OpenCTI MCP Server
by
Provides a Model Context Protocol server that enables querying and retrieving threat intelligence data from OpenCTI through a standardized interface.
OpenCTI MCP Server Overview
What is OpenCTI MCP Server about?
Enables seamless integration with an OpenCTI instance, exposing threat‑intel collections (reports, malware, indicators, threat actors, STIX objects, etc.) via a standard MCP endpoint. Clients can issue GraphQL queries or use predefined tool calls to fetch and manipulate data without dealing directly with OpenCTI's API.
How to use OpenCTI MCP Server?
- Install – clone the repo, run
npm installandnpm run build(or use the Smithery shortcut). - Configure – copy
.env.exampleto.envand setOPENCTI_URLandOPENCTI_TOKEN. - Start the server – execute the built entry point (e.g.,
node path/to/opencti-mcp/build/index.js). - Register in MCP settings – add a server entry pointing to the Node command and expose the needed environment variables.
- Consume – call the defined tools (e.g.,
get_latest_reports,search_malware) or submit arbitrary GraphQL queries through any MCP‑compatible client.
Key features of OpenCTI MCP Server
- Fetch latest reports and retrieve reports by ID
- Search malware, indicators of compromise, and threat actors
- User and group enumeration with detail lookup
- STIX object queries (attack patterns, campaigns, etc.)
- System management utilities (connectors, status templates)
- File handling (list files, get file details)
- Reference data exposure (marking definitions, labels)
- Fully customizable query limits
- Full GraphQL support for advanced queries
Use cases of OpenCTI MCP Server
- Threat‑intel aggregation: Centralize OpenCTI data for downstream analytics or SIEM ingestion.
- Automated reporting: Periodically pull the newest reports for briefing decks or dashboards.
- SOC enrichment: Enrich alerts with malware, indicator, or actor details via MCP calls.
- Custom threat‑intel applications: Build lightweight front‑ends or bots that query OpenCTI without handling authentication each time.
- Integration testing: Use the MCP server as a mockable endpoint for CI pipelines that validate threat‑intel workflows.
FAQ from the OpenCTI MCP Server
Q: Which OpenCTI version is required? A: Any version that supports the standard REST/GraphQL API; the server only forwards calls, so compatibility is broad.
Q: Do I need to expose my OpenCTI token?
A: The token is loaded from the .env file and injected via environment variables; never commit the file to version control.
Q: Can I limit the number of results returned?
A: Yes, most tool definitions accept an optional first argument (default 10) to cap result sets.
Q: Is the server compatible with other MCP clients? A: Absolutely – as long as the client follows the MCP specification, it can interact with this server.
Q: How do I upgrade the server after a new release?
A: Pull the latest commits, run npm install to update dependencies, rebuild with npm run build, and restart the process.
OpenCTI MCP Server's README
OpenCTI MCP Server
Overview
OpenCTI MCP Server is a Model Context Protocol (MCP) server that provides seamless integration with OpenCTI (Open Cyber Threat Intelligence) platform. It enables querying and retrieving threat intelligence data through a standardized interface.
Features
- Fetch and search threat intelligence data
- Get latest reports and search by ID
- Search for malware information
- Query indicators of compromise
- Search for threat actors
- User and group management
- List all users and groups
- Get user details by ID
- STIX object operations
- List attack patterns
- Get campaign information by name
- System management
- List connectors
- View status templates
- File operations
- List all files
- Get file details by ID
- Reference data access
- List marking definitions
- View available labels
- Customizable query limits
- Full GraphQL query support
Prerequisites
- Node.js 16 or higher
- Access to an OpenCTI instance
- OpenCTI API token
Installation
Installing via Smithery
To install OpenCTI Server for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install opencti-server --client claude
Manual Installation
# Clone the repository
git clone https://github.com/yourusername/opencti-mcp-server.git
# Install dependencies
cd opencti-mcp-server
npm install
# Build the project
npm run build
Configuration
Environment Variables
Copy .env.example to .env and update with your OpenCTI credentials:
cp .env.example .env
Required environment variables:
OPENCTI_URL: Your OpenCTI instance URLOPENCTI_TOKEN: Your OpenCTI API token
MCP Settings
Create a configuration file in your MCP settings location:
{
"mcpServers": {
"opencti": {
"command": "node",
"args": ["path/to/opencti-server/build/index.js"],
"env": {
"OPENCTI_URL": "${OPENCTI_URL}", // Will be loaded from .env
"OPENCTI_TOKEN": "${OPENCTI_TOKEN}" // Will be loaded from .env
}
}
}
}
Security Notes
- Never commit
.envfile or API tokens to version control - Keep your OpenCTI credentials secure
- The
.gitignorefile is configured to exclude sensitive files
Available Tools
Available Tools
Reports
get_latest_reports
Retrieves the most recent threat intelligence reports.
