Yes, Threatintel is free to use.

How do I install Threatintel?

Threatintel is a local plugin. Install it using npm package: mcp-threatintel-server and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Threatintel need?

Threatintel requires the following credentials or environment variables: OTX_API_KEY, ABUSEIPDB_API_KEY, GREYNOISE_API_KEY, ABUSECH_AUTH_KEY. You can find setup instructions on the server detail page.

What AI apps work with Threatintel?

Threatintel uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Threatintel MCP Server

by Aplaceforallmystuff

Developer ToolsLow Risk8.3MCP RegistryLocal

Free

Server data from the Official MCP Registry

Unified threat intel - OTX, AbuseIPDB, GreyNoise, abuse.ch, Feodo Tracker

About

Unified threat intel - OTX, AbuseIPDB, GreyNoise, abuse.ch, Feodo Tracker

Security Report

8.3

Low Risk8.3Low Risk

Valid MCP server (2 strong, 4 medium validity signals). 2 known CVEs in dependencies (0 critical, 2 high severity) Package registry verified. Imported from the Official MCP Registry. Trust signals: trusted author (9/9 approved).

3 files analyzed · 3 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

HTTP Network Access

Connects to external APIs or services over the internet.

env_vars

Check that this permission is expected for this type of plugin.

What You'll Need

Set these up before or after installing:

AlienVault OTX API key (free at otx.alienvault.com)Required

Environment variable: OTX_API_KEY

AbuseIPDB API key (free at abuseipdb.com)Required

Environment variable: ABUSEIPDB_API_KEY

GreyNoise API key (free at greynoise.io)Required

Environment variable: GREYNOISE_API_KEY

abuse.ch Auth Key for URLhaus, MalwareBazaar, ThreatFox (free at auth.abuse.ch)Required

Environment variable: ABUSECH_AUTH_KEY

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-aplaceforallmystuff-mcp-threatintel": {
      "env": {
        "OTX_API_KEY": "your-otx-api-key-here",
        "ABUSECH_AUTH_KEY": "your-abusech-auth-key-here",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-api-key-here",
        "GREYNOISE_API_KEY": "your-greynoise-api-key-here"
      },
      "args": [
        "-y",
        "mcp-threatintel-server"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

MCP Threat Intel Server

MCP server providing unified access to multiple threat intelligence sources for security research and analysis.

Why Use This?

If you're doing security research, incident response, or threat analysis, this MCP server lets you:

Unified lookups - Query IPs, domains, hashes, and URLs across multiple sources simultaneously
Reduce context switching - No need to open multiple browser tabs for different intel sources
Correlate intelligence - See results from all configured sources in one response
Free tier friendly - Works with free API tiers, gracefully degrades when sources unavailable
Works without keys - Feodo Tracker (botnet C2s) works without any API keys

Features

Category	Capabilities
Unified Lookups	Query IPs, domains, file hashes, URLs across all sources
AlienVault OTX	Threat pulses, indicators of compromise, community intelligence
AbuseIPDB	IP reputation, abuse reports, confidence scores
GreyNoise	Internet noise vs targeted attacks, scanner identification
abuse.ch	URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker

Prerequisites

Node.js 18+
API keys for your preferred threat intelligence sources (see below)

Installation

Using npm (Recommended)

npx mcp-threatintel-server

Or install globally:

npm install -g mcp-threatintel-server

From Source

git clone https://github.com/aplaceforallmystuff/mcp-threatintel.git
cd mcp-threatintel
npm install
npm run build

Configuration

For Claude Desktop

Add to your Claude Desktop config file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "threatintel": {
      "command": "npx",
      "args": ["-y", "mcp-threatintel-server"],
      "env": {
        "OTX_API_KEY": "your-otx-api-key",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-api-key",
        "GREYNOISE_API_KEY": "your-greynoise-api-key",
        "ABUSECH_AUTH_KEY": "your-abusech-auth-key"
      }
    }
  }
}

For Claude Code

Add to ~/.claude.json:

{
  "mcpServers": {
    "threatintel": {
      "command": "npx",
      "args": ["-y", "mcp-threatintel-server"],
      "env": {
        "OTX_API_KEY": "your-otx-api-key",
        "ABUSEIPDB_API_KEY": "your-abuseipdb-api-key",
        "GREYNOISE_API_KEY": "your-greynoise-api-key",
        "ABUSECH_AUTH_KEY": "your-abusech-auth-key"
      }
    }
  }
}

API Keys

Service	Required	Free Tier	Get Key
AlienVault OTX	Optional	Yes (unlimited)	otx.alienvault.com
AbuseIPDB	Optional	Yes (1,000/day)	abuseipdb.com
GreyNoise	Optional	Yes (limited)	greynoise.io
abuse.ch	Optional	Yes	auth.abuse.ch
Feodo Tracker	No	Yes	Public JSON feeds

Note: Tools are dynamically enabled based on which API keys you provide. Feodo Tracker works without authentication (public JSON feeds).

Usage Examples

Check Available Sources

"What threat intel sources are configured?"

"Show me threatintel status"

IP Investigation

"Check if 185.220.101.1 is malicious"

"Look up this IP across all threat intel sources"

Domain Analysis

"Is evil-domain.com known to be malicious?"

