
Google Threat Intelligence MCP Server

by googleSandy

search_threats

Search Google Threat Intelligence for threat actors, malware families, campaigns, vulnerabilities, and reports to investigate cybersecurity threats.

Instructions

Search threats in the Google Threat Intelligence platform.

Threats are modeled as collections. Once you get collections from this tool, you can use get_collection_report to fetch the full reports and their relationships.

IMPORTANT CONTEXT CLUE: Pay close attention to the user's request. If their request mentions specific kinds of threats such as "threat actor", "malware family", "campaign", "report", or "vulnerability", treat this as a strong signal that you must use the collection_type filter in your query to ensure relevant results. Using this filter significantly improves search precision.

Filtering by Type: To filter your search results to a specific type of threat, include the collection_type modifier within your query string.

Syntax: collection_type:"<type>"

Available <type> values:

  • "threat-actor": Use when the user asks about specific actors, groups, or APTs.

  • "malware-family": Use when the user asks about malware, trojans, viruses, ransomware families.

  • "software-toolkit": Use when the user asks about legitimate tools that are usually related to malware.

  • "campaign": Use when the user asks about specific attack campaigns.

  • "report": Use when the user is looking for analysis reports.

  • "vulnerability": Use when the user asks about specific CVEs or vulnerabilities.

  • "collection": A generic type, use only if no other type fits or if the user explicitly asks for generic "collections".

You can use order_by to sort the results by "relevance" or "creation_date". Use the sign "+" for ascending order or "-" for descending order. The default is "relevance-".

When asked for latest threats, prioritize campaigns or vulnerabilities over reports.

Args:

  • query (required): Search query to find threats.

  • collection_type: Filter your search results to a specific type of threat.

  • limit: Limit the number of threats to retrieve. 5 by default.

  • order_by: Order results by the given order key. "relevance-" by default.

Returns: List of collections, aka threats. They are full collection objects, you do not need to retrieve them using the get_collection_report tool. You may need to extend with relationships using the get_entities_related_to_a_collection tool.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| query | Yes | | |
| collection_type | No | | |
| limit | No | | |
| order_by | No | | relevance- |
| api_key | No | | |

Output Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| result | Yes | | |

Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It effectively describes key behaviors: it's a search operation (implying read-only, though not explicitly stated), explains that results are collections (threats) and how to handle them with other tools, mentions default values (e.g., limit=5, order_by='relevance-'), and provides context on filtering and sorting. However, it doesn't explicitly address permissions, rate limits, or error handling, leaving some gaps.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with clear sections (e.g., 'IMPORTANT CONTEXT CLUE', 'Filtering by Type', 'Args', 'Returns'), making it easy to scan. It is appropriately sized for a complex tool with 5 parameters and no schema coverage, though some parts (like the detailed type list) are necessary but slightly verbose. Every sentence adds value, such as usage tips and sibling tool integration.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity (5 parameters, 0% schema coverage, no annotations, but with output schema), the description is highly complete. It explains the tool's purpose, usage guidelines, parameter semantics, behavioral context (e.g., how results relate to other tools), and output handling. The output schema exists, so the description correctly focuses on explaining the return value's nature (list of collections) and next steps without redundancy.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The schema description coverage is 0%, so the description must compensate fully. It adds significant meaning beyond the input schema by detailing each parameter: `query` is explained with filtering syntax and examples, `collection_type` includes a list of available values and usage contexts, `limit` specifies the default, and `order_by` describes sorting options and syntax. This comprehensively covers all 5 parameters, providing essential semantics not in the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose as 'Search threats in the Google Threat Intelligence platform' with specific verb ('Search') and resource ('threats'), and distinguishes it from siblings by explaining that threats are modeled as collections and mentioning related tools like `get_collection_report` for further actions. It avoids tautology by providing meaningful context beyond the tool name.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit guidance on when to use this tool vs. alternatives, including a strong signal to use the `collection_type` filter for specific threat kinds (e.g., 'threat actor', 'malware family'), and mentions sibling tools like `search_threat_actors` or `search_vulnerabilities` implicitly as alternatives. It also advises on prioritizing campaigns or vulnerabilities for 'latest threats' and includes usage syntax and examples.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/googleSandy/gti-mcp-standalone'
