MCP Server

Secure AI for Threat Intelligence

Introducing Our MCP Server

The strongest defense against modern cyber threats is the ability to act on reliable intelligence in real time. Large language models (LLMs) have made it easier to query and interpret data using natural language, but their knowledge is static, and their responses are only as accurate as the information they were trained on.

That’s where the Model Context Protocol (MCP) comes in. MCP is an open standard that allows AI-enabled tools and systems to securely access live, external data. The Malware Patrol MCP Server connects your LLM or AI workflows directly to current, curated threat intelligence, delivering the precision and speed that general-purpose GPT models can’t match. The MCP standard allows for seamless integration between our threat data and your favorite LLM via natural language queries, without the need for custom APIs or complex tooling.

Built on nearly two decades of threat intelligence experience and a continuously updated, expert-verified dataset, our MCP Server is backed by a purpose-trained language model built specifically for cybersecurity. It provides focused, trustworthy insights on threat actors, associated IOCs, MITRE ATT&CK TTPs, and CVEs. This model has been trained on a curated set of articles, reports, and analysis from across the cybersecurity industry, including:

  • Malware analysis writeups
  • Threat actor profiles
  • Campaign tracking reports
  • CVE breakdowns
  • Post-incident investigations
  • Defensive strategy guides

From these sources, our platform extracts and organizes details and indicators of compromise (IOCs) such as:

  • IP addresses
  • File hashes
  • Email addresses used in campaigns
  • CVEs exploited
  • Cryptocurrency addresses

This information is stored and made queryable directly through the MCP interface, allowing users to interact with it naturally through the LLM. This is not a public GPT model; it’s a cybersecurity-focused LLM with structured access to current and relevant indicators grounded in authoritative industry sources. 

By connecting through the Malware Patrol MCP Server, analysts, SOC teams, and other AI-enabled systems can securely query complete profiles of 200+ threat actors, including:

  • Aliases, motivations, techniques, tools/software, timelines, and targeted regions & industries
  • Associated IOCs
  • MITRE ATT&CK TTPs
  • CVEs correlated with CWE, CAPEC, D3FEND, and MITRE ATT&CK

Our MCP Server gives you real-time, secure, and specialized intelligence to bridge the gap between AI capability and trusted data. (And there’s more to come as we develop connections with our threat data feeds and integrations with other tools!)

What You Can Ask: Real-World Use Cases and Queries

Below are examples of the types of queries supported by our MCP Server, organized by role and use case. SOCs can use these to accelerate investigations, correlate indicators, and surface connections that might otherwise take hours to uncover. The same data can also be used to generate threat actor profiles, summaries, and reports suitable for management and board-level briefings. All intelligence served through the MCP is curated and continuously updated by our team to ensure accuracy, relevance, and consistency across use cases.

SOC Analysts and Threat Researchers

Use the MCP Server to accelerate investigations and enrich ongoing monitoring with up-to-date threat context.

  • What is the profile or summary of APT29, including aliases, tactics, and timeline?
  • List all known IPs and hashes related to APT41 and OceanLotus.
  • Which actors use Cobalt Strike and target government institutions?
  • Get the latest IOCs associated with APT41.
  • Which threat actors are known to be currently active?

Threat Hunting and Attribution

Correlate campaigns, shared infrastructure, and overlapping tools to uncover links between threat actors.

  • Which TTPs are shared by Turla and Cozy Bear?
  • Has APT33 ever used the same malware as APT34?
  • Are Bronze Butler and APT10 the same threat actor?
  • Are there any infrastructure overlaps between Wizard Spider and APT29?
  • Considering APT15 and APT35, what CVEs do they use in common?
  • Provide CWE, CAPEC and D3FEND information on CVE-2025-23366.

CISOs and Report Authors

Generate executive-level summaries and track trends across campaigns and threat actor activity.

  • Who are the most active threat actors at the moment?
  • Summarize campaigns tied to UNC2452 and APT29.
  • What sectors are most frequently targeted by FIN7?
  • Show all significant changes in behavior for the Lazarus Group over time.

Incident Responders

Quickly attribute activity and validate indicators during investigations and containment.

  • Which actor is associated with the hash ab09f6a249ca88d1a036eee7a02cdd16?
  • Are these IPs linked to any known threat activity: 139.59.60.116, 172.105.114.27?
  • Are there crypto addresses related to Lazarus Group?
  • What threat actors are known to use the crypto address 1HvEZ1jZ7BWgBYPxqCvWtKja3a9hsNa9Eh?
  • What are mitigation strategies for T1134.001?

Malware and Detection Analysts

Identify malware families, tools, and TTPs associated with known adversaries for better detection engineering.

  • What malware family is associated with MuddyWater?
  • Show email addresses linked to APT41.
  • Please provide information on the MITRE ATT&CK technique T1111.
  • What threat actors are known to exploit CVE-2025-7775?
  • Retrieve file hashes related to Gamaredon Group.
  • What are defense strategies for T1102?

