MCP-native agentic threat investigation server. Investigate IOCs across multiple threat intelligence sources, correlate findings to detect campaigns, and output STIX 2.1 bundles - all from within Claude.
Security analysts investigating indicators of compromise manually toggle between VirusTotal, AbuseIPDB, URLhaus, Shodan, and other tools. Each query is separate, context switches are frequent, and coordinated threat patterns - where multiple indicators share infrastructure or registrants - remain invisible because single-source analysis cannot detect campaigns spanning multiple IOCs.
ThreatWeaver is an MCP server that enables Claude to investigate indicators of compromise as a coherent workflow. It queries multiple threat intelligence sources in parallel, maintains investigation context across tool calls, correlates findings to detect threat campaigns, and outputs STIX 2.1 threat intelligence bundles for SOC tools.
The key insight: MCP's resource and prompt capabilities enable persistent, agentic investigation workflows that REST APIs cannot support.
ThreatWeaver's value depends on three capabilities that REST APIs lack:
- Persistent investigation context - MCP Resources expose investigation state that Claude reads directly, enabling natural follow up questions ("Which of these IPs are in the same ASN?") without re-prompting
- Agentic reasoning - Claude reasons about multi source findings and decides what to investigate next without explicit prompting
- Correlated state - Correlation across investigation history requires persistent state that only MCP provides
A traditional REST API would require separate endpoints for each step and manual context management. MCP enables the investigation itself to be the interface.
NitroStack provides the decorator based MCP primitives and dependency injection that make this architecture possible:
@Tooldecorators for the five investigation tools@Resourcedecorators for investigation context and threat feeds@Promptfor guiding Claude's reasoning@Injectableand module system for clean service separation- Validation via Zod schemas
- Error handling infrastructure
- Single command deployment to NitroCloud
Claude Desktop ThreatWeaver MCP Server
| |
+---> investigate_indicator -------> ThreatIntelClient
| (VT, AbuseIPDB, |
| URLhaus, Shodan) CacheManager
| |
+---> suggest_next_steps --------> InvestigationService
| |
+---> correlate_investigations ---> CorrelationEngine
| |
+---> generate_report -----------> ReportGenerator
| |
+---> Resources -----------------> InvestigationStore (SQLite)
|
Fallback Data (offline)
- Multi-source enrichment - Queries VirusTotal, AbuseIPDB, URLhaus, Shodan in parallel with automatic fallback on failure
- Threat correlation - Detects campaigns by identifying shared ASNs, registrants, malware families, and geographic proximity across investigation history
- STIX 2.1 output - Generates threat intelligence bundles consumable by Splunk, Elastic, Sentinel, and other SIEMs
- Investigation graph - Interactive visualization of IOC relationships and verdict status
- Batch investigation - Enrich multiple IOCs with progress streaming
- Offline mode - Works without API keys using pre-loaded fallback datasets
- Two-layer cache - In-memory LRU with configurable TTL backed by SQLite for persistence
- Investigation persistence - SQLite stores all findings, correlation edges, and investigation context
This is ThreatWeaver's core differentiator. When you investigate multiple IOCs, the correlation engine compares every pair and detects shared attributes:
| Relation | Confidence | Detection Method |
|---|---|---|
| IP hosts domain | 1.0 | Shodan hostname resolution |
| Shared ASN | 0.90 | Autonomous System Number match |
| Shared malware family | 0.85 | VirusTotal tag overlap |
| Same registrant/ISP | 0.75 | AbuseIPDB usage type match |
| Geographic proximity | 0.60 | Haversine distance < 100km |
The engine uses BFS to find connected components. Groups of 3+ IOCs sharing multiple attributes are reported as coordination patterns - indicating likely coordinated threat campaigns that would be invisible in single-IOC analysis.
threatweaver/
├── src/
│ ├── index.ts # Entry point
│ ├── app.module.ts # Root NitroStack module
│ ├── modules/
│ │ ├── investigation/ # MCP Tools, Resources, Prompts
│ │ ├── correlation/ # Pattern detection engine
│ │ ├── threat-intel/ # API adapters (VT, AbuseIPDB, etc.)
│ │ ├── output/ # STIX and report generation
│ │ ├── storage/ # SQLite and caching
│ │ ├── validation/ # IOC validation (Zod)
│ │ ├── widget/ # Graph visualization
│ │ └── config/ # Configuration
│ ├── common/
│ │ ├── types/ # Shared TypeScript interfaces
│ │ └── errors/ # Custom error classes
│ └── widgets/ # Next.js widget app
│ └── app/investigation-graph/ # vis-network graph component
├── data/
│ ├── fallback-feeds.json # Cached threat intelligence (offline)
│ └── fallback-iocs.json # Sample IOCs for offline mode
├── scripts/
│ ├── seed-db.ts # Database seeder
│ ├── generate-demo-data.ts # Demo data generator
│ └── deploy.sh # NitroCloud deployment script
├── docs/
│ ├── API.md # MCP API reference
│ ├── ARCHITECTURE.md # Architecture deep-dive
│ ├── DEMO.md # Demo script
│ ├── EXTENSION_GUIDE.md # Adding new threat feeds
│ ├── SECURITY.md # Security considerations
│ └── STIX_OUTPUT.md # STIX 2.1 format reference
├── package.json
├── tsconfig.json
├── vitest.config.ts
└── .env.example
git clone https://github.com/yourusername/threatweaver.git
cd threatweaver
npm install
npm run buildCreate a .env file from the example:
cp .env.example .envAPI keys are optional. Without keys, ThreatWeaver operates using fallback datasets exposed through the threat://feeds resource.
