FastMCP ThreatIntel
Enables AI-powered threat intelligence analysis of IPs, domains, URLs, and file hashes across multiple threat intelligence platforms (VirusTotal, AlienVault OTX, AbuseIPDB, IPinfo) with APT attribution and interactive reporting through natural langua
What is FastMCP ThreatIntel?
FastMCP ThreatIntel is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to enables ai-powered threat intelligence analysis of ips, domains, urls, and file hashes across multiple threat intelligence platforms (virustotal, alienvault otx, abuseipdb, ipinfo) with apt attributio...
Enables AI-powered threat intelligence analysis of IPs, domains, URLs, and file hashes across multiple threat intelligence platforms (VirusTotal, AlienVault OTX, AbuseIPDB, IPinfo) with APT attribution and interactive reporting through natural langua
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- Enables AI-powered threat intelligence analysis of IPs, doma
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx fastmcp-threatintelConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use FastMCP ThreatIntel
FastMCP ThreatIntel is a Python-based MCP server that brings multi-source threat intelligence analysis to AI assistants, enabling natural-language investigation of IP addresses, domain names, URLs, and file hashes. It aggregates reputation data from VirusTotal (70+ AV engines), AlienVault OTX (community IOC feeds), AbuseIPDB (IP abuse history), and IPinfo (geolocation), then layers on APT group attribution with MITRE ATT&CK mapping and produces exportable reports in HTML, JSON, Markdown, or STIX formats. Security analysts and incident responders use it to rapidly triage indicators of compromise without context-switching between multiple threat intelligence portals.
Prerequisites
- Python 3.9+ and pip installed
- A VirusTotal API key (free tier available at virustotal.com)
- An AlienVault OTX API key (free at otx.alienvault.com)
- Optional: AbuseIPDB API key and IPinfo API key for enhanced coverage
- An MCP-compatible client such as Claude Desktop
Install the package via pip
Install fastmcp-threatintel from PyPI and run the interactive setup wizard which prompts for your API keys and stores them in a config file.
pip install fastmcp-threatintel
threatintel setupTest the CLI directly
Verify the installation by analyzing a known IP address from the command line before wiring it up to your MCP client.
threatintel analyze 8.8.8.8 --output-format table --verboseAdd the MCP server to Claude Desktop config
Edit claude_desktop_config.json to start the threat intelligence MCP server. The server command is 'threatintel server' and API keys are passed via environment variables.
{
"mcpServers": {
"threatintel": {
"command": "threatintel",
"args": ["server"],
"env": {
"VIRUSTOTAL_API_KEY": "your_virustotal_key",
"OTX_API_KEY": "your_otx_key",
"ABUSEIPDB_API_KEY": "your_abuseipdb_key",
"IPINFO_API_KEY": "your_ipinfo_key"
}
}
}
}Restart Claude Desktop
Restart Claude Desktop to connect to the new MCP server. Once running, the threat intelligence tools will be available for IOC analysis and APT attribution queries.
Optional: run with Docker for production deployments
For team or server deployments, use the Docker image which packages all dependencies and supports running the server over HTTP.
docker run -e VIRUSTOTAL_API_KEY=your_key \
-e OTX_API_KEY=your_key \
-p 8000:8000 \
arjuntrivedi/fastmcp-threatintel:latest server --host 0.0.0.0 --port 8000FastMCP ThreatIntel Examples
Client configuration
Claude Desktop config that starts the FastMCP ThreatIntel server with VirusTotal and OTX API keys. Add ABUSEIPDB_API_KEY and IPINFO_API_KEY for fuller coverage.
{
"mcpServers": {
"threatintel": {
"command": "threatintel",
"args": ["server"],
"env": {
"VIRUSTOTAL_API_KEY": "your_virustotal_api_key",
"OTX_API_KEY": "your_alienvault_otx_key",
"ABUSEIPDB_API_KEY": "your_abuseipdb_key",
"IPINFO_API_KEY": "your_ipinfo_key"
}
}
}
}Prompts to try
Example prompts for threat intelligence analysis of IPs, domains, URLs, and file hashes with APT attribution.
- "Analyze the IP address 185.220.101.45 across all threat intelligence platforms"
- "Is the domain evil-phishing-site.ru flagged by any threat intelligence sources?"
- "Check this file hash for malware: d41d8cd98f00b204e9800998ecf8427e"
- "Investigate this URL and tell me if it's associated with any APT groups: http://malware.example.com/payload"
- "Generate a MITRE ATT&CK-mapped threat report for IP 203.0.113.42 and export it as HTML"
- "Batch analyze these 3 IOCs and rank them by severity"Troubleshooting FastMCP ThreatIntel
VirusTotal API returns 403 or quota exceeded errors
The free VirusTotal API tier is limited to 4 requests per minute and 500 per day. If you hit the limit, reduce the CACHE_TTL or space out queries. For higher volume, upgrade to a VirusTotal Premium API key or add CACHE_TTL=3600 to your env config to cache results longer.
'threatintel' command not found after pip install
The pip install placed the script in a directory not on your PATH. Run 'python -m threatintel setup' instead, or find the script location with 'pip show fastmcp-threatintel | grep Location' and add the corresponding bin directory to your PATH.
APT attribution returns 'no attribution data' for known malicious IPs
APT attribution requires active OTX pulse data. Ensure your OTX_API_KEY is valid and that the IP/domain has associated OTX pulses. Try searching the indicator directly in otx.alienvault.com to verify pulse data exists. MITRE ATT&CK mapping also depends on OTX pulse tags.
Frequently Asked Questions about FastMCP ThreatIntel
What is FastMCP ThreatIntel?
FastMCP ThreatIntel is a Model Context Protocol (MCP) server that enables ai-powered threat intelligence analysis of ips, domains, urls, and file hashes across multiple threat intelligence platforms (virustotal, alienvault otx, abuseipdb, ipinfo) with apt attribution and interactive reporting through natural langua It connects AI assistants to external tools and data sources through a standardized interface.
How do I install FastMCP ThreatIntel?
Follow the installation instructions on the FastMCP ThreatIntel GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with FastMCP ThreatIntel?
FastMCP ThreatIntel works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is FastMCP ThreatIntel free to use?
Yes, FastMCP ThreatIntel is open source and available under the Apache 2.0 license. You can use it freely in both personal and commercial projects.
FastMCP ThreatIntel Alternatives — Similar Security Servers
Looking for alternatives to FastMCP ThreatIntel? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up FastMCP ThreatIntel in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use FastMCP ThreatIntel?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.