Skip to content

Hadobot/threatweaver

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ThreatWeaver

MCP-native agentic threat investigation server. Investigate IOCs across multiple threat intelligence sources, correlate findings to detect campaigns, and output STIX 2.1 bundles - all from within Claude.

NitroStack MCP TypeScript

Problem

Security analysts investigating indicators of compromise manually toggle between VirusTotal, AbuseIPDB, URLhaus, Shodan, and other tools. Each query is separate, context switches are frequent, and coordinated threat patterns - where multiple indicators share infrastructure or registrants - remain invisible because single-source analysis cannot detect campaigns spanning multiple IOCs.

Solution

ThreatWeaver is an MCP server that enables Claude to investigate indicators of compromise as a coherent workflow. It queries multiple threat intelligence sources in parallel, maintains investigation context across tool calls, correlates findings to detect threat campaigns, and outputs STIX 2.1 threat intelligence bundles for SOC tools.

The key insight: MCP's resource and prompt capabilities enable persistent, agentic investigation workflows that REST APIs cannot support.

Why MCP?

ThreatWeaver's value depends on three capabilities that REST APIs lack:

  1. Persistent investigation context - MCP Resources expose investigation state that Claude reads directly, enabling natural follow up questions ("Which of these IPs are in the same ASN?") without re-prompting
  2. Agentic reasoning - Claude reasons about multi source findings and decides what to investigate next without explicit prompting
  3. Correlated state - Correlation across investigation history requires persistent state that only MCP provides

A traditional REST API would require separate endpoints for each step and manual context management. MCP enables the investigation itself to be the interface.

Why NitroStack?

NitroStack provides the decorator based MCP primitives and dependency injection that make this architecture possible:

  • @Tool decorators for the five investigation tools
  • @Resource decorators for investigation context and threat feeds
  • @Prompt for guiding Claude's reasoning
  • @Injectable and module system for clean service separation
  • Validation via Zod schemas
  • Error handling infrastructure
  • Single command deployment to NitroCloud

Architecture

Claude Desktop                  ThreatWeaver MCP Server
      |                                    |
      +---> investigate_indicator -------> ThreatIntelClient
      |         (VT, AbuseIPDB,              |
      |          URLhaus, Shodan)       CacheManager
      |                                    |
      +---> suggest_next_steps --------> InvestigationService
      |                                    |
      +---> correlate_investigations ---> CorrelationEngine
      |                                    |
      +---> generate_report -----------> ReportGenerator
      |                                    |
      +---> Resources -----------------> InvestigationStore (SQLite)
                                           |
                                      Fallback Data (offline)

Core Features

  • Multi-source enrichment - Queries VirusTotal, AbuseIPDB, URLhaus, Shodan in parallel with automatic fallback on failure
  • Threat correlation - Detects campaigns by identifying shared ASNs, registrants, malware families, and geographic proximity across investigation history
  • STIX 2.1 output - Generates threat intelligence bundles consumable by Splunk, Elastic, Sentinel, and other SIEMs
  • Investigation graph - Interactive visualization of IOC relationships and verdict status
  • Batch investigation - Enrich multiple IOCs with progress streaming
  • Offline mode - Works without API keys using pre-loaded fallback datasets
  • Two-layer cache - In-memory LRU with configurable TTL backed by SQLite for persistence
  • Investigation persistence - SQLite stores all findings, correlation edges, and investigation context

Threat Correlation

This is ThreatWeaver's core differentiator. When you investigate multiple IOCs, the correlation engine compares every pair and detects shared attributes:

Relation Confidence Detection Method
IP hosts domain 1.0 Shodan hostname resolution
Shared ASN 0.90 Autonomous System Number match
Shared malware family 0.85 VirusTotal tag overlap
Same registrant/ISP 0.75 AbuseIPDB usage type match
Geographic proximity 0.60 Haversine distance < 100km

The engine uses BFS to find connected components. Groups of 3+ IOCs sharing multiple attributes are reported as coordination patterns - indicating likely coordinated threat campaigns that would be invisible in single-IOC analysis.

Repository Structure

threatweaver/
├── src/
│   ├── index.ts                          # Entry point
│   ├── app.module.ts                     # Root NitroStack module
│   ├── modules/
│   │   ├── investigation/                # MCP Tools, Resources, Prompts
│   │   ├── correlation/                  # Pattern detection engine
│   │   ├── threat-intel/                 # API adapters (VT, AbuseIPDB, etc.)
│   │   ├── output/                       # STIX and report generation
│   │   ├── storage/                      # SQLite and caching
│   │   ├── validation/                   # IOC validation (Zod)
│   │   ├── widget/                       # Graph visualization
│   │   └── config/                       # Configuration
│   ├── common/
│   │   ├── types/                        # Shared TypeScript interfaces
│   │   └── errors/                       # Custom error classes
│   └── widgets/                          # Next.js widget app
│       └── app/investigation-graph/      # vis-network graph component
├── data/
│   ├── fallback-feeds.json               # Cached threat intelligence (offline)
│   └── fallback-iocs.json                # Sample IOCs for offline mode
├── scripts/
│   ├── seed-db.ts                        # Database seeder
│   ├── generate-demo-data.ts             # Demo data generator
│   └── deploy.sh                         # NitroCloud deployment script
├── docs/
│   ├── API.md                            # MCP API reference
│   ├── ARCHITECTURE.md                   # Architecture deep-dive
│   ├── DEMO.md                           # Demo script
│   ├── EXTENSION_GUIDE.md                # Adding new threat feeds
│   ├── SECURITY.md                       # Security considerations
│   └── STIX_OUTPUT.md                    # STIX 2.1 format reference
├── package.json
├── tsconfig.json
├── vitest.config.ts
└── .env.example

