What is Mcp Cti

mcp-cti is an MCP (Model Context Protocol) server designed for accessing AlienVault Open Threat Exchange (OTX) threat intelligence directly in the Claude desktop client. It allows users to search, retrieve, and analyze cyber threat intelligence data using natural language.

Use cases

Use cases for mcp-cti include searching for recent threat intelligence pulses, analyzing specific indicators of compromise, retrieving details about threat actors, and checking the maliciousness of IPs, domains, and URLs.

How to use

To use mcp-cti, install the server and ensure you have Python 3.8 or higher along with an AlienVault OTX account and API key. Once set up, you can interact with the OTX API through various tools provided, such as searching for threat intelligence pulses and checking indicators of compromise.

Key features

Key features of mcp-cti include real-time access to threat intelligence, comprehensive IOC analysis, threat actor profiling, cached results for optimized performance, and an asynchronous API for efficient request handling.

Where to use

mcp-cti can be used in cybersecurity research, threat intelligence analysis, incident response, and any field requiring up-to-date information on cyber threats and vulnerabilities.

otx-cti MCP Server

An MCP (Model Context Protocol) server for accessing AlienVault Open Threat Exchange (OTX) threat intelligence directly in Claude.

Overview

This server connects to AlienVault’s OTX DirectConnect API, allowing the Claude for desktop client to search, retrieve, and analyse cyber threat intelligence data. Use this tool to interact with the OTX API using natural language prompting via Claude. By installing this MCP server, you get access to the most recent threat data, including:

• Threat intelligence pulses
• Indicators of compromise (IOCs)
• Malicious IP addresses, domains, and URLs
• Malware file hashes
• Threat actor information

Features

• Real-time Threat Intelligence: Access the latest threat data from AlienVault OTX’s global community
• Comprehensive IOC Analysis: Check if IPs, domains, URLs, or file hashes are known to be malicious
• Threat Actor Profiling: Retrieve information about known threat actors and their activities
• Cached Results: Optimised performance with local caching of API responses
• Asynchronous API: Built with modern async Python for efficient handling of API requests

Tools Provided

Installation

Prerequisites

• Python 3.8 or higher
• An AlienVault OTX account and API key (Sign up here)
• uv package manager (recommended) or pip

Set Up Using UV (Recommended)

1. Clone this repository:

   git clone https://github.com/your-username/otx-mcp-server.git
   cd otx-mcp-server
   
   

2. Create a Python environment and install dependencies:

   uv venv
   source .venv/bin/activate  # On Windows: .venv\Scripts\activate
   uv pip install -e
   
   

Set Up Using Pip

1. Clone this repository:

   git clone https://github.com/your-username/otx-mcp-server.git
   cd otx-mcp-server
   
   

2. Create a Python environment and install dependencies:

   python -m venv .venv
   source .venv/bin/activate  # On Windows: .venv\Scripts\activate
   pip install -e
   
   

Quick install with Claude Desktop

Add the following to your Claude Desktop configuration (claude_desktop_config.json):

  "mcpServers": {
    "otx": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/otx-mcp-server",
        "run",
        "otx"
      ],
      "env": {
        "OTX_API_KEY": "YOUR_API_KEY_HERE"
      }
    }
  }
}

The configuration file is typically located at:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

Sample Prompts

Here are some example prompts to use with the OTX MCP server:

• “Search for recent threat intelligence related to ransomware attacks on healthcare organisations.”
• “Check if the IP address xxx.xx.xx.xx is associated with any known threats.”
• “Get information about the Golden Chickens/Venom Spider threat actor and their recent activities.”
• “Search OTX for specific industry-related threat intelligence. I am looking for threats targeting Financial Services organisations”
• “Find indicators of compromise related to the CWE-94 vulnerability.”
• “Check if the domain malicious-example.com is known to be malicious.”
• “Get the latest threat intelligence pulses from the past 3 days.”

Resource Types

The server provides access to several resource types:

• Pulses: otx://pulse/{pulse_id}
• Indicators: otx://indicator/{indicator_type}/{indicator_value}
• Threat Actors: otx://actor/{actor_name}

These resources can be referenced and accessed throughout your conversation with Claude.

Security Considerations

This tool is designed for legitimate security research and defence purposes. Always:

• Use responsibly and follow applicable laws and regulations
• Maintain proper authorisation for any security testing
• Handle threat intelligence data with appropriate operational security controls (OPSEC)