MCP-ThreatIntel
IOC fan-out across OTX, AbuseIPDB, GreyNoise, URLhaus, MalwareBazaar
Submit one IOC and the server fans out to OTX, AbuseIPDB, GreyNoise, URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker, and CISA KEV simultaneously, then synthesizes a unified threat picture.
Cost: Free tier · paid upgrade available
API key: Required
Slug: mcp-threatintel
MCP.md
---
name: mcp-threatintel
category: digital-forensics
cost: freemium
api_key_required: yes
repo: https://github.com/aplaceforallmystuff/mcp-threatintel
paired_skills: ["malware-triage-static", "malware-triage-dynamic", "virustotal-pivoting", "hybrid-analysis-and-any-run-triage", "malwarebazaar-and-malshare-pivoting", "abuseipdb-and-greynoise-attribution"]
capabilities: ["threat-intel", "ioc-enrichment", "reputation-lookup"]
---
# MCP-ThreatIntel — IOC fan-out across OTX, AbuseIPDB, GreyNoise, URLhaus, MalwareBazaar
Submit one IOC and the server fans out to OTX, AbuseIPDB, GreyNoise, URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker, and CISA KEV simultaneously, then synthesizes a unified threat picture.
## Install
```
uvx mcp-threatintel
```
## Configuration
```json
{
  "mcpServers": {
    "threatintel": {
      "command": "uvx",
      "args": ["mcp-threatintel"],
      "env": {
        "OTX_API_KEY": "YOUR_OTX_KEY_HERE",
        "ABUSEIPDB_API_KEY": "YOUR_ABUSEIPDB_KEY_HERE"
      }
    }
  }
}
```
OTX key: otx.alienvault.com (free). AbuseIPDB key: abuseipdb.com (free tier).
## What it adds
Instead of manually checking 8 threat intel feeds for each IOC, Claude submits once and gets a consolidated verdict — is this IP known-bad, in what campaigns, with what confidence, flagged by CISA as actively exploited, or linked to known malware families. Replaces 30+ minutes of manual feed checking with a single query per IOC.
## Pairs with skills
- 085 `malware-triage-static`
- 086 `malware-triage-dynamic`
- 432 `virustotal-pivoting`
- 434 `hybrid-analysis-and-any-run-triage`
- 436 `malwarebazaar-and-malshare-pivoting`
- 437 `abuseipdb-and-greynoise-attribution`
## Cost
OTX and AbuseIPDB keys required (both free). All other feeds (GreyNoise, URLhaus, MalwareBazaar, ThreatFox, Feodo, CISA KEV) work without keys.
Pairs with skills
- #085 malware-triage-static
- #086 malware-triage-dynamic
- #432 virustotal-pivoting
- #434 hybrid-analysis-and-any-run-triage
- #436 malwarebazaar-and-malshare-pivoting
- #437 abuseipdb-and-greynoise-attribution
This MCP gives your agent the tools to execute the workflow described by these skills — instead of just describing it.
Bundled in the Toolkit
This MCP is one of 36 pre-configured servers in the Investigator's MCP Toolkit. One-command installer, $149 one-time.