OpenCTI MCP Server
A Model Context Protocol (MCP) server for OpenCTI — the Open Cyber Threat Intelligence Platform developed by Filigran.
Connect your AI assistant to your OpenCTI instance for threat intelligence search, indicator lookup, report analysis, and connector monitoring through natural conversation.
Tools
| Tool | Description |
|---|---|
| `search_entities` | Search any STIX entity type (reports, malware, threat actors, etc.) |
| `get_report` | Get full report details by STIX ID |
| `search_indicators` | Search IOCs by value, pattern type, or keyword |
| `create_indicator` | Create new indicator with STIX/YARA/Sigma pattern |
| `list_connectors` | List all connectors with status and queue depth |
Quick Start
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
| `OPENCTI_URL` | Yes | — | URL of your OpenCTI instance |
| `OPENCTI_TOKEN` | Yes | — | OpenCTI API token |
| `OPENCTI_SSL_VERIFY` | No | `false` | Verify SSL certificates |
| `MCP_TRANSPORT` | No | `stdio` | Transport: `stdio` or `http` |
| `MCP_HOST` | No | `0.0.0.0` | Host to bind (http mode) |
| `MCP_PORT` | No | `8000` | Port to bind (http mode) |
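A preflight check for the variables in the table above, meant to run before the server is started. This is an added example, not part of the opencti-mcp project: `audit()` and its severity labels are hypothetical, and the set of values treated as enabling `OPENCTI_SSL_VERIFY` is an assumption, since the page does not say how the variable is parsed.

```python
import os
from urllib.parse import urlsplit

# Defaults copied from the Environment Variables table on this page.
DEFAULTS = {
    "OPENCTI_SSL_VERIFY": "false",
    "MCP_TRANSPORT": "stdio",
    "MCP_HOST": "0.0.0.0",
    "MCP_PORT": "8000",
}
# Assumption: the page does not say how OPENCTI_SSL_VERIFY is parsed.
TRUTHY = {"1", "true", "yes", "on"}
WILDCARD_HOSTS = {"0.0.0.0", "::"}


def audit(env):
    """Return (severity, message) findings for an environment mapping."""
    cfg = {**DEFAULTS, **env}
    findings = []

    url = urlsplit(cfg.get("OPENCTI_URL", ""))
    if not url.hostname:
        findings.append(("error", "OPENCTI_URL is required and must be an absolute URL"))
    elif url.scheme != "https":
        findings.append(("high", "OPENCTI_URL is not https: the API token is sent unencrypted"))

    if cfg.get("OPENCTI_TOKEN", "") in ("", "your-api-token"):
        findings.append(("error", "OPENCTI_TOKEN is unset or still the README placeholder"))

    if cfg["OPENCTI_SSL_VERIFY"].strip().lower() not in TRUTHY:
        findings.append(("high", "OPENCTI_SSL_VERIFY is off (documented default): the "
                                 "OpenCTI certificate is not validated; set it to true"))

    if cfg["MCP_TRANSPORT"].strip().lower() == "http" and cfg["MCP_HOST"].strip() in WILDCARD_HOSTS:
        findings.append(("high", "MCP_HOST binds every interface (documented default): use "
                                 "127.0.0.1 or restrict the port at the network layer"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(os.environ):
        print(f"[{severity}] {message}")
```

Run it in the same shell that exports the variables; an empty result means none of the documented defaults flagged here are in effect.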
Docker
```bash
git clone https://github.com/DarkAngel-agents/opencti-mcp.git
cd opencti-mcp
export OPENCTI_URL=https://your-opencti-instance.com
export OPENCTI_TOKEN=your-api-token
docker compose up -d
```
Local
```bash
pip install -r requirements.txt
export OPENCTI_URL=https://your-opencti-instance.com
export OPENCTI_TOKEN=your-api-token

# stdio mode
python server.py

# http mode
MCP_TRANSPORT=http python server.py
```
Claude Desktop
```json
{
  "mcpServers": {
    "opencti": {
      "command": "python",
      "args": ["/path/to/opencti-mcp/server.py"],
      "env": {
        "OPENCTI_URL": "https://your-opencti-instance.com",
        "OPENCTI_TOKEN": "your-api-token"
      }
    }
  }
}
```
Example Prompts
- "Search OpenCTI for threat actors related to APT28"
- "Show me the latest reports about ransomware"
- "Look up indicators matching this IP: 192.168.1.100"
- "Create a STIX indicator for domain evil.example.com"
- "What connectors are active and what's their queue status?"
Related Projects
- misp-mcp — MCP server for MISP
- nixos-anssi-bp028 — NixOS ANSSI hardening module
License
MIT