Installation

git clone https://github.com/yourusername/threatweaver.git
cd threatweaver
npm install
npm run build

Configuration

Create a .env file from the example:

cp .env.example .env

API keys are optional. Without keys, ThreatWeaver operates using fallback datasets exposed through the threat://feeds resource.

# API Keys (optional - without keys, use fallback data)
VIRUSTOTAL_API_KEY=
ABUSEIPDB_API_KEY=
SHODAN_API_KEY=

# Cache
CACHE_TTL=3600
CACHE_MAX_SIZE=1000

# Rate Limits
VT_RATE_LIMIT_PER_MIN=600
ABUSEIPDB_RATE_LIMIT_PER_DAY=1000

# Database
DATABASE_PATH=./data/threatweaver.db

# Mode
OFFLINE_MODE=false
LOG_LEVEL=info

Running

# Development
npm run dev

# Production
npm run build
npm run start:prod

Claude Desktop Setup

Add to ~/.config/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "threatweaver": {
      "command": "node",
      "args": ["/absolute/path/to/threatweaver/dist/index.js"]
    }
  }
}

Restart Claude. ThreatWeaver tools appear automatically.

Example Investigation

You: "Investigate the IP 1.2.3.4"

Claude: [calls investigate_indicator]
1.2.3.4 - Threat score 92/100
- VirusTotal: 45 detections (emotet, banking-trojan, c2)
- AbuseIPDB: 95% abuse confidence, 150 reports
- Shodan: Ports 80, 443, 8443 | ASN AS48031 | Moscow, RU
- Verdict: Malicious

Claude: [calls suggest_next_steps]
Found 2 related IOCs:
- evil.com (same ASN AS48031)
- paypa1-secure.login.com (same ASN, shared phishing tags)

You: "Investigate those too"

Claude: [investigates both, then calls correlate_investigations]
Pattern detected: 3 IOCs share ASN AS48031 + malware tags
Confidence: 87%
Evidence: Coordinated phishing infrastructure

Claude: [calls generate_report with format: "stix"]
[Produces STIX 2.1 bundle with IOC objects, malware objects, and relationships]

MCP Primitives

Tools (5)

Tool Purpose
investigate_indicator Query VT, AbuseIPDB, URLhaus, Shodan for an IOC
suggest_next_steps Analyze context and recommend related IOCs
correlate_investigations Detect threat patterns across investigation history
generate_report Produce Markdown or STIX 2.1 output
batch_investigate Enrich multiple IOCs with progress streaming

Resources (2)

Resource URI Purpose
Investigation Context investigation://current Current investigation state, findings, correlation graph
Threat Feeds threat://feeds Pre-loaded fallback data for offline mode

Prompt (1)

Prompt Purpose
investigation_template Guides Claude through structured investigation workflow

Widget (1)

Widget Purpose
investigation_graph Interactive vis-network graph of IOC relationships, color-coded by verdict

Tech Stack

  • Framework - NitroStack (MCP server framework)
  • Language - TypeScript 5.3+ (strict mode)
  • Runtime - Node.js 18+
  • Database - SQLite 3 (WAL mode, foreign keys)
  • Validation - Zod
  • HTTP - Axios
  • Widget - Next.js 14 + vis-network + React 18
  • Build - NitroStack CLI

Third-Party APIs

API Purpose Free Tier
VirusTotal Hash/URL/IP reputation 600 req/min
AbuseIPDB IP reputation + abuse reports 1,000 req/day
URLhaus Malicious URL database Unlimited
Shodan Port/service enumeration 1 req/month (lite)

Deployment

NitroCloud

npm run deploy

The deployment script runs pre-flight checks, tests, type checking, and builds before deploying.

Local Production

npm run build
npm run start:prod

Environment Variables for Deployment

Set on NitroCloud Dashboard:

  • VIRUSTOTAL_API_KEY - for live VirusTotal queries
  • ABUSEIPDB_API_KEY - for live AbuseIPDB queries
  • DATABASE_PATH - use persistent volume path
  • OFFLINE_MODE - set to false for production

Future Improvements

  • Automated test suite (unit, integration, e2e)
  • Proactive rate limiting with request queuing
  • Offline mode with full fallback enrichment
  • MITRE ATT&CK automatic technique mapping from VT tags
  • File-based JSON logging
  • Sigma detection rule generation
  • Additional adapters (Censys, SecurityTrails)
  • CSV and PDF export formats
  • Redis caching for distributed deployments

Acknowledgements

Built for Amrita University MCP Hackathon 2026.

About

MCP-native threat investigation server built with NitroStack

Resources

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors