misp-mcp
This server connects to a MISP (Malware Information Sharing Platform) instance, enabling you to query threat intelligence, investigate indicators, explore the knowledge base, and submit new indicators — all in plain language through any MCP-compatible client. It exposes 18 tools across the following areas:
Indicator Lookups
misp_lookup_ioc: Search MISP for sightings of a single IPv4/IPv6, domain, URL, or hash (defanged forms accepted). Returns a verdict with event hits, threat level, and detection-flag status.misp_lookup_iocs: Batch triage up to 20 indicators in one call with a compact per-IOC summary.misp_correlate_ioc: Pivot from an IOC to find other indicators appearing in the same MISP event(s) — useful for discovering related infrastructure.
Event Investigation
misp_get_event: Fetch full details of a MISP event by ID (metadata, tags, attributes).misp_search_events: Search events by title keyword, tag, and/or date range.
Attribute & Object Access
misp_get_attribute: Fetch a single attribute by ID along with its parent event.misp_get_object: Retrieve a MISP object (group of related attributes) by ID.misp_search_attributes: Search attributes by type, category, tag,to_idsstatus, or event ID.
Threat Intelligence Knowledge Base
misp_lookup_galaxy: Look up threat actors, malware families, tools, and ATT&CK techniques by name or synonym.misp_list_galaxies: List all galaxy types available on the instance.misp_list_taxonomies: View all taxonomies (TLP, kill-chain, PAP, etc.) and their enabled status.misp_get_taxonomy: Retrieve a specific taxonomy's tags and their meanings.misp_search_tags: Find tag definitions by name.
Feed & Instance Monitoring
misp_feed_stats: See feed counts and which are enabled.misp_instance_status: Verify connectivity, authentication, and retrieve MISP/server versions.
Audit & Review
misp_review_submissions: Audit recent IOC submissions — what was added, by whom, when, and which are detection-flagged.
Indicator Submission (requires write-capable API key)
misp_submit_ioc: Add a single, fully attributed indicator with required fields (reporter, justification, last-seen date, tags, detection flag). Guardrails block private/reserved IPs and first-party infrastructure.misp_submit_iocs: Bulk validate and add up to 50 indicators; defaults todry_run=trueso you can preview before committing.
All operations automatically clean defanged indicators (e.g., hxxp://evil[.]com, 1.2.3[.]4), and write operations enforce rate limiting and security guardrails.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@misp-mcplook up 102.130.113.9 in MISP"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
misp-mcp connects MISP to any MCP client (Claude Desktop, Claude Code, Cursor, and others). You ask in plain language, the client calls MISP, you get the answer. No MISP UI, no REST calls by hand. Sixteen tools read from MISP - indicators, events, feeds, plus the galaxy / taxonomy / tag knowledge base - and two add indicators (single + bulk), all under your own MISP key.
Connect to the hosted server
The server runs at
https://misp.example.com/mcp. There is nothing to install; point your MCP client at it with your own MISP key. You must be on the your corporate network or VPN (the endpoint is not on the public internet).
1. Get your MISP key (one time)
Open
https://misp.example.comand log in.Top-right menu → My Profile → Auth Keys → Add authentication key.
Comment it
misp-mcp <your-name>, then copy the key - MISP shows it once. A read-only key is enough for lookups.
Keep the key private - every query runs as you.
2. Connect your MCP client
This is a standard remote MCP server over streamable HTTP, so any MCP-capable client works - Claude Desktop, Claude Code, Cursor, Windsurf, Cline, Continue, Zed, VS Code (Copilot/MCP), Goose, and others. Whatever the client, it needs the same three things:
Transport: HTTP (streamable HTTP / remote MCP)
URL:
https://misp.example.com/mcpTwo headers:
X-MISP-Key: YOUR_KEY_HEREandX-MISP-User: you@example.com
Generic config - most clients read a JSON block like this (the key names
vary slightly by client - mcpServers, servers, or mcp.servers; check your
client's docs, the values are identical):
{
"mcpServers": {
"misp": {
"type": "http",
"url": "https://misp.example.com/mcp",
"headers": {
"X-MISP-Key": "YOUR_KEY_HERE",
"X-MISP-User": "you@example.com"
}
}
}
}Claude Code (one command in a terminal):
claude mcp add --transport http misp https://misp.example.com/mcp \
--scope user \
--header "X-MISP-Key: YOUR_KEY_HERE" \
--header "X-MISP-User: you@example.com"Claude Desktop / Cursor / Windsurf - add the generic mcpServers block
above to the client's MCP JSON config, then fully restart the app.
