Threat Intelligence MCP Server
Threat intelligence aggregation from multiple sources for security monitoring.
Part of the Agentic System - a 24/7 autonomous AI framework with persistent memory.
Real-time threat intelligence aggregation for the AGI agentic cluster.
Version: 0.2.0
Features
- Multi-source threat feeds: Feodo Tracker, URLhaus, CISA KEV, ThreatFox, Emerging Threats, Spamhaus DROP, Blocklist.de, CINSscore
- IP/Hash reputation checking: VirusTotal, AbuseIPDB, Shodan integration
- Bulk IP checking: Check up to 100 IPs in a single request
- Network scanning integration: Check scanned devices against threat lists
- Thread-safe caching: Intelligent caching with TTL and size limits
- Dashboard API: Aggregated data for visualization (Flask-based)
Installation
cd ${AGENTIC_SYSTEM_PATH:-/opt/agentic}/mcp-servers/threat-intel-mcp
pip install -e .
# For dashboard support:
pip install -e ".[dashboard]"
# For development:
pip install -e ".[dev]"
Configuration
Add to ~/.claude.json:
{
"mcpServers": {
"threat-intel": {
"command": "${AGENTIC_SYSTEM_PATH:-/opt/agentic}/.venv/bin/python3",
"args": ["-m", "threat_intel_mcp.server"]
}
}
}
API Keys (Optional)
Set environment variables for enhanced capabilities:
| Variable | Service | Purpose |
|---|---|---|
VIRUSTOTAL_API_KEY | VirusTotal | Hash and IP lookups |
ABUSEIPDB_API_KEY | AbuseIPDB | IP reputation and abuse reports |
SHODAN_API_KEY | Shodan | IP intelligence and port scanning |
OTX_API_KEY | AlienVault OTX | Threat pulse feeds |
MCP Tools
| Tool | Description |
|---|---|
get_threat_feeds | List all available threat intelligence feeds with status |
fetch_threat_feed | Fetch IOCs from a specific feed by name |
check_ip_reputation | Check IP against multiple threat sources (VT, AbuseIPDB, Shodan) |
check_hash_reputation | Check file hash (MD5/SHA1/SHA256) reputation |
check_bulk_ips | NEW Check up to 100 IPs in a single request |
get_cisa_kev | Get CISA Known Exploited Vulnerabilities catalog |
get_dashboard_summary | Aggregated threat data for dashboards |
get_recent_iocs | Recent IOCs from ThreatFox (filterable by type) |
check_network_against_threats | Check network scan results for threats |
get_threat_stats | NEW Get cache statistics and API key status |
clear_threat_cache | NEW Clear the threat intelligence cache |
Threat Feeds
Free (No API Key Required)
| Feed | Type | Description |
|---|---|---|
feodo_tracker | IP List | Botnet C&C IPs (Dridex, Emotet, TrickBot) |
urlhaus_recent | URL List | Recent malware distribution URLs |
sslbl_ip | IP List | SSL Blacklist malicious IPs |
emerging_threats_compromised | IP List | Compromised host IPs |
tor_exit_nodes | IP List | Known Tor exit node IPs |
cisa_kev | JSON | Known Exploited Vulnerabilities catalog |
threatfox_recent | JSON | Recent malware IOCs |
blocklist_de_all | IP List | All attackers from blocklist.de |
cinsscore_badguys | IP List | CINSscore malicious IPs |
spamhaus_drop | CIDR List | Spamhaus Don't Route Or Peer |
API-Enhanced
| Feed | API Key | Enhanced Data |
|---|---|---|
| VirusTotal | VIRUSTOTAL_API_KEY | Detection ratios, vendor verdicts |
| AbuseIPDB | ABUSEIPDB_API_KEY | Abuse confidence score, report counts |
| Shodan | SHODAN_API_KEY | Open ports, services, vulnerabilities |
| AlienVault OTX | OTX_API_KEY | Threat pulses, related IOCs |
Usage Examples
Check IP Reputation
# Returns threat level: clean/low/medium/high/critical
result = await check_ip_reputation("192.0.2.102")
Bulk IP Check
# Comma-separated
result = await check_bulk_ips("8.8.8.8, 1.1.1.1, 192.0.2.102")
# JSON array
result = await check_bulk_ips('["8.8.8.8", "1.1.1.1"]')
Network Scanner Integration
# Check network scan results against threats
scan_results = '{"devices": [{"ip": "192.0.2.217"}, {"ip": "192.0.2.25"}]}'
threat_check = await check_network_against_threats(scan_results)
Get Recent IOCs
# All recent IOCs
result = await get_recent_iocs()
# Filter by type: ip, ip:port, domain, url, md5, sha1, sha256
result = await get_recent_iocs(ioc_type="ip:port", limit=50)
Running the Dashboard
# Start the Flask dashboard server
threat-intel-dashboard
# Or directly:
python -m threat_intel_mcp.dashboard
Dashboard provides REST API endpoints for visualization tools.
Development
Running Tests
# Install dev dependencies
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# With coverage
pytest tests/ --cov=threat_intel_mcp --cov-report=html
Project Structure
threat-intel-mcp/
├── src/threat_intel_mcp/
│ ├── __init__.py # Package exports
│ ├── config.py # Configuration, validation, caching
│ ├── server.py # FastMCP server and tools
│ └── dashboard.py # Flask dashboard API
├── tests/
│ ├── conftest.py # Pytest fixtures
│ ├── test_config.py # Config module tests
│ └── test_server.py # Server and tool tests
└── pyproject.toml # Package configuration
Changelog
v0.2.0
-
New Features:
- Bulk IP checking (up to 100 IPs)
- Shodan integration for IP intelligence
- Cache statistics and management tools
- 3 additional threat feeds (blocklist.de, CINSscore, Spamhaus DROP)
-
Improvements:
- Shared configuration module eliminates code duplication
- Thread-safe caching with TTL and size limits
- Proper input validation for all IOC types
- Type hints throughout codebase
-
Bug Fixes:
- Fixed all bare except clauses with proper exception handling
- Removed unused imports and dependencies
- Fixed variable scope issues
-
Developer Experience:
- Comprehensive test suite (67 tests)
- pytest-asyncio for async testing
- Optional dependency groups (dashboard, dev)
v0.1.0
- Initial release with basic threat feed aggregation
Part of the MCP Ecosystem
This server integrates with other MCP servers for comprehensive AGI capabilities:
| Server | Purpose |
|---|---|
| enhanced-memory-mcp | 4-tier persistent memory with semantic search |
| agent-runtime-mcp | Persistent task queues and goal decomposition |
| agi-mcp | Full AGI orchestration with 21 tools |
| cluster-execution-mcp | Distributed task routing across nodes |
| node-chat-mcp | Inter-node AI communication |
| ember-mcp | Production-only policy enforcement |
See agentic-system-oss for the complete framework.