FastMCP ThreatIntel

v1.0.0Securitystable

Enables AI-powered threat intelligence analysis of IPs, domains, URLs, and file hashes across multiple threat intelligence platforms (VirusTotal, AlienVault OTX, AbuseIPDB, IPinfo) with APT attribution and interactive reporting through natural langua

mcpmcp-servermcp-toolsthreat-huntingthreat-intelligence
Share:
37
Stars
0
Downloads
0
Weekly
0/5

What is FastMCP ThreatIntel?

FastMCP ThreatIntel is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to enables ai-powered threat intelligence analysis of ips, domains, urls, and file hashes across multiple threat intelligence platforms (virustotal, alienvault otx, abuseipdb, ipinfo) with apt attributio...

Enables AI-powered threat intelligence analysis of IPs, domains, URLs, and file hashes across multiple threat intelligence platforms (VirusTotal, AlienVault OTX, AbuseIPDB, IPinfo) with APT attribution and interactive reporting through natural langua

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Enables AI-powered threat intelligence analysis of IPs, doma

Use Cases

Perform threat intelligence analysis of IPs, domains, URLs, and file hashes across VirusTotal, AlienVault OTX, AbuseIPDB, and IPinfo. Identify APT attribution.
4R9UN

Maintainer

LicenseApache 2.0
Languagepython
Versionv1.0.0
UpdatedApr 20, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx fastmcp-threatintel

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use FastMCP ThreatIntel

FastMCP ThreatIntel is a Python-based MCP server that brings multi-source threat intelligence analysis to AI assistants, enabling natural-language investigation of IP addresses, domain names, URLs, and file hashes. It aggregates reputation data from VirusTotal (70+ AV engines), AlienVault OTX (community IOC feeds), AbuseIPDB (IP abuse history), and IPinfo (geolocation), then layers on APT group attribution with MITRE ATT&CK mapping and produces exportable reports in HTML, JSON, Markdown, or STIX formats. Security analysts and incident responders use it to rapidly triage indicators of compromise without context-switching between multiple threat intelligence portals.

Prerequisites

  • Python 3.9+ and pip installed
  • A VirusTotal API key (free tier available at virustotal.com)
  • An AlienVault OTX API key (free at otx.alienvault.com)
  • Optional: AbuseIPDB API key and IPinfo API key for enhanced coverage
  • An MCP-compatible client such as Claude Desktop
1

Install the package via pip

Install fastmcp-threatintel from PyPI and run the interactive setup wizard which prompts for your API keys and stores them in a config file.

pip install fastmcp-threatintel
threatintel setup
2

Test the CLI directly

Verify the installation by analyzing a known IP address from the command line before wiring it up to your MCP client.

threatintel analyze 8.8.8.8 --output-format table --verbose
3

Add the MCP server to Claude Desktop config

Edit claude_desktop_config.json to start the threat intelligence MCP server. The server command is 'threatintel server' and API keys are passed via environment variables.

{
  "mcpServers": {
    "threatintel": {
      "command": "threatintel",
      "args": ["server"],
      "env": {
        "VIRUSTOTAL_API_KEY": "your_virustotal_key",
        "OTX_API_KEY": "your_otx_key",
        "ABUSEIPDB_API_KEY": "your_abuseipdb_key",
        "IPINFO_API_KEY": "your_ipinfo_key"
      }
    }
  }
}
4

Restart Claude Desktop

Restart Claude Desktop to connect to the new MCP server. Once running, the threat intelligence tools will be available for IOC analysis and APT attribution queries.

5

Optional: run with Docker for production deployments

For team or server deployments, use the Docker image which packages all dependencies and supports running the server over HTTP.

docker run -e VIRUSTOTAL_API_KEY=your_key \
           -e OTX_API_KEY=your_key \
           -p 8000:8000 \
           arjuntrivedi/fastmcp-threatintel:latest server --host 0.0.0.0 --port 8000

FastMCP ThreatIntel Examples

Client configuration

Claude Desktop config that starts the FastMCP ThreatIntel server with VirusTotal and OTX API keys. Add ABUSEIPDB_API_KEY and IPINFO_API_KEY for fuller coverage.

{
  "mcpServers": {
    "threatintel": {
      "command": "threatintel",
      "args": ["server"],
      "env": {
        "VIRUSTOTAL_API_KEY": "your_virustotal_api_key",
        "OTX_API_KEY": "your_alienvault_otx_key",
        "ABUSEIPDB_API_KEY": "your_abuseipdb_key",
        "IPINFO_API_KEY": "your_ipinfo_key"
      }
    }
  }
}

Prompts to try

Example prompts for threat intelligence analysis of IPs, domains, URLs, and file hashes with APT attribution.

- "Analyze the IP address 185.220.101.45 across all threat intelligence platforms"
- "Is the domain evil-phishing-site.ru flagged by any threat intelligence sources?"
- "Check this file hash for malware: d41d8cd98f00b204e9800998ecf8427e"
- "Investigate this URL and tell me if it's associated with any APT groups: http://malware.example.com/payload"
- "Generate a MITRE ATT&CK-mapped threat report for IP 203.0.113.42 and export it as HTML"
- "Batch analyze these 3 IOCs and rank them by severity"

Troubleshooting FastMCP ThreatIntel

VirusTotal API returns 403 or quota exceeded errors

The free VirusTotal API tier is limited to 4 requests per minute and 500 per day. If you hit the limit, reduce the CACHE_TTL or space out queries. For higher volume, upgrade to a VirusTotal Premium API key or add CACHE_TTL=3600 to your env config to cache results longer.

'threatintel' command not found after pip install

The pip install placed the script in a directory not on your PATH. Run 'python -m threatintel setup' instead, or find the script location with 'pip show fastmcp-threatintel | grep Location' and add the corresponding bin directory to your PATH.

APT attribution returns 'no attribution data' for known malicious IPs

APT attribution requires active OTX pulse data. Ensure your OTX_API_KEY is valid and that the IP/domain has associated OTX pulses. Try searching the indicator directly in otx.alienvault.com to verify pulse data exists. MITRE ATT&CK mapping also depends on OTX pulse tags.

Frequently Asked Questions about FastMCP ThreatIntel

What is FastMCP ThreatIntel?

FastMCP ThreatIntel is a Model Context Protocol (MCP) server that enables ai-powered threat intelligence analysis of ips, domains, urls, and file hashes across multiple threat intelligence platforms (virustotal, alienvault otx, abuseipdb, ipinfo) with apt attribution and interactive reporting through natural langua It connects AI assistants to external tools and data sources through a standardized interface.

How do I install FastMCP ThreatIntel?

Follow the installation instructions on the FastMCP ThreatIntel GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with FastMCP ThreatIntel?

FastMCP ThreatIntel works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is FastMCP ThreatIntel free to use?

Yes, FastMCP ThreatIntel is open source and available under the Apache 2.0 license. You can use it freely in both personal and commercial projects.

FastMCP ThreatIntel Alternatives — Similar Security Servers

Looking for alternatives to FastMCP ThreatIntel? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "fastmcp-threatintel": { "command": "npx", "args": ["-y", "fastmcp-threatintel"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use FastMCP ThreatIntel?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides