Skip to main content
Glama
Abraar02

ThreatWatch MCP

by Abraar02

๐Ÿ›ก๏ธ ThreatWatch MCP

AI-Powered Threat Intelligence with Real-Time Alert Monitoring

A Model Context Protocol (MCP) server that brings multi-source threat intelligence directly into Claude Desktop and any MCP-compatible AI assistant.

Python 3.11+ License: Apache-2.0 MCP


โœจ What Makes ThreatWatch Different

Feature

ThreatWatch

fastmcp-threatintel

Real-time watch-list & alerts

โœ…

โŒ

Persistent alert history

โœ…

โŒ

Shodan InternetDB (free, no key needed)

โœ…

โŒ

Status-change detection

โœ…

โŒ

IOC extraction from freeform text

โœ…

โŒ

Works with zero API keys

โœ…

โŒ


Related MCP server: FastMCP ThreatIntel

๐Ÿ”Œ Available MCP Tools

Tool

Description

analyze_ioc

Analyse a single IP / domain / URL / hash

bulk_analyze

Analyse up to 50 IOCs concurrently

detect_iocs_in_text

Extract IOCs from log files, reports, pastes

add_watch

Add an IOC to the real-time watch-list

remove_watch

Remove an IOC from the watch-list

list_watches

Show all monitored IOCs and their status

get_alerts

Retrieve alerts from monitored IOCs

run_monitor_cycle

Manually trigger a re-scan of all watches

server_status

Show configured sources and monitor state


๐Ÿš€ Installation

Prerequisites

  • Python 3.11 or higher

  • Claude Desktop

  • API keys (see below โ€” all free tier)

Step 1 โ€” Clone the repo

git clone https://github.com/YOUR_USERNAME/threatwatch-mcp.git
cd threatwatch-mcp

Step 2 โ€” Install

pip3 install fastmcp httpx python-dotenv
pip3 install -e .

Step 3 โ€” Verify installation

which threatwatch

You should see a path like /usr/local/bin/threatwatch or /Library/Frameworks/Python.framework/Versions/3.x/bin/threatwatch. Copy this path โ€” you'll need it in Step 5.


๐Ÿ”‘ API Keys (All Free)

Source

Required

Free Limit

Sign Up

VirusTotal

Recommended

1,000 req/day

virustotal.com

AlienVault OTX

Recommended

Unlimited

otx.alienvault.com

AbuseIPDB

Optional

1,000 req/day

abuseipdb.com

IPinfo

Optional

50,000 req/month

ipinfo.io

Shodan InternetDB

None needed

Always free

Built-in

ThreatWatch works with zero API keys โ€” Shodan InternetDB is always available and returns open ports, CVEs, and hostnames for any IP for free.


โš™๏ธ Connect to Claude Desktop

Step 4 โ€” Open the Claude Desktop config

macOS:

open -e ~/Library/Application\ Support/Claude/claude_desktop_config.json

Windows:

%APPDATA%\Claude\claude_desktop_config.json

Step 5 โ€” Add ThreatWatch

Add the threatwatch entry to your mcpServers block. Replace the command path with the output of which threatwatch from Step 3, and fill in your API keys:

{
  "mcpServers": {
    "threatwatch": {
      "command": "/Library/Frameworks/Python.framework/Versions/3.13/bin/threatwatch",
      "env": {
        "VIRUSTOTAL_API_KEY": "your_virustotal_key_here",
        "OTX_API_KEY": "your_otx_key_here",
        "ABUSEIPDB_API_KEY": "your_abuseipdb_key_here",
        "IPINFO_API_KEY": "your_ipinfo_key_here"
      }
    }
  }
}

If you already have other MCP servers configured, just add the threatwatch block inside your existing mcpServers object โ€” don't replace the whole file.

Step 6 โ€” Restart Claude Desktop

Fully quit Claude Desktop (Cmd + Q on Mac, system tray โ†’ Exit on Windows) and reopen it.

Step 7 โ€” Verify

Click the "+" button at the bottom of the Claude chat โ†’ Connectors. You should see ThreatWatch listed with all 9 tools.

Then test it:

Run server_status

๐Ÿ’ฌ Example Prompts

Analyse IP 185.220.101.1 for threats

Check if domain update-adobe-flash.ru is malicious

Is this hash dangerous: d41d8cd98f00b204e9800998ecf8427e

Extract all IOCs from this log and analyse them:
[paste your firewall log, SIEM alert, or email header]

Add a watch on 185.220.101.1 and alert me if it becomes malicious

Get all alerts from the last hour

Run a full monitor cycle now

๐Ÿ”” How Real-Time Monitoring Works

add_watch("185.220.101.1", alert_on=["malicious", "suspicious"])
         โ”‚
         โ–ผ
   Watch-list saved to ~/.threatwatch/watchlist.json
         โ”‚
         โ–ผ
run_monitor_cycle()   โ† trigger manually or on a schedule
         โ”‚
         โ–ผ
   Re-queries all sources for each watched IOC
         โ”‚
         โ–ผ
   Status changed or threshold crossed?
         โ”‚
    Yes  โ”‚  No
    โ–ผ    โ–ผ
  Alert  (no-op)
    โ”‚
    โ–ผ
get_alerts(since_minutes=60)

๐Ÿ—๏ธ Project Structure

threatwatch-mcp/
โ”œโ”€โ”€ src/
โ”‚   โ””โ”€โ”€ threatwatch/
โ”‚       โ”œโ”€โ”€ __init__.py        โ† package definition
โ”‚       โ”œโ”€โ”€ server.py          โ† FastMCP server + all 9 MCP tools
โ”‚       โ”œโ”€โ”€ config.py          โ† settings from environment variables
โ”‚       โ”œโ”€โ”€ ioc_detector.py    โ† IOC type detection (IP/domain/URL/hash)
โ”‚       โ”œโ”€โ”€ intel_sources.py   โ† API adapters (VT, OTX, AbuseIPDB, IPinfo, Shodan)
โ”‚       โ”œโ”€โ”€ alert_monitor.py   โ† real-time watch-list + alert engine
โ”‚       โ””โ”€โ”€ reporter.py        โ† Markdown report builder
โ”œโ”€โ”€ tests/
โ”‚   โ””โ”€โ”€ test_core.py           โ† unit tests
โ”œโ”€โ”€ pyproject.toml             โ† package config + dependencies
โ”œโ”€โ”€ .env.example               โ† environment variable template
โ””โ”€โ”€ README.md

๐Ÿ”’ Security Notes

  • Never commit your .env file โ€” it is in .gitignore by default

  • Restrict config file permissions on your machine:

    chmod 600 ~/Library/Application\ Support/Claude/claude_desktop_config.json
  • All API keys used are read-only โ€” they can query data but cannot modify anything

  • If a key is ever leaked, regenerate it instantly from each service's dashboard


๐Ÿงช Running Tests

pip3 install pytest pytest-asyncio
pytest tests/ -v

๐Ÿ“œ License

Apache 2.0 โ€” see LICENSE for details.


๐Ÿ™ Acknowledgments

A
license - permissive license
-
quality - not tested
D
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
โ€“Release cycle
โ€“Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Abraar02/threatwatch-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server