Google Threat Intelligence MCP Server

list_threat_profiles

Retrieve a list of Threat Profiles to filter Google's threat intelligence by target industry or region, focusing on threats relevant to your organization.

Instructions

List your Threat Profiles at Google Threat Intelligence.

Threat Profiles filter all of Google TI's threat intelligence so you can focus only on the threats that matter most to your organization.

Threat Profiles let you apply top-level filters for Target Industries and Target Regions to immediately provide a more focused view of relevant threats.

When searching for threats, we must use this tool first to check if there is any Threat Profile that matches the user query before peforming a general search using the search_threats tool.

Recommendations from Threat Profiles are more relevants to users than generic search threats. Use them as long as they match user's query.

Returns: List of Threat Profiles.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`limit`	No
`api_key`	No

Output Schema

TableJSON Schema

Name	Required	Description	Default
`result`	Yes

Implementation Reference

gti_mcp/tools/threat_profiles.py:22-51 (handler)

Handler function for the 'list_threat_profiles' tool. Decorated with @server.tool(), it uses the VirusTotal client to fetch threat profiles from the /threat_profiles endpoint via consume_vt_iterator, then sanitizes the response.

@server.tool()
async def list_threat_profiles(
    ctx: Context, limit: int = 10, api_key: str = None
) -> typing.List[typing.Dict[str, typing.Any]]:
  """List your Threat Profiles at Google Threat Intelligence.

  Threat Profiles filter all of Google TI's threat intelligence
  so you can focus only on the threats that matter most
  to your organization.

  Threat Profiles let you apply top-level filters
  for Target Industries and Target Regions to immediately provide
  a more focused view of relevant threats.

  When searching for threats, we must use this tool first to check
  if there is any Threat Profile that matches the user query
  before peforming a general search using the `search_threats` tool.

  Recommendations from Threat Profiles are more relevants to users
  than generic search threats. Use them as long as
  they match user's query.

  Returns:
    List of Threat Profiles.
  """
  async with vt_client(ctx, api_key=api_key) as client:
    res = await utils.consume_vt_iterator(
        client, "/threat_profiles", limit=limit
    )
  return utils.sanitize_response([o.to_dict() for o in res])

gti_mcp/tools/threat_profiles.py:22-22 (registration)
Registration via the @server.tool() decorator on the list_threat_profiles async function. The 'server' is a FastMCP instance defined in gti_mcp/server.py. Registration is triggered by the import chain: server.py imports gti_mcp.tools, and __init__.py imports threat_profiles, which causes the decorator to execute.
```
@server.tool()
```
gti_mcp/server.py:73-73 (registration)
Top-level registration trigger: 'from gti_mcp.tools import *' causes all tool modules (including threat_profiles) to be imported, executing the @server.tool() decorators.
```
from gti_mcp.tools import *
```
gti_mcp/tools/__init__.py:18-19 (registration)
Imports threat_profiles module, causing its @server.tool() decorators to register tools on the FastMCP server instance.
```
from .threat_profiles import *
from .urls import *
```

gti_mcp/utils.py:20-26 (helper)

consume_vt_iterator helper: iterates over a VirusTotal API endpoint with a limit and returns objects. Used by list_threat_profiles to fetch /threat_profiles.

async def consume_vt_iterator(
    vt_client: vt.Client, endpoint: str, params: dict | None = None, limit: int = 10):
  """Consumes a vt.Iterator iterator and return the list of objects."""
  res = []
  async for obj in vt_client.iterator(endpoint, params=params, limit=limit):
    res.append(obj)
  return res

Tool Definition Quality

B3.4/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description bears full responsibility. It does not disclose any behavioral traits such as idempotency, rate limits, authentication requirements beyond implying API key, or side effects. Only says 'Returns: List of Threat Profiles'. Lacks transparency for an unannotated tool.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness3/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is somewhat verbose with multiple paragraphs and explanatory text. The purpose is front-loaded in the first sentence, but there is redundant content (e.g., repeating 'Threat Profiles' multiple times). Could be more concise without losing clarity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given an output schema exists (though not provided) and no annotations, the description adequately explains the tool's purpose and usage order relative to siblings. However, it lacks parameter documentation and behavioral details, leaving gaps for a complete understanding.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters1/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Two parameters (limit, api_key) exist with 0% schema description coverage. The description adds no explanation about what 'limit' controls or how to use 'api_key'. The agent gets no additional meaning beyond parameter names and types.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states 'List your Threat Profiles' and explains what threat profiles are, including top-level filters. It distinguishes from sibling tool 'search_threats' by specifying that this tool should be used first.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicitly instructs to use this tool before 'search_threats' to check for matching threat profiles, and states that recommendations from profiles are more relevant. Provides clear when-to-use guidance.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'

If you have feedback or need assistance with the MCP directory API, please join our Discord server