Best VirusTotal MCP Servers
VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content. It aggregates many antivirus products and online scan engines to check for threats that the user's own antivirus may have missed.
Why this server?
Provides tools for checking files and domains against VirusTotal's database for security analysis.
AlicenseAqualityAmaintenanceAI-powered OSINT framework exposing 10 tools (email, username, breach, WHOIS, IP, subdomain, phone, Shodan, dorks, Pastebin) as an MCP server for Claude Code and Claude Desktop, with an autonomous agent REPL and direct CLI.Last updated20906MITWhy this server?
Enables querying VirusTotal/Google Threat Intelligence for file hash, URL, domain, and IP analysis, providing reputation data and threat intelligence reports.

Purple AI MCP Serverofficial
AlicenseAqualityBmaintenanceEnables MCP clients to interact with SentinelOne's cybersecurity platform for security analysis, threat investigation, and asset management through natural language queries. Provides read-only access to alerts, vulnerabilities, misconfigurations, and inventory data.Last updated3386MITWhy this server?
Provides tools for analyzing file hashes, URLs, domains, or IP addresses against 70+ antivirus engines and threat intelligence databases for malware detection and reputation checking.
AlicenseAqualityAmaintenanceThis MCP server transforms Claude into a comprehensive security analyst by providing access to 27 security tools across 21 APIs for vulnerability intelligence. It enables users to query multiple sources like NVD, EPSS, CISA KEV, and threat intelligence platforms in parallel to get correlated security insights and risk assessments for CVEs.Last updated4281,072Apache 2.0Why this server?
Allows for the submission of observables like IPs and hashes to VirusTotal through Cortex's analysis pipeline for security enrichment.
AlicenseAqualityAmaintenanceAn MCP server for the Cortex observable analysis and active response engine. It enables LLMs to automate security investigations by running analyzers on observables like IPs and URLs and executing automated response actions.Last updated3171MITWhy this server?
Enables virus and threat intelligence lookups (e.g., domain, IP, hash analysis) as part of Maltego investigations.
AlicenseAqualityBmaintenanceTurns an LLM into a Maltego CE investigation copilot, enabling AI-assisted OSINT investigations by building, analyzing, and exporting Maltego graph files.Last updated52MITWhy this server?
Enables checking file hash (MD5/SHA1/SHA256) and IP reputation with detection ratios and vendor verdicts from VirusTotal's threat intelligence database.
AlicenseAqualityCmaintenanceAggregates real-time threat intelligence from multiple sources including Feodo Tracker, URLhaus, CISA KEV, and ThreatFox, with IP/hash reputation checking via VirusTotal, AbuseIPDB, and Shodan for comprehensive security monitoring.Last updated1136MITWhy this server?
Automatically routes requests to VirusTotal through Tor to anonymize the origin IP, as it is a default OSINT/security target.
AlicenseAqualityCmaintenanceRoutes web requests from AI tools through Tor for anonymized fetching, with selective per-URL routing to bypass Tor-blocking sites.Last updated41MITWhy this server?
Provides tools for domain reputation analysis, threat detections, and subdomain enumeration by querying the VirusTotal API.
AlicenseAqualityCmaintenanceA comprehensive reconnaissance toolset that provides AI agents with 37 tools across 12 data sources like Shodan and VirusTotal for automated intelligence gathering. It enables agents to perform domain reconnaissance, attack surface mapping, and cross-platform data correlation within a single conversational interface.Last updated375432MITWhy this server?
Enables analysis of observables using VirusTotal engine through Cyberbro integration, allowing threat intelligence queries and reputation checks for IPs, domains, URLs, and file hashes.
AlicenseAqualityAmaintenanceAn MCP server that extracts Indicators of Compromise (IoCs) from unstructured text and checks their reputation across multiple threat intelligence services. It enables real-time analysis of IPs, domains, hashes, and URLs, providing enriched context for security workflows within LLMs.Last updated519MIT