VS Code (Copilot MCP) - in .vscode/mcp.json or user settings, under
"servers":
{
"servers": {
"misp": {
"type": "http",
"url": "https://misp.example.com/mcp",
"headers": {
"X-MISP-Key": "YOUR_KEY_HERE",
"X-MISP-User": "you@example.com"
}
}
}
}Cline / Continue / Zed / Goose and other clients - use the same URL,
http transport, and the two headers, in whatever config format the client
uses. Anything that speaks remote MCP over HTTP and can send custom headers
will work; the two X-MISP-* headers are the only server-specific part.
Any client that cannot send custom HTTP headers is not supported (the key must
ride in X-MISP-Key).
3. Check it works
Reachability check (client-agnostic) - should print 401, which proves you can
reach the endpoint and that auth is required:
curl -s -o /dev/null -w '%{http_code}\n' -X POST https://misp.example.com/mcpIf your client has a way to list MCP servers, confirm misp shows connected
(Claude Code: claude mcp list → misp ... ✓ Connected; other clients show it
in their MCP/tools panel).
Then ask your assistant these - if they answer from MISP, you're set:
Ask this | You should get |
| reachable, MISP + server version |
| hits (Tor / DDoS), detection-flagged |
| "not seen in MISP" (not "safe") |
| per-indicator verdicts |
Not working?
401 / timeout when asking → you're not on your network / VPN.
claude mcp listnot "Connected" → re-check the key and headers.Tools missing, stale, or the assistant says "no such tool" → reconnect (below).
Reconnect / restart it
MCP clients cache the tool list when they connect. If the server stops
responding, shows the wrong tools, or was updated, the fix in every client is
the same: fully quit and reopen the app (not just the conversation or
window - an in-app /mcp reconnect or a new chat is often not enough). If tools
are still stale, remove the misp server from the config, save, reopen, add it
back, and reopen again.
New tools added on the server only appear after this full restart.
claude mcp remove misp
claude mcp add --transport http misp https://misp.example.com/mcp \
--scope user \
--header "X-MISP-Key: YOUR_KEY_HERE" \
--header "X-MISP-User: you@example.com"Then quit Claude Code completely and reopen it. Check with claude mcp list →
misp ... ✓ Connected, and /mcp shows the current tools.
Related MCP server: MISP MCP Server
What you can ask
"Look up 102.130.113.9 in MISP."
"Triage these 30 IOCs from the report."
"What else showed up in the same event as evil[.]com?"
"Review the last 30 days of IOC submissions - who added what."
"Is MISP healthy? How many feeds are on?"Behind the scenes the client calls a tool and gets structured JSON, e.g. for a lookup:
{
"ioc": "102.130.113.9",
"ioc_type": "ipv4",
"total_hits": 6,
"summary": {
"seen_in_misp": true,
"event_count": 6,
"detection_flagged": true,
"max_threat_level": "Medium",
"restricted_hits": 0
},
"hits": [
{ "event_id": "16989", "event_info": "Tor exit nodes feed",
"attribute_type": "ip-dst", "value": "102.130.113.9",
"to_ids": true, "restricted": false }
]
}Tools
Tool | What it does | |
| read | Sightings of one IPv4/IPv6, domain, URL, or hash, with a verdict |
| read | Triage many indicators in one call |
| read | Other indicators in the same event, for pivoting |
| read | One event: info, tags, attributes |
| read | Search events by title, tag, or date |
| read | How many feeds exist and which are on |
| read | Reachability + auth check; run first when a tool fails |
| read | Audit recent submissions: what was added, by whom, what's detection-flagged |
| read | Threat actors, malware, tools, ATT&CK techniques by name or synonym |
| read | Galaxy types available on the instance |
| read | Taxonomies (TLP, kill-chain, PAP) and whether each is enabled |
| read | One taxonomy's tags and their meanings |
| read | Find tag definitions by name |
| read | One MISP object (grouped attributes, e.g. a file object) |
| read | One attribute by id, with its event |
| read | Search attributes by type, category, tag, to_ids, or event |
| write | Add a new indicator (needs a write-capable key) |
| write | Bulk: validate + add many indicators (dry-run preview first) |
Paste indicators however you have them - defanged forms (1.2.3[.]4,
hxxp://evil[.]com) are cleaned up automatically. Private/reserved IPs are
rejected (not routable, can't identify an external threat).
