A threat intelligence MCP server that gives AI security agents real-time access to security news, CVE vulnerability data, and indicators of compromise (IOCs).
Argus ingests from public threat feeds via automated crons and exposes the data through 10 structured MCP tools backed by a PostgreSQL + pgvector database with semantic search.
| Tier | Source | Data |
|---|---|---|
| News | BleepingComputer, Krebs on Security, CISA | Security articles, breach reports, advisories |
| CVEs | NIST NVD, CISA KEV, OSV.dev | Vulnerability records with severity and exploit status |
| IOCs | AlienVault OTX | IPs, domains, file hashes, URLs — with campaign context |
All three tiers support semantic search via Gemini embeddings stored as vector(768) columns in PostgreSQL.
- Node.js 20+
- PostgreSQL 16+ with pgvector extension
- PM2 — `npm install -g pm2`
- Google Gemini API key — get one here
- AlienVault OTX API key — free account
- NIST NVD API key — optional, but raises rate limits (register here)
- GitHub classic PAT with `repo` scope — for OSV dependency scanning of private repos
```bash
npm install
cp .env.example .env
# Edit .env and fill in all required values
```

See docs/ARCHITECTURE.md §8 for the full variable reference.

```bash
cp config/repos.example.json config/repos.json
# Edit config/repos.json with your repos and dependency manifest paths
```

```bash
# Requires a PostgreSQL superuser connection string
ARGUS_DB_ADMIN_URL="postgresql://postgres:password@localhost:5432/postgres" \
bash scripts/provision-db.sh
```

```bash
npm run build
pm2 start ecosystem.config.js
pm2 save      # persist process list across reboots
pm2 startup   # follow the printed command to enable boot persistence
```

```bash
curl -H "Authorization: Bearer <your-token>" http://localhost:3006/health
# → {"status":"ok","service":"argus-mcp","version":"1.0.0"}
pm2 status    # all 7 processes should show online or stopped (crons)
```

All tools are available at `POST /mcp` via the MCP StreamableHTTP protocol. Every request requires a Bearer token.
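As an added example (not code from the Argus project), the following Node.js 20 client shows what a call to `POST /mcp` looks like from the agent side: the JSON-RPC 2.0 `tools/call` envelope, the Bearer header, and parsing of the two response encodings a StreamableHTTP server may use (plain JSON or an SSE stream), with JSON-RPC and tool-level errors surfaced instead of being handed to the agent as data. The URL, port and token name come from the README; that the server accepts a direct `tools/call` without a prior MCP `initialize` handshake, and the argument name `id` for `check_cve`, are assumptions (docs/ARCHITECTURE.md §4 has the real parameter names). The SSE body at the bottom is a constructed sample so the parsing path runs offline.

```javascript
// Added example, not part of the Argus project: a minimal client for the
// POST /mcp endpoint. Assumptions: the server answers a direct tools/call
// without an MCP initialize handshake, and check_cve takes an `id` argument.
const ARGUS_URL = process.env.ARGUS_MCP_URL ?? 'http://localhost:3006/mcp';
const TOKEN = process.env.ARGUS_MCP_AUTH_TOKEN ?? '<your-token>';

// JSON-RPC 2.0 "tools/call" envelope as the MCP spec defines it.
function buildToolCall(name, args, id = 1) {
  return { jsonrpc: '2.0', id, method: 'tools/call', params: { name, arguments: args } };
}

// A StreamableHTTP server may answer a POST with a plain JSON body or with an
// SSE stream (text/event-stream). Normalise both to the JSON-RPC messages inside.
function parseMcpBody(contentType, bodyText) {
  const type = contentType.split(';')[0].trim().toLowerCase();
  if (type === 'application/json') {
    const parsed = JSON.parse(bodyText);
    return Array.isArray(parsed) ? parsed : [parsed];
  }
  if (type === 'text/event-stream') {
    const messages = [];
    // SSE events are separated by a blank line; each may carry several data: lines.
    for (const event of bodyText.split(/\r?\n\r?\n/)) {
      const data = event
        .split(/\r?\n/)
        .filter((line) => line.startsWith('data:'))
        .map((line) => line.slice(5).trimStart())
        .join('\n');
      if (data) messages.push(JSON.parse(data));
    }
    return messages;
  }
  throw new Error(`unexpected content-type: ${contentType}`);
}

// Find the reply to request `id`; raise JSON-RPC errors and MCP tool errors
// (result.isError) rather than letting an agent treat them as threat data.
function extractToolResult(messages, id) {
  const reply = messages.find((m) => m.id === id);
  if (!reply) throw new Error(`no response for request ${id}`);
  if (reply.error) throw new Error(`rpc error ${reply.error.code}: ${reply.error.message}`);
  if (reply.result?.isError) throw new Error(`tool error: ${JSON.stringify(reply.result.content)}`);
  return reply.result;
}

// Live call against a running Argus instance (needs network and a valid token).
async function callTool(name, args, id = 1) {
  const res = await fetch(ARGUS_URL, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${TOKEN}`,
      'Content-Type': 'application/json',
      Accept: 'application/json, text/event-stream',
    },
    body: JSON.stringify(buildToolCall(name, args, id)),
  });
  if (res.status === 401) throw new Error('401 from Argus: check ARGUS_MCP_AUTH_TOKEN');
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  const messages = parseMcpBody(res.headers.get('content-type') ?? '', await res.text());
  return extractToolResult(messages, id);
}

// Constructed sample of an SSE-framed reply to check_cve, so the parsing path
// can be exercised offline. The content is illustrative, not real NVD data.
const SAMPLE_SSE_BODY =
  'event: message\n' +
  'data: {"jsonrpc":"2.0","id":7,"result":{"content":[{"type":"text",' +
  '"text":"CVE-2024-29041: sample record"}],"isError":false}}\n\n';

function parseSampleResponse() {
  return extractToolResult(parseMcpBody('text/event-stream', SAMPLE_SSE_BODY), 7);
}
```

With `ARGUS_MCP_AUTH_TOKEN` exported, `callTool('check_cve', { id: 'CVE-2024-29041' }).then(console.log)` from a Node 20 REPL exercises the live path; `parseSampleResponse()` exercises the SSE parser without a server. The `Accept` header lists both encodings because the StreamableHTTP transport lets the server pick either.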
| Tool | Description |
|---|---|
| `query_threat_news` | Semantic search over ingested security articles |
| `get_news_digest` | Summarized digest of recent security news |
| `query_cves` | Semantic search over CVE records with severity/exploit filters |
| `check_cve` | Direct lookup of a CVE by ID (e.g. CVE-2024-29041) |
| `scan_dependencies` | Check a dependency manifest snippet for known CVEs |
| `get_stack_exposure` | CVEs flagged as affecting your configured repos |
| `lookup_ioc` | Look up an IP, domain, hash, or URL against the IOC database |
| `get_active_campaigns` | IOC clusters grouped by threat actor / campaign |
| `get_security_brief` | Daily brief combining all three tiers |
| `get_threat_context` | Cross-tier semantic search around a single topic |
Full parameter reference: docs/ARCHITECTURE.md §4
Six crons keep the database current. All are managed by PM2.
| Cron | Schedule | Source |
|---|---|---|
| `cron-nvd-delta` | Daily 02:00 | NIST NVD API v2 — CVEs modified in last 24h |
| `cron-kev-sync` | Daily 04:00 | CISA KEV catalog — marks exploited CVEs |
| `cron-osv-scan` | Daily 05:00 | OSV.dev — tags CVEs affecting your repos |
| `cron-news-rss` | Daily 06:00 | BleepingComputer, Krebs, CISA RSS feeds |
| `cron-otx-pulses` | Every 6h | AlienVault OTX — IOCs from subscribed pulses |
| `cron-ioc-cleanup` | Weekly Sun 03:00 | Deletes expired IOCs (90-day TTL) |
All endpoints require a Bearer token:

```
Authorization: Bearer <ARGUS_MCP_AUTH_TOKEN>
```

Generate a token: `openssl rand -hex 32`

Set it in `.env` as `ARGUS_MCP_AUTH_TOKEN`. When rotating, update your MCP client config and restart PM2.
Full architecture, data model, embedding service details, and ADRs: docs/ARCHITECTURE.md
See SECURITY.md for the vulnerability disclosure policy.
MIT — Copyright (c) 2026 Input Output Labs