OpenCTI MCP Server

MCPOpen SourceMIT46.6

by Spathodea-Network • Identity & Access

An MCP server that exposes OpenCTI threat intelligence (reports, indicators, malware, actors, STIX objects, files, users) via a standardized Model Context Protocol interface.

Example Use Cases

1
Fetch and search the latest threat intelligence reports and related metadata from an OpenCTI instance.
2
Query and filter indicators, malware, and threat actor information programmatically using a standardized MCP interface.
3
Browse and retrieve STIX objects, files, users/groups, connectors, and reference data (labels, marking definitions) from OpenCTI.

Description

OpenCTI MCP Server provides a Model Context Protocol (MCP) wrapper around an OpenCTI instance, enabling agents to query and retrieve threat intelligence data through standardized calls. It supports fetching latest reports, searching malware, indicators, threat actors, STIX objects, user/group management, connectors, files, labels and marking definitions. The server is configurable via environment variables and MCP settings and aims to simplify integration between agents and the OpenCTI platform. It is distributed under an MIT license and intended for self-hosting with an OpenCTI API token.

Quick Actions

View on GitHub

Security

Scanned 3 month(s) ago

Risk Level

MINIMAL

Read-only data retrieval, no side effects

Trust Score

D44/100

4/17 checks passed

Scores are informational only and provided “as is” without warranty. AgentHotspot assumes no liability for actions taken based on these ratings.

Quick Stats

Service TypeMCP

Pricing ModelFree

Capabilities0 Tools / 0 Prompts / 0 Resources

OwnerSpathodea-Network

CategoryIdentity & Access

DependenciesStandalone