OpenCTI MCP Server

A Model Context Protocol server that connects AI assistants to OpenCTI threat intelligence platforms. It enables natural language interaction for searching threat intelligence, analyzing reports, managing indicators, and monitoring connectors.

Updated Apr 21, 2026

A Model Context Protocol (MCP) server for OpenCTI — the Open Cyber Threat Intelligence Platform developed by Filigran.

Connect your AI assistant to your OpenCTI instance for threat intelligence search, indicator lookup, report analysis, and connector monitoring through natural conversation.

Tools

| Tool | Description |
| --- | --- |
| search_entities | Search any STIX entity type (reports, malware, threat actors, etc.) |
| get_report | Get full report details by STIX ID |
| search_indicators | Search IOCs by value, pattern type, or keyword |
| create_indicator | Create new indicator with STIX/YARA/Sigma pattern |
| list_connectors | List all connectors with status and queue depth |

Quick Start

Environment Variables

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| OPENCTI_URL | Yes | | URL of your OpenCTI instance |
| OPENCTI_TOKEN | Yes | | OpenCTI API token |
| OPENCTI_SSL_VERIFY | No | false | Verify SSL certificates |
| MCP_TRANSPORT | No | stdio | Transport: stdio or http |
| MCP_HOST | No | 0.0.0.0 | Host to bind (http mode) |
| MCP_PORT | No | 8000 | Port to bind (http mode) |
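
Two of the defaults above deserve a check before first start: OPENCTI_SSL_VERIFY defaults to false, and http mode binds to 0.0.0.0. The pre-flight audit below is an added example, not part of this project's code; the function name `audit_config` is hypothetical, and the set of values treated as enabling OPENCTI_SSL_VERIFY is an assumption, since the page does not document them.

```python
# Added example: pre-flight audit of the environment variables documented above.
# Assumption: "1"/"true"/"yes"/"on" (case-insensitive) enable OPENCTI_SSL_VERIFY;
# the page does not document which values the server accepts.
import ipaddress
import os
from urllib.parse import urlparse

TRUTHY = {"1", "true", "yes", "on"}


def audit_config(env):
    """Return a list of (severity, message) findings for an env mapping."""
    findings = []
    url = env.get("OPENCTI_URL", "")
    token = env.get("OPENCTI_TOKEN", "")
    # Defaults mirror the table: verify=false, transport=stdio, host=0.0.0.0
    verify = env.get("OPENCTI_SSL_VERIFY", "false").strip().lower() in TRUTHY
    transport = env.get("MCP_TRANSPORT", "stdio").strip().lower()
    host = env.get("MCP_HOST", "0.0.0.0").strip()

    if not url or not token:
        findings.append(("error", "OPENCTI_URL and OPENCTI_TOKEN are required"))
    if url and urlparse(url).scheme != "https":
        findings.append(("high", "OPENCTI_URL is not https: "
                         "the API token travels unencrypted"))
    elif url and not verify:
        findings.append(("high", "OPENCTI_SSL_VERIFY is off (the default): the "
                         "OpenCTI certificate is not validated"))
    if transport == "http":
        try:
            exposed = not ipaddress.ip_address(host).is_loopback
        except ValueError:
            # Not an IP literal; only the name "localhost" is treated as local
            exposed = host != "localhost"
        if exposed:
            findings.append(("medium", f"MCP_HOST={host} listens beyond loopback; "
                             "use 127.0.0.1 or restrict access at the network layer"))
    return findings


if __name__ == "__main__":
    results = audit_config(os.environ)
    for severity, message in results:
        print(f"[{severity}] {message}")
    raise SystemExit(1 if results else 0)
```

Run it in the same shell or container environment that will start server.py; a non-zero exit status means at least one finding.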

Docker

git clone https://github.com/DarkAngel-agents/opencti-mcp.git
cd opencti-mcp

export OPENCTI_URL=https://your-opencti-instance.com
export OPENCTI_TOKEN=your-api-token

docker compose up -d

Local

pip install -r requirements.txt

export OPENCTI_URL=https://your-opencti-instance.com
export OPENCTI_TOKEN=your-api-token

# stdio mode
python server.py

# http mode
MCP_TRANSPORT=http python server.py

Claude Desktop

{
  "mcpServers": {
    "opencti": {
      "command": "python",
      "args": ["/path/to/opencti-mcp/server.py"],
      "env": {
        "OPENCTI_URL": "https://your-opencti-instance.com",
        "OPENCTI_TOKEN": "your-api-token"
      }
    }
  }
}

Example Prompts

  • "Search OpenCTI for threat actors related to APT28"
  • "Show me the latest reports about ransomware"
  • "Look up indicators matching this IP: 192.168.1.100"
  • "Create a STIX indicator for domain evil.example.com"
  • "What connectors are active and what's their queue status?"

License

MIT