"Check domain reputation"

Malware Hash Lookup

"Look up this SHA256 hash in threat intel"

"Is this file hash known malware?"

URL Analysis

"Check if this URL is in any blocklists"

Botnet Tracking (No API Key Required)

"Show me active botnet C2 servers"

"Get Feodo tracker data for Emotet"

Threat Pulses

"Search OTX for recent ransomware pulses"

"Get latest threat intelligence pulses"

Available Tools

Status

Tool	Description
`threatintel_status`	Check which threat intelligence sources are configured

Unified Lookups

Tool	Description
`threatintel_lookup_ip`	Look up IP across all configured sources
`threatintel_lookup_domain`	Look up domain across all configured sources
`threatintel_lookup_hash`	Look up file hash (MD5/SHA1/SHA256) across sources
`threatintel_lookup_url`	Look up URL across sources

AbuseIPDB (requires API key)

Tool	Description
`abuseipdb_check`	Check IP reputation and abuse history

AlienVault OTX (requires API key)

Tool	Description
`otx_get_pulses`	Get recent threat intelligence pulses
`otx_search_pulses`	Search pulses by keyword

GreyNoise (requires API key)

Tool	Description
`greynoise_ip`	Check if IP is internet noise or targeted threat

URLhaus (requires abuse.ch auth key)

Tool	Description
`urlhaus_lookup`	Look up URL, domain, or IP in URLhaus
`urlhaus_recent`	Get recent malware URLs

MalwareBazaar (requires abuse.ch auth key)

Tool	Description
`malwarebazaar_hash`	Look up malware sample by hash
`malwarebazaar_recent`	Get recent malware samples
`malwarebazaar_tag`	Search samples by tag

ThreatFox (requires abuse.ch auth key)

Tool	Description
`threatfox_iocs`	Get recent IOCs from ThreatFox
`threatfox_search`	Search ThreatFox IOCs

Feodo Tracker (no key required)

Tool	Description
`feodo_tracker`	Get active botnet C2 servers (QakBot, Emotet, Dridex, etc.)

Development

# Watch mode for development
npm run watch

# Build TypeScript
npm run build

# Run locally
node dist/index.js

Troubleshooting

"No threat intel sources configured"

You can use the server without any API keys - Feodo Tracker will still work. For other sources, add the appropriate API keys to your configuration.

"API error: 401 Unauthorized"

Your API key is invalid or expired. Generate a new one from the respective service.

"API error: 429 Too Many Requests"

You've exceeded the rate limit for a service. Wait a while or upgrade your API tier.

Partial results

If some sources return errors, the unified lookup tools will still return results from working sources. Check threatintel_status to see which sources are configured correctly.

Data Sources

AlienVault OTX

Open Threat Exchange - community-driven threat intelligence platform with pulses containing indicators of compromise.

AbuseIPDB

Crowdsourced IP reputation database with abuse reports from network administrators worldwide.

GreyNoise

Identifies IPs scanning the internet vs targeted attacks. Helps reduce false positives in threat detection.

abuse.ch Projects

URLhaus - Malware distribution URLs
MalwareBazaar - Malware sample repository
ThreatFox - IOC sharing platform
Feodo Tracker - Botnet C2 infrastructure tracking

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

License

MIT - see LICENSE for details.

Related Projects

For additional threat intelligence capabilities, consider:

@burtthecoder/mcp-shodan - Shodan internet scanning
@burtthecoder/mcp-virustotal - VirusTotal malware analysis

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

MarkItDown

Free

by Microsoft · Content & Media

Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption

mcp-creator-typescript

Free

by mcp-marketplace · Developer Tools

Scaffold, build, and publish TypeScript MCP servers to npm — conversationally

FinAgent

Free

by mcp-marketplace · Finance

Free stock data and market news for any MCP-compatible AI assistant.

Threatintel MCP Server

About

Security Report

Findings (3)Action required

Permissions Required

What You'll Need

How to Install

Documentation

MCP Threat Intel Server

Why Use This?

Features

Prerequisites

Installation

Using npm (Recommended)

From Source

Configuration

For Claude Desktop

For Claude Code

API Keys

Usage Examples

Check Available Sources

IP Investigation

Domain Analysis

Malware Hash Lookup

URL Analysis

Botnet Tracking (No API Key Required)

Threat Pulses

Available Tools

Status

Unified Lookups

AbuseIPDB (requires API key)

AlienVault OTX (requires API key)

GreyNoise (requires API key)

URLhaus (requires abuse.ch auth key)

MalwareBazaar (requires abuse.ch auth key)

ThreatFox (requires abuse.ch auth key)

Feodo Tracker (no key required)

Development

Troubleshooting

"No threat intel sources configured"

"API error: 401 Unauthorized"

"API error: 429 Too Many Requests"

Partial results

Data Sources

AlienVault OTX

AbuseIPDB

GreyNoise

abuse.ch Projects

Contributing

License

Links

Related Projects

Reviews

No reviews yet

More Developer Tools MCP Servers

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent

Threatintel MCP Server

About

Security Report

Findings (3)Action required

Permissions Required

What You'll Need

How to Install

Documentation

MCP Threat Intel Server

Why Use This?

Features

Prerequisites

Installation

Using npm (Recommended)

From Source

Configuration

For Claude Desktop

For Claude Code

API Keys