = obj.id
  if 'aggregations' in obj_dict['attributes']:
    del obj_dict['attributes']['aggregations']

  logging.info(
      f"Successfully generated concise threat summary for id: {resource_id}")
  return obj_dict

gti_mcp/utils.py:119-138 (helper)

Helper function sanitize_response that recursively removes empty dictionaries and lists from API responses to clean up the output returned to the client.

def sanitize_response(data: typing.Any) -> typing.Any:
  """Removes empty dictionaries and lists recursively from a response."""
  if isinstance(data, dict):
    sanitized_dict = {}
    for key, value in data.items():
      sanitized_value = sanitize_response(value)
      if sanitized_value is not None:
        sanitized_dict[key] = sanitized_value
    return sanitized_dict
  elif isinstance(data, list):
    sanitized_list = []
    for item in data:
      sanitized_item = sanitize_response(item)
      if sanitized_item is not None:
        sanitized_list.append(sanitized_item)
    return sanitized_list
  elif isinstance(data, str):
    return data if data else None
  else:
    return data

Tool Definition Quality

C2.9/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden. It mentions the tool returns a Threat Profile object with detailed attributes, which helps understand output structure. However, it lacks critical behavioral details: authentication requirements (api_key parameter is undocumented), rate limits, error handling, or whether it's a read-only operation. The description adds some context but misses key operational traits.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with the core purpose but becomes verbose by listing all object attributes in detail—many of which could be inferred from an output schema (which exists). The Args and Returns sections are clear, but the attribute listing adds bulk without proportional value, reducing efficiency. Structure is logical but not optimally concise.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given 2 parameters with 0% schema coverage and no annotations, the description is moderately complete. It explains the primary parameter and output structure well, and an output schema exists to handle return values. However, it misses documentation for the 'api_key' parameter and lacks behavioral context like authentication or errors, leaving gaps for a tool with authentication needs.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must compensate. It documents 'profile_id' in the Args section, explaining it's a 'Threat Profile identifier at Google Threat Intelligence', which adds meaningful context beyond the schema's generic 'Profile Id'. However, it completely omits the 'api_key' parameter, leaving half of the parameters undocumented. The description partially compensates but not fully.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Get Threat Profile object' with a verb ('Get') and resource ('Threat Profile object'). It distinguishes from siblings like 'list_threat_profiles' (which lists multiple profiles) by focusing on retrieving a single specific profile. However, it doesn't explicitly contrast with other threat profile tools like 'get_threat_profile_associations_timeline' or 'get_threat_profile_recommendations'.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance is provided on when to use this tool versus alternatives. The description doesn't mention prerequisites (e.g., needing a valid profile_id), compare it to 'list_threat_profiles' for browsing, or explain when to choose sibling tools like 'get_threat_profile_associations_timeline' for related data. Usage is implied but not explicitly stated.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server