MCP Servers for Cybersecurity

MCP Servers for Cybersecurity: Smarter, Safer, and Ready to Work

The adoption of AI in cybersecurity is accelerating, but both integration and security remain challenges.

While large language models (LLMs) are great at understanding language, they don’t easily connect to structured threat data or existing tools. Prompting alone isn’t enough to make AI useful in the SOC.

That’s where MCP servers come in.

What Is an MCP Server?

MCP stands for Model Context Protocol. It’s an open standard that allows LLMs to interface with tools, APIs, and data sources in a secure, structured way. An MCP server acts as a bridge between a language model and the tools it needs to work with, such as a SIEM, threat intelligence platform, malware sandbox, or internal detection engine.

Instead of encoding instructions into long prompts, an LLM connected to an MCP server can:

  • Discover available tools and documentation
  • Select and call the right tool
  • Pass inputs and receive outputs in structured formats
  • Chain multiple actions for more complex workflows

It effectively gives LLMs real operational capabilities in the cybersecurity space.

How MCP Servers Work

At its core, an MCP server exposes tools in a standardized JSON format. Each tool has metadata, documentation, and security controls. The LLM can inspect available tools and choose which to call based on the user query and system context.

Example:

  1. A user asks, “Find indicators tied to APT29 in the last 90 days.”
  2. The model calls a threat intelligence search function through MCP.
  3. The tool returns matching IOCs from a database.
  4. The LLM interprets and summarizes the results.

The server handles routing, context tracking, and access controls, so the model only works within approved boundaries.

Why MCP Servers Matter in Cybersecurity

For LLMs to be useful in cybersecurity, they must interact with:

  • Threat intelligence platforms
  • Malware analysis tools
  • SIEMs and XDRs
  • Incident response workflows
  • Case management and alerting systems

Public models like ChatGPT or Copilot don’t offer secure access to any of these. MCP servers fill that gap by allowing LLMs to operate inside controlled environments with full traceability.

Real Use Cases for MCP in Security

Security teams are already exploring how MCP servers can:

  • Generate threat actor profiles from live data
  • Run malware samples in sandboxes and summarize behavior
  • Enrich alerts with correlated IOCs
  • Automate triage