mcp-threatintel
Integrates abuse.ch threat feeds (URLhaus, MalwareBazaar, ThreatFox, Feodo) for checking IPs, domains, hashes, and URLs against malware and C2 indicators.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-threatintelCheck this IP: 45.33.32.156"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-threatintel
A threat intelligence MCP server for Claude Code. Gives Claude tools to look up IOCs, search threat feeds, check breached credentials, query CVEs, and search the dark web.
Built with FastMCP and SQLite. Feeds are synced locally by a background poller so lookups are fast and don't depend on external API availability.
Tools
Tool | What it does |
| Check an IP, domain, hash, or URL against all threat feeds |
| Full-text search across IOCs, OTX pulses, and CVEs |
| What's been added in the last N hours |
| Check if a CVE is in the CISA Known Exploited Vulnerabilities catalog |
| Show sync status and record counts for all feeds |
| Search AlienVault OTX community threat pulses |
| Check LeakCheck for breached credentials by email, domain, username, or hash |
| Check all known breaches for a domain |
| Search Ahmia.fi's index of Tor hidden services |
| Check if a password has been exposed (HIBP k-anonymity, free, password never leaves machine) |
| Check if an email is in any known breach via HIBP |
| Get the most recently added breach from HIBP |
Related MCP server: ThreatMCP
Data Sources
Source | What it provides | Auth | Cost |
abuse.ch (URLhaus, MalwareBazaar, ThreatFox, Feodo) | Malware URLs, hashes, C2s, botnet IPs |
| Free |
Community threat pulses, IOC enrichment |
| Free | |
Known exploited vulnerabilities catalog | None | Free | |
Dark web search (.onion index) | None | Free | |
Breached password check (k-anonymity) | None | Free | |
Email breach lookup |
| $4.50/mo | |
Dark web breach data (7B+ records) |
| $10/mo |
All optional keys degrade gracefully. The server runs fine without them and returns a clear error message when a tool needs a key that isn't configured.
Architecture
Claude Code
|
| Streamable HTTP (port 3707, /mcp)
v
mcp-threatintel (mcp_threatintel.server)
|
|-- SQLite cache (threatintel.db) <-- populated by poller
|-- Live API calls (LeakCheck, HIBP, Ahmia)
v
threatintel-poller (mcp_threatintel.poller)
|
|-- abuse.ch feeds (URLhaus, MalwareBazaar, ThreatFox, Feodo)
|-- AlienVault OTX pulses
|-- CISA KEV catalog
(syncs hourly by default)The poller runs as a separate container and syncs threat feeds into a shared SQLite database. The MCP server reads from the cache for fast lookups, with live API calls only for on-demand services (LeakCheck, HIBP, Ahmia).
Setup
1. Clone and configure
git clone https://github.com/pete-builds/mcp-threatintel.git
cd mcp-threatintel
cp .env.example .envEdit .env and add your API keys. Only ABUSECH_API_KEY is required. All others are optional.
2. Start the stack
docker compose up -dThis starts two containers:
mcp-threatintel: the MCP server on port 3707threatintel-poller: background feed sync (runs every hour)
The poller will do an initial sync on first start. Give it a minute before the tools have data.
3. Connect to Claude Code
Register the MCP server with the Claude CLI:
claude mcp add threatintel --transport http --scope user --url http://localhost:3707/mcpOr add to your Claude Code settings.json:
{
"mcpServers": {
"threatintel": {
"type": "http",
"url": "http://localhost:3707/mcp"
}
}
}Restart Claude Code. The 12 tools will show up as mcp__threatintel__*.
API Keys
# Required
ABUSECH_API_KEY # Register free at https://auth.abuse.ch/
# Optional (free)
OTX_API_KEY # Register free at https://otx.alienvault.com/
# Optional (paid)
HIBP_API_KEY # $4.50/mo at https://haveibeenpwned.com/API/Key
LEAKCHECK_API_KEY # $10/mo at https://leakcheck.io/Notes
docker-compose.ymlusesnetwork_mode: host. The MCP server binds to0.0.0.0:3707. If you're running this on a server (not just localhost), add a firewall rule to restrict access.Optional bearer-token auth: set
MCP_THREATINTEL_AUTH_TOKEN(generate withopenssl rand -hex 32) and every HTTP client must sendAuthorization: Bearer <token>. Unset = no auth (single-host trusted-boundary default).The SQLite database is stored in a named Docker volume (
threatintel-data). It persists across container restarts.LeakCheck results redact most of the exposed password value. Only the first and last two characters are shown.
HIBP password checks use k-anonymity: only the first 5 characters of the SHA-1 hash are sent to the API. The full password never leaves the machine.
Credits
Built by Pete Stergion for use with Claude Code.
Related: claude-research-agent — the research skill that uses this server for security investigations.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/pete-builds/mcp-threatintel'
If you have feedback or need assistance with the MCP directory API, please join our Discord server