Geopolitical and Strategic Intelligence Teams

Assess actor motivations, targeting, and alignment with regional or global developments.

  • What regions are targeted by TA505?
  • Where is Charming Kitten based, and what are its motivations?
  • Has Scattered Spider shifted its target geography recently?
  • Which threat actors have information theft as their motivation?
  • What is the timeline of known activities for Nobelium?

Exactly How Does It Work?

The Malware Patrol MCP Server acts as a bridge between our threat actor intelligence and your AI-powered tools. All you have to do is configure your AI agent or tool to access our MCP endpoint using the API key provided. From that point on, your LLM securely contacts our MCP server whenever it requires information we have available. The integration is seamless for users, and the responses from your tools become significantly more accurate, timely, and relevant.

Under the hood, the MCP Server uses structured schemas to format data exchanges between the LLM and our intelligence sources, ensuring consistent, machine-readable output. Each request is authenticated through an API key, and all communications are encrypted end to end. Because the MCP standard supports session-based context sharing, queries can evolve, allowing the LLM to refine or expand on previous responses without losing continuity.

We host the MCP Server within our own infrastructure, eliminating the need for local installation or maintenance on your side. This design ensures speed, uptime, and strict control over data integrity and access. It’s more than just a query endpoint; it’s an intelligence layer optimized for interoperability, precision, and performance.

Built for Security Teams and Developers

Whether you’re an analyst in a SOC or a developer building AI workflows, the MCP Server makes integration simple and secure:

  • SOC Teams can plug it into chatops tools, analyst consoles, or no-code platforms to ask real-time intelligence questions.
  • Threat Intel Teams can use it to automate enrichment, cross-actor analysis, and campaign mapping through scripts or internal dashboards.
  • Developers and AI Engineers can integrate it as an LLM context source, enabling agents to dynamically fetch and inject relevant data during multi-step reasoning.

Compatible with Your Security Stack

It works seamlessly with:

  • SIEMs: Enrich alerts and correlate IOCs within Splunk, QRadar, and Microsoft Sentinel.
  • SOAR Platforms: Automate incident triage and response via integrations with Cortex XSOAR, IBM Resilient, and others.
  • Threat Intelligence Platforms: Add contextual search and natural language access to MISP, ThreatConnect, or custom TIPs.
  • LLM Agents: Serve as a live context engine for LangChain, Dust, semantic pipelines, or Claude’s AutoMCP workflows.

Video Guide: Connecting and Running Your First Query

This short video demonstrates how to connect to our MCP Server using the API key provided by Malware Patrol. The example uses Witsy, a lightweight interface that lets you interact with models and MCP tools without additional setup. Witsy is one of several available MCP-compatible clients, sometimes referred to as model interfaces or AI connectors, that can be used to run queries, test integrations, or explore results. You can use any tool that supports the MCP protocol in a similar way; many open-source and commercial options are available depending on your workflow and environment.

Join the MCP Server Beta

Empower your AI with real-time, actionable threat intelligence. Our MCP Server transforms how your teams investigate, report, and act on cyber threats to reduce time-to-insight and eliminate tool sprawl.

Unlike generic solutions, this offering is built, supported, and maintained by the Malware Patrol team, a vetted and trusted provider with deep expertise in cyber threat intelligence. That means you gain a strategic partner committed to keeping the LLM sharp, relevant, and secure.

Interested? Enroll in our beta today!

Frequently Asked Questions (FAQ)

Do I need to install the MCP on my computer?

No, Malware Patrol’s MCP server runs remotely on our infrastructure. All you need to do is point your AI-enabled tool to our MCP server address.

Why a remote MCP server?

Remote MCP servers are a more secure and easier way to use MCP. All you need to do is copy and paste the server URL; it is not necessary to install any NPM packages. Remote MCP servers are the only ones that can be used with web-based clients.

Why isn’t my LLM using your MCP?

This is a common issue because the LLM ‘decides’ whether or not to call on an MCP to gather information. We can, however, remind the LLM to do so. Simply append the following text to your question: “Use external tools.” 

Note: Not all tools show “MCP command” when they are connecting to a remote server. Check your specific client for details about how to determine what is being used to answer your query.   

For a detailed and technical troubleshooting guide, this article discusses the discrepancies that can occur when an LLM doesn’t properly interpret or prioritize external data sources such as MCP outputs. It outlines several steps you can take to troubleshoot, including verifying your tool’s configuration, checking model context limits, and ensuring your MCP data connection is correctly initialized.

If you’ve followed these steps and still think the LLM is not using the MCP server, we’d like to hear from you.

What should I do if I think information returned by my AI-enabled tool + your MCP isn’t accurate?

Please contact our support team with the following information so we can determine whether the issue originates in your setup or on our server side:

  • The name and version of your AI-enabled tool
  • The name and version of the LLM you’re using
  • The complete query, including both question and answer
  • A note describing what you believe isn’t accurate

Our team will review the details to help identify and resolve the problem.