{
"name": "get_latest_reports",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
get_report_by_id
Retrieves a specific report by its ID.
{
"name": "get_report_by_id",
"arguments": {
"id": "report-uuid" // Required
}
}
Search Operations
search_malware
Searches for malware information in the OpenCTI database.
{
"name": "search_malware",
"arguments": {
"query": "ransomware",
"first": 10 // Optional, defaults to 10
}
}
search_indicators
Searches for indicators of compromise.
{
"name": "search_indicators",
"arguments": {
"query": "domain",
"first": 10 // Optional, defaults to 10
}
}
search_threat_actors
Searches for threat actor information.
{
"name": "search_threat_actors",
"arguments": {
"query": "APT",
"first": 10 // Optional, defaults to 10
}
}
User Management
get_user_by_id
Retrieves user information by ID.
{
"name": "get_user_by_id",
"arguments": {
"id": "user-uuid" // Required
}
}
list_users
Lists all users in the system.
{
"name": "list_users",
"arguments": {}
}
list_groups
Lists all groups with their members.
{
"name": "list_groups",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
STIX Objects
list_attack_patterns
Lists all attack patterns in the system.
{
"name": "list_attack_patterns",
"arguments": {
"first": 10 // Optional, defaults to 10
}
}
get_campaign_by_name
Retrieves campaign information by name.
{
"name": "get_campaign_by_name",
"arguments": {
"name": "campaign-name" // Required
}
}
System Management
list_connectors
Lists all system connectors.
{
"name": "list_connectors",
"arguments": {}
}
list_status_templates
Lists all status templates.
{
"name": "list_status_templates",
"arguments": {}
}
File Operations
get_file_by_id
Retrieves file information by ID.
{
"name": "get_file_by_id",
"arguments": {
"id": "file-uuid" // Required
}
}
list_files
Lists all files in the system.
{
"name": "list_files",
"arguments": {}
}
Reference Data
list_marking_definitions
Lists all marking definitions.
{
"name": "list_marking_definitions",
"arguments": {}
}
list_labels
Lists all available labels.
{
"name": "list_labels",
"arguments": {}
}
Contributing
Contributions are welcome! Please feel free to submit pull requests.
License
MIT License
OpenCTI MCP Server Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
OpenCTI MCP Server's Information
- Author
- Spathodea-Network
- Category
- Security
- Language
- TypeScript
- License
- MIT License
- Version
- v0.1.0
- Stars
- 22
- Updated
- 21 days ago
Similar MCP Servers like OpenCTI MCP Server
Explore related MCPs that share similar capabilities and solve comparable challenges
SafeLine
by chaitin
A self‑hosted web application firewall and reverse proxy that protects web applications from attacks and exploits by filtering, monitoring, and blocking malicious HTTP/S traffic.
Burp MCP Server
by PortSwigger
Enables Burp Suite to communicate with AI clients via the Model Context Protocol, providing an MCP server and bundled stdio proxy.
Cycode CLI
by cycodehq
Boost security in the development lifecycle via SAST, SCA, secrets, and IaC scanning.
Keycloak MCP Server
by ChristophEnglisch
Provides AI‑powered administration of Keycloak users and realms through the Model Context Protocol, enabling automated creation, deletion, and listing of users and realms from MCP clients such as Claude Desktop.
Authenticator App MCP Server
Officialby firstorderai
Provides seamless access to two‑factor authentication codes and passwords for AI agents, enabling automated login while maintaining security.
OPNSense MCP Server
by vespo92
Manage OPNsense firewalls through conversational AI, providing network configuration, device discovery, DNS filtering, HAProxy setup, and backup/restore via simple commands.
MalwareBazaar MCP
by mytechnotalent
Provides an AI-driven interface to Malware Bazaar, delivering real-time threat intelligence and sample metadata for authorized cybersecurity research workflows.
Attestable MCP Server
by co-browser
Verify that any MCP server is running the intended and untampered code via hardware attestation.
Shodan Mcp
by Hexix23
Provides a powerful interface to the Shodan API, enabling advanced search, host intelligence, vulnerability discovery, and network mapping for security research.