Security
Your key is the authorization. MISP checks it on every call and attributes the action to you. A read-only key cannot write; only write-capable keys (the security team) can add indicators.
Guarded write path. Submissions are rate-limited, well-known / first-party infrastructure can never be submitted, and the submitter is read from MISP itself - not a value the caller sets (so
misp_review_submissionsshows who actually added each IOC).MISP content is data, not instructions. Don't submit an indicator from a lookup without checking it yourself.
Keys stay private. No shared key on the server; the key rides in a header over TLS. Logs never contain keys or IOC values.
Architecture
The shape is the same on any host: callers reach misp-mcp over HTTPS through a
TLS-terminating load balancer (or the process's own cert), and misp-mcp calls
your MISP. It holds no credential of its own - every request carries the
caller's own X-MISP-Key, which MISP validates and attributes to that user.
MCP client (any client, on an allowed network / VPN)
│
│ HTTPS + header X-MISP-Key: <your key>
▼
Load balancer TLS termination · ingress limited to allowed CIDRs
│ HTTP :8080 (private)
▼
misp-mcp container / VM, no stored secret
│ HTTPS
▼
your MISP instanceTLS terminates at the load balancer; misp-mcp serves plain HTTP on
:8080behind it (or give the process its own cert, see DEPLOY.md).Ingress is scoped to your caller networks; the endpoint is not public.
Two common topologies: run misp-mcp standalone in front of a separate MISP (the Terraform module below), or co-locate it beside an existing MISP behind one load balancer with a
/mcp*path rule so MISP is untouched.
Host it (local, self-host, or cloud)
Local (in your MCP client, against your own MISP): install and add the
misp-mcpbinary - see ONBOARDING.md.Self-host for a team (HTTP server behind TLS, EC2/VM + systemd): DEPLOY.md.
Cloud, any provider (AWS / GCP / Azure guidance): CLOUD.md.
AWS, Terraform - ready modules behind an internal ALB with TLS, in two flavors sharing one networking module: Fargate (serverless, no VM) or EC2 (managed VM, SSM access): deploy/terraform/. Fill in a
.tfvars,terraform apply, and it prints the/mcpendpoint.
Automated local setup:
git clone https://github.com/indranilroy99/misp-mcp.git
cd misp-mcp
./install.shSetting | Mode | Default | Meaning |
| both | required | MISP base URL |
| local | required | your key (local mode) |
| both |
|
|
| hosted |
| bind address |
| hosted |
| port |
| both |
| set |
| both |
|
|
| both | required for writes | event that |
| both | empty | your own domains that can never be submitted |
| both |
| max submissions per key per minute |
| hosted | none | serve HTTPS directly |
| hosted |
| allow a public plain-HTTP bind (TLS on a proxy) |
python3 -m venv .venv
.venv/bin/pip install -e '.[dev]'
.venv/bin/python -m pytest tests/ -q # 60 testsmisp_mcp/
server.py the 18 tools and the MCP server
client.py talks to the MISP REST API (read + write)
config.py reads settings from the environment
http_app.py hosted mode: header auth + web server
context.py carries your identity through one request
validators.py cleans, checks, and safelists indicatorsDependencies are pinned in pyproject.toml: mcp, httpx, pydantic,
uvicorn, starlette.
Report vulnerabilities privately - see SECURITY.md. Licensed under Apache-2.0 (LICENSE). Contributions welcome - see CONTRIBUTING.md.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/indranilroy99/misp-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server