Security Intelligence Server
FreeNot checkedProvides a unified interface for security analysts to gather threat intelligence from multiple sources including VirusTotal, Shodan, NVD, AnyRun, AlienVault OTX
About
Provides a unified interface for security analysts to gather threat intelligence from multiple sources including VirusTotal, Shodan, NVD, AnyRun, AlienVault OTX, and GitHub.
README
A Model Context Protocol (MCP) server that provides a unified interface for security analysts to gather threat intelligence from VirusTotal, Shodan, NVD, AnyRun, AlienVault OTX, and GitHub.
Features
This server implements a set of tools that allow an LLM to perform the following operations:
VirusTotal
vt_file_report: Retrieve analysis reports for file hashes (MD5, SHA1, SHA256).vt_url_report: Retrieve analysis reports for URLs.vt_domain_report: Retrieve analysis reports for domains.vt_ip_report: Retrieve analysis reports for IP addresses.
Shodan
shodan_host_info: Get detailed host information for a specific IP.shodan_search: Search for hosts matching a specific query.
NVD (National Vulnerability Database)
nvd_cve_details: Get detailed information for a specific CVE ID.nvd_search: Search for CVEs using keywords with optional date range filtering (daysBack,pubStartDate/pubEndDate,lastModStartDate/lastModEndDate), pagination (resultsPerPage,startIndex).
AnyRun
anyrun_task_details: Get details for a specific sandbox task.anyrun_search: Search for tasks matching a query.anyrun_submit_url: Submit a URL for analysis.anyrun_submit_file: Submit a local file for analysis.anyrun_get_report: Retrieve the final analysis report.
AlienVault OTX
otx_indicator_details: Get detailed information for an indicator. Returns all available sections (reputation, geo, malware, url_list, passive_dns, analysis) or a specific section if requested. Supports types: IPv4, IPv6, domain, hostname, file, url.otx_indicator_pulses: Find all OTX Pulses associated with an indicator.otx_pulse_details: Get full details of a specific threat pulse.otx_search_pulses: Search for pulses by keyword.otx_subscribed_pulses: Get your subscribed pulse feed (paginated).otx_recent_activity: Get recent OTX community activity (paginated).
GitHub
github_search_advisories: Search GitHub for security advisories and vulnerability discussions.github_search_poc: Search GitHub for exploit PoC code related to a CVE or vulnerability.
Sigma Rule Generator
generate_sigma_rules: Generate Sigma detection rules (YAML) from threat indicators. Accepts enriched indicators (IPs, domains, URLs, file hashes, CVEs) with optional descriptions, references, and tags. Supportssinglemode (all indicators in one rule) orseparatemode (one rule per indicator). Configurable severity level, status, and author.
Quick Start Guide
Prerequisites
- Node.js (v18 or higher)
- API Keys for the following services:
- VirusTotal
- Shodan
- NVD
- AnyRun
- AlienVault OTX
- GitHub
Installation
Clone the repository or navigate to the project folder:
cd kb-mcpInstall dependencies:
npm installConfigure environment variables: Create a
.envfile in the root directory and add your API keys:VIRUSTOTAL_API_KEY=your_vt_key_here SHODAN_API_KEY=your_shodan_key_here NVD_API_KEY=your_nvd_key_here ANYRUN_API_KEY=your_anyrun_key_here ALIENVAULT_OTX_API_KEY=your_otx_key_here GITHUB_TOKEN=your_github_token_hereBuild the project:
npm run build
Running the Server
You can start the server in stdio mode:
npm start
Integration with MCP Clients (e.g., Claude Desktop)
Add the following configuration to your MCP settings file:
{
"mcpServers": {
"security-intelligence": {
"command": "node",
"args": ["FULL_PATH_TO/kb-mcp/dist/index.js"],
"env": {
"VIRUSTOTAL_API_KEY": "your_vt_key",
"SHODAN_API_KEY": "your_shodan_key",
"NVD_API_KEY": "your_nvd_key",
"ANYRUN_API_KEY": "your_anyrun_key",
"ALIENVAULT_OTX_API_KEY": "your_otx_key",
"GITHUB_TOKEN": "your_github_token"
}
}
}
}
Alternatively, if your client uses YAML configuration:
mcpServers:
security-intelligence:
command: "node"
args:
- "FULL_PATH_TO/kb-mcp/dist/index.js"
env:
VIRUSTOTAL_API_KEY: "your_vt_key"
SHODAN_API_KEY: "your_shodan_key"
NVD_API_KEY: "your_nvd_key"
ANYRUN_API_KEY: "your_anyrun_key"
ALIENVAULT_OTX_API_KEY: "your_otx_key"
GITHUB_TOKEN: "your_github_token"
Architecture
The server uses a provider-based architecture where each security service is encapsulated in its own provider class. This ensures that API-specific logic (authentication, rate limiting, and data formatting) is isolated from the MCP tool definitions.
src/index.ts: Main server entry point and tool routing.src/providers/: Individual API clients for each service.src/config.ts: Environment variable management.src/types/: Shared TypeScript interfaces.
Installing Security Intelligence Server
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/df4u1t/kb-mcpFAQ
Is Security Intelligence Server MCP free?
Yes, Security Intelligence Server MCP is free — one-click install via Unyly at no cost.
Does Security Intelligence Server need an API key?
No, Security Intelligence Server runs without API keys or environment variables.
Is Security Intelligence Server hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Security Intelligence Server in Claude Desktop, Claude Code or Cursor?
Open Security Intelligence Server on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Security Intelligence Server with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
