Connect your AI agent to live threat intelligence. This MCP server gives any MCP-compatible agent — Claude, Cursor, Copilot, or your own — direct access to the Threat Landscape database of STIX 2.1 intelligence bundles and actionable IOCs.
- A Threat Landscape API key (from your account at threatlandscape.io)
- An MCP-compatible AI client (Claude Desktop, Cursor, Windsurf, Continue, or any client that supports remote MCP servers)
No installation. No backend to run. The server is already deployed.
https://mcp.threatlandscape.io/mcp
Your Threat Landscape API key authenticates you to this server. It goes in the Authorization header of every MCP connection request — exactly as you would use it with the REST API directly.
Authorization: Bearer tl_your_api_key_here
Keep your key secret. Anyone with your key can query the API on your behalf and consume your rate limit quota.
Edit your Claude Desktop configuration file:
- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
Add the following under mcpServers:

```json
{
  "mcpServers": {
    "threat-landscape": {
      "type": "streamable-http",
      "url": "https://mcp.threatlandscape.io/mcp",
      "headers": {
        "Authorization": "Bearer tl_your_api_key_here"
      }
    }
  }
}
```

Restart Claude Desktop. You should see threat-landscape appear in the tools panel.
Open Settings → MCP and add a new server:
| Field | Value |
|---|---|
| Name | threat-landscape |
| Type | Streamable HTTP |
| URL | https://mcp.threatlandscape.io/mcp |
| Header | Authorization: Bearer tl_your_api_key_here |
In your config.json under mcpServers:

```json
{
  "mcpServers": [
    {
      "name": "threat-landscape",
      "transport": {
        "type": "streamable-http",
        "url": "https://mcp.threatlandscape.io/mcp",
        "requestInit": {
          "headers": {
            "Authorization": "Bearer tl_your_api_key_here"
          }
        }
      }
    }
  ]
}
```

Any MCP client that supports Streamable HTTP transport can connect. Configure:
- Transport: Streamable HTTP
- URL: https://mcp.threatlandscape.io/mcp
- Header: Authorization: Bearer tl_your_api_key_here
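For clients that are not one of the preconfigured ones, the following is an added example of what "connect with a Bearer header over Streamable HTTP" means on the wire. It is not the project's own client code and not an MCP SDK: it assumes the endpoint speaks standard MCP JSON-RPC 2.0 over HTTP POST (initialize, notifications/initialized, tools/call) and sends the key exactly as documented above, Authorization: Bearer <key>, on every request. The protocol version string and the client name are assumptions; tl_get_active_iocs in the usage stanza is a tool name from this page.

```python
"""Minimal Streamable HTTP client for the Threat Landscape MCP endpoint.

Added example; not the project's own client and not an MCP SDK. Assumes
standard MCP JSON-RPC 2.0 over HTTP POST and the documented header format
"Authorization: Bearer <key>" on every request.
"""
import json
import urllib.error
import urllib.request
from typing import Optional

MCP_URL = "https://mcp.threatlandscape.io/mcp"
PROTOCOL_VERSION = "2025-03-26"  # assumption: a protocol version the server accepts


def auth_headers(api_key: str, session_id: Optional[str] = None) -> dict:
    """Headers for every request: the key rides in Authorization each time,
    and the Mcp-Session-Id is echoed back once the server has issued one."""
    if not api_key:
        raise ValueError("empty API key; the server answers 401 before the MCP handshake")
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json, text/event-stream",
        "Authorization": f"Bearer {api_key}",
    }
    if session_id:
        headers["Mcp-Session-Id"] = session_id
    return headers


def jsonrpc(method: str, params: dict, req_id: Optional[int]) -> dict:
    """JSON-RPC 2.0 envelope; req_id=None makes it a notification (no reply expected)."""
    msg = {"jsonrpc": "2.0", "method": method, "params": params}
    if req_id is not None:
        msg["id"] = req_id
    return msg


def tool_call_request(name: str, arguments: dict, req_id: int) -> dict:
    return jsonrpc("tools/call", {"name": name, "arguments": arguments}, req_id)


def parse_response(body: str, content_type: str) -> dict:
    """A Streamable HTTP POST may be answered with plain JSON or with an SSE
    stream; in the SSE case the JSON-RPC reply is carried in a 'data:' event."""
    if not body.strip():
        return {}  # 202 Accepted for a notification has no body
    if content_type.startswith("text/event-stream"):
        events = [ln[5:].strip() for ln in body.splitlines() if ln.startswith("data:")]
        if not events:
            raise ValueError("SSE stream carried no data event")
        return json.loads(events[-1])
    return json.loads(body)


class TLClient:
    def __init__(self, api_key: str, url: str = MCP_URL):
        self.api_key, self.url = api_key, url
        self.session_id: Optional[str] = None
        self.next_id = 1

    def _post(self, message: dict) -> dict:
        req = urllib.request.Request(
            self.url, data=json.dumps(message).encode(),
            headers=auth_headers(self.api_key, self.session_id), method="POST")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                self.session_id = resp.headers.get("Mcp-Session-Id", self.session_id)
                return parse_response(resp.read().decode(), resp.headers.get("Content-Type", ""))
        except urllib.error.HTTPError as exc:
            if exc.code == 401:  # the troubleshooting case above: bad or missing key
                raise PermissionError("Unauthorized: check the API key and the Bearer format") from exc
            raise

    def _request(self, method: str, params: dict) -> dict:
        reply = self._post(jsonrpc(method, params, self.next_id))
        self.next_id += 1
        if "error" in reply:
            raise RuntimeError(f"{method}: {reply['error']}")
        return reply["result"]

    def connect(self) -> dict:
        info = self._request("initialize", {
            "protocolVersion": PROTOCOL_VERSION, "capabilities": {},
            "clientInfo": {"name": "tl-example-client", "version": "0.1"}})
        self._post(jsonrpc("notifications/initialized", {}, None))
        return info

    def call_tool(self, name: str, arguments: dict) -> dict:
        return self._request("tools/call", {"name": name, "arguments": arguments})


if __name__ == "__main__":
    import os
    client = TLClient(os.environ["TL_API_KEY"])  # key from the environment, never hard-coded
    print(client.connect().get("serverInfo"))
    print(client.call_tool("tl_get_active_iocs", {"ioc_type": "domain", "limit": 5}))
```

Keeping the key in an environment variable rather than in a committed config file is the practical form of "keep your key secret"; the 401 branch maps directly to the "Unauthorized" troubleshooting entry below.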
The server exposes 16 tools split across two APIs.
Full STIX 2.1 threat intelligence — bundles containing threat actors, malware families, campaigns, CVEs, attack patterns, victims, sectors, countries, and IOC arrays.
Flexible search across all intelligence bundles. Use this when you need a custom query that the workflow tools don't cover — filter by any combination of fields, date ranges, and array containment conditions.
Key parameters:
- filters — structured filter object (threat actors, malware, vulnerabilities, sectors, countries, date ranges, IOC values, and more)
- order — sort column and direction, e.g. stix_latest_at.desc
- limit — number of results (default 10, max 200)
- offset — for pagination
Example prompts:
- "Query darknet intelligence over the last 30 days involving targeting of the Finance sector"
- "Find all intelligence reports that extract the SHA-256 artifact abc123..."
Retrieve the complete STIX 2.1 bundle for a specific bundle_id. Returns the full object graph — every threat actor, malware, indicator, relationship, and report object.
When to use: After identifying a bundle via a search or workflow tool, use this to pull the full structured STIX payload for deep analysis or export.
Pivot on a threat actor name — returns all bundles mentioning that actor, ordered by most-recent activity first.
Parameters: actor_name (exact), limit
Example prompts:
- "Provide recent C2 and infrastructure IOCs associated with Lazarus Group"
- "Extract the last 3 months of intelligence regarding APT29 tactics"
- "Compile a threat dossier for Storm-2755 including recent CVE exploitation"
All intelligence bundles mentioning a specific malware family, with associated actors, campaigns, sectors, and IOCs.
Parameters: malware_name (exact), limit
Example prompts:
- "Which threat actors have deployed Cobalt Strike beacons in recent intrusions?"
- "Extract IOCs and staging tactics from recent BlackCat ransomware incidents"
Intelligence bundles referencing a specific CVE or vulnerability. Returns the full STIX bundle so you can see which actors are exploiting it, which sectors are targeted, and any associated IOCs.
Parameters: vulnerability (CVE ID or name), limit
Example prompts:
- "Which actors are actively exploiting CVE-2025-27152 in the wild?"
- "Identify post-exploitation activity linked to Log4Shell compromises"
Threat intelligence feed scoped to a specific industry sector. Optionally filter to a recent time window for current-threats briefings.
Parameters: sector, since (ISO 8601 date), limit
Example prompts:
- "Extract the top threats targeting the Healthcare sector over the last 60 days"
- "Identify actors and malware actively targeting the Energy sector"
- "Compile a threat landscape brief for Financial Services"
Bundles involving specific countries.
Parameters: countries (list), direction (target / source / both), limit
Example prompts:
- "Identify state-sponsored campaigns targeting critical infrastructure in Germany"
- "Extract intelligence on advanced persistent threats operating out of North Korea"
- "Analyze regional targeting across Germany, Austria, and Switzerland over the last 90 days"
The most recently published intelligence bundles — your situational awareness feed. Optionally filter to osint or darknet sources only.
Parameters: source_type (osint / darknet), limit
Example prompts:
- "Extract newly published threat intelligence for daily situational awareness"
- "Pull the 20 most recent extortion posts from darknet ransomware leak sites"
- "Summarize emerging threats and initial access vectors reported today"
Search threat intelligence natively via keyword across title, summary, and all extracted semantic arrays (threat actors, malware, campaigns, TTPs, vulnerabilities, victims, sectors, and countries).
Parameters: keyword, limit
Example prompts:
- "Search for mentions of 'NTDS.dit extraction' or credential dumping"
- "Are there any reports discussing 'golden SAML' forging?"
- "Find intelligence discussing 'Living off the Land' tactics"
Retrieve threat intelligence bundles that reference a specific MITRE ATT&CK TTP or attack pattern.
Parameters: ttp, limit
Example prompts:
- "Which threat actors actively use T1136.001 (Local Accounts) for persistence?"
- "Show me recent intelligence associated with T1078 (Valid Accounts)"
Retrieve threat intelligence bundles associated with a specific campaign. Pivots from a campaign name to related actors, malware, and IOCs.
Parameters: campaign, limit
Example prompts:
- "What network IOCs are tied to Operation Ghost?"
- "Show me intelligence updates regarding the 'Volt Typhoon' campaign"
Retrieve threat intelligence bundles targeting a specific victim organization or identity.
Parameters: victim, limit
Example prompts:
- "Has 'SolarWinds' been targeted or compromised in recent attacks?"
- "Show me intelligence discussing ransomware attacks on 'Change Healthcare'"
Lean indicator feeds for automated ingestion and real-time lookups. Each IOC is deduplicated by value — the same indicator is never stored twice.
Check whether a specific value is a known Threat Landscape IOC. Provide the ioc_type for a faster active-only lookup; omit it to search the full history including expired indicators.
Parameters: ioc_value, ioc_type (optional)
Example prompts:
- "Query the database for the C2 IP 198.51.100.42 to identify active campaigns"
- "Check if the domain evil.example.com is an active staging or exfiltration node"
- "Validate this suspicious SHA-256 hash against known malware payloads: e3b0c44..."
Fetch currently active IOCs — indicators where valid_until is in the future. Optionally filter to a specific type (ipv4, domain, url, hash_sha256, etc.). Use for bulk ingestion into SIEMs, EDRs, or blocklists.
Parameters: ioc_type (optional), limit, order
Example prompts:
- "Retrieve all active malicious domains for SIEM DNS sinkholing"
- "Export the current active IPv4 blocklist for firewall edge blocking"
Incremental sync using a seq_id watermark — designed for automated pipelines. Call with since_seq_id=0 for the initial full sync; save the returned next_since_seq_id and pass it on the next run to receive only new records.
Parameters: since_seq_id, limit
Use case: Automated nightly jobs, SIEM integration pipelines, blocklist refresh scripts.
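The watermark loop above, together with the valid_until filtering that the active-IOC feed implies, is easiest to get right when written down once. The following is an added example, not the project's own code: since_seq_id, limit and next_since_seq_id are the documented names, but the sync tool's name (SYNC_TOOL_NAME) and the per-record shape (value, ioc_type, valid_until, seq_id) are placeholders and assumptions, and FakeServer plus SAMPLE_RECORDS are constructed stand-ins so the pipeline runs offline. The call_tool argument is any callable that performs an MCP tools/call and returns the parsed result, so the same functions run unchanged against the live server.

```python
"""Nightly incremental IOC sync driven by the seq_id watermark.

Added example, not the project's own code. The tool name and record shape
are placeholders/assumptions; FakeServer and SAMPLE_RECORDS are constructed.
"""
import json
import os
from datetime import datetime, timezone

SYNC_TOOL_NAME = "tl_sync_tool_PLACEHOLDER"  # placeholder: the page does not give this tool's name
STATE_KEY = "next_since_seq_id"


def load_watermark(path: str) -> int:
    """Read the saved watermark; 0 triggers the initial full sync."""
    try:
        with open(path) as fh:
            return int(json.load(fh)[STATE_KEY])
    except (FileNotFoundError, KeyError, ValueError):
        return 0


def save_watermark(path: str, seq_id: int) -> None:
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({STATE_KEY: seq_id}, fh)
    os.replace(tmp, path)  # atomic rename: a crash never leaves a half-written watermark


def sync_iocs(call_tool, since_seq_id: int, limit: int = 500):
    """Page through the feed from the watermark until it is drained.
    Returns (new_records, next_since_seq_id)."""
    records = []
    while True:
        page = call_tool(SYNC_TOOL_NAME, {"since_seq_id": since_seq_id, "limit": limit})
        batch = page.get("records", [])  # assumption: the record list lives under "records"
        nxt = int(page["next_since_seq_id"])
        records.extend(batch)
        if not batch:
            return records, max(nxt, since_seq_id)
        if nxt <= since_seq_id:
            raise RuntimeError("watermark did not advance; refusing to loop forever")
        since_seq_id = nxt


def run_nightly(call_tool, state: dict, limit: int = 500):
    """One scheduled run: resume from state, fetch only new records, advance state."""
    records, nxt = sync_iocs(call_tool, int(state.get(STATE_KEY, 0)), limit)
    state[STATE_KEY] = nxt
    return records, nxt


def active_by_type(records, now_iso: str = None) -> dict:
    """Blocklist view: drop indicators whose valid_until has passed, dedupe by
    value, group by ioc_type (ipv4, domain, hash_sha256, ...)."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    out = {}
    for r in records:
        until = datetime.fromisoformat(r["valid_until"].replace("Z", "+00:00"))
        if until <= now:
            continue  # expired: must not land on a blocklist
        out.setdefault(r["ioc_type"], set()).add(r["value"])
    return {t: sorted(v) for t, v in out.items()}


class FakeServer:
    """Constructed stand-in for the sync tool: seq-ordered records, paged by limit."""
    def __init__(self, records):
        self.records = sorted(records, key=lambda r: r["seq_id"])

    def call_tool(self, name: str, args: dict) -> dict:
        assert name == SYNC_TOOL_NAME
        since, limit = args["since_seq_id"], args["limit"]
        batch = [r for r in self.records if r["seq_id"] > since][:limit]
        return {"records": batch, "next_since_seq_id": batch[-1]["seq_id"] if batch else since}


SAMPLE_RECORDS = [  # constructed sample data (documentation ranges, .example names); not real indicators
    {"seq_id": 1, "value": "203.0.113.7", "ioc_type": "ipv4", "valid_until": "2099-01-01T00:00:00Z"},
    {"seq_id": 2, "value": "bad.example", "ioc_type": "domain", "valid_until": "2099-01-01T00:00:00Z"},
    {"seq_id": 3, "value": "old.example", "ioc_type": "domain", "valid_until": "2020-01-01T00:00:00Z"},
    {"seq_id": 4, "value": "e3b0c442" + "0" * 56, "ioc_type": "hash_sha256", "valid_until": "2099-01-01T00:00:00Z"},
    {"seq_id": 5, "value": "198.51.100.42", "ioc_type": "ipv4", "valid_until": "2099-01-01T00:00:00Z"},
]


if __name__ == "__main__":
    server = FakeServer(SAMPLE_RECORDS)
    state_path = "tl_sync_state.json"
    state = {STATE_KEY: load_watermark(state_path)}
    new, nxt = run_nightly(server.call_tool, state, limit=2)
    save_watermark(state_path, nxt)  # persist only after the batch was fully received
    print(f"{len(new)} new records, watermark now {nxt}")
    print(json.dumps(active_by_type(new), indent=2))
```

The watermark is written only after a run completes, so an interrupted job simply re-fetches the same window next time; the small limit in the demo forces several pages so the loop's termination and advance checks are exercised.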
Retrieve the full STIX 2.1 indicator bundle for a specific IOC value — includes the STIX pattern, valid_from, valid_until, TLP markings, and the source_bundle_id that links back to the full intelligence bundle.
Parameters: ioc_value
Example prompts:
- "Retrieve the STIX pattern and TLP markings for the domain evil.example.com"
- "Pivot from this IPv4 indicator to trace its source report and threat context"
Below is a realistic multi-step threat intelligence workflow using the tools:

Prompt: "I need a threat brief on ransomware targeting US healthcare. Include any active IOCs and relevant CVEs."

- Agent calls tl_sector_threats with sector="Healthcare", since="2026-01-01T00:00:00Z"
- Agent calls tl_country_threats with countries=["United States"], direction="target"
- Agent correlates results, identifies top ransomware groups and CVEs from the metadata
- Agent calls tl_vulnerability_intel for the CVEs found
- Agent calls tl_get_active_iocs with ioc_type="domain" to pull current active indicators
- Agent composes a structured brief with actors, campaigns, CVEs, and a live IOC list
Rate limits are enforced by your Threat Landscape API subscription tier. The MCP server does not impose additional limits. If you hit a rate limit, the tool will return an actionable error message.
"Unauthorized" error when connecting → Check that your API key is correct and hasn't expired. The key must match the format Authorization: Bearer <key> exactly.
Tool returns no results → The query returned zero matching records — not an error. Try broadening filters (remove date constraints, check spelling of actor/malware names).
"Rate limited" error → You've exceeded your plan's request quota. Reduce frequency or contact support to upgrade.
Tools don't appear in my client → Some clients require a restart after adding a new MCP server. Ensure the Authorization header is configured correctly — the server returns 401 before the MCP handshake completes if the key is missing.
© Threat Landscape — threatlandscape.io. All rights reserved.