# API Keys (optional - without keys, use fallback data)
VIRUSTOTAL_API_KEY=
ABUSEIPDB_API_KEY=
SHODAN_API_KEY=
# Cache
CACHE_TTL=3600
CACHE_MAX_SIZE=1000
# Rate Limits
VT_RATE_LIMIT_PER_MIN=600
ABUSEIPDB_RATE_LIMIT_PER_DAY=1000
# Database
DATABASE_PATH=./data/threatweaver.db
# Mode
OFFLINE_MODE=false
LOG_LEVEL=info# Development
npm run dev
# Production
npm run build
npm run start:prodAdd to ~/.config/Claude/claude_desktop_config.json:
{
"mcpServers": {
"threatweaver": {
"command": "node",
"args": ["/absolute/path/to/threatweaver/dist/index.js"]
}
}
}Restart Claude. ThreatWeaver tools appear automatically.
You: "Investigate the IP 1.2.3.4"
Claude: [calls investigate_indicator]
1.2.3.4 - Threat score 92/100
- VirusTotal: 45 detections (emotet, banking-trojan, c2)
- AbuseIPDB: 95% abuse confidence, 150 reports
- Shodan: Ports 80, 443, 8443 | ASN AS48031 | Moscow, RU
- Verdict: Malicious
Claude: [calls suggest_next_steps]
Found 2 related IOCs:
- evil.com (same ASN AS48031)
- paypa1-secure.login.com (same ASN, shared phishing tags)
You: "Investigate those too"
Claude: [investigates both, then calls correlate_investigations]
Pattern detected: 3 IOCs share ASN AS48031 + malware tags
Confidence: 87%
Evidence: Coordinated phishing infrastructure
Claude: [calls generate_report with format: "stix"]
[Produces STIX 2.1 bundle with IOC objects, malware objects, and relationships]
| Tool | Purpose |
|---|---|
investigate_indicator |
Query VT, AbuseIPDB, URLhaus, Shodan for an IOC |
suggest_next_steps |
Analyze context and recommend related IOCs |
correlate_investigations |
Detect threat patterns across investigation history |
generate_report |
Produce Markdown or STIX 2.1 output |
batch_investigate |
Enrich multiple IOCs with progress streaming |
| Resource | URI | Purpose |
|---|---|---|
| Investigation Context | investigation://current |
Current investigation state, findings, correlation graph |
| Threat Feeds | threat://feeds |
Pre-loaded fallback data for offline mode |
| Prompt | Purpose |
|---|---|
investigation_template |
Guides Claude through structured investigation workflow |
| Widget | Purpose |
|---|---|
investigation_graph |
Interactive vis-network graph of IOC relationships, color-coded by verdict |
- Framework - NitroStack (MCP server framework)
- Language - TypeScript 5.3+ (strict mode)
- Runtime - Node.js 18+
- Database - SQLite 3 (WAL mode, foreign keys)
- Validation - Zod
- HTTP - Axios
- Widget - Next.js 14 + vis-network + React 18
- Build - NitroStack CLI
| API | Purpose | Free Tier |
|---|---|---|
| VirusTotal | Hash/URL/IP reputation | 600 req/min |
| AbuseIPDB | IP reputation + abuse reports | 1,000 req/day |
| URLhaus | Malicious URL database | Unlimited |
| Shodan | Port/service enumeration | 1 req/month (lite) |
npm run deployThe deployment script runs pre-flight checks, tests, type checking, and builds before deploying.
npm run build
npm run start:prodSet on NitroCloud Dashboard:
VIRUSTOTAL_API_KEY- for live VirusTotal queriesABUSEIPDB_API_KEY- for live AbuseIPDB queriesDATABASE_PATH- use persistent volume pathOFFLINE_MODE- set tofalsefor production
- Automated test suite (unit, integration, e2e)
- Proactive rate limiting with request queuing
- Offline mode with full fallback enrichment
- MITRE ATT&CK automatic technique mapping from VT tags
- File-based JSON logging
- Sigma detection rule generation
- Additional adapters (Censys, SecurityTrails)
- CSV and PDF export formats
- Redis caching for distributed deployments
Built for Amrita University MCP Hackathon 2026.
- NitroStack - MCP server framework
- Model Context Protocol - The standard
- MITRE ATT&CK - Threat tactics reference
- Threat intelligence providers - VirusTotal, AbuseIPDB, URLhaus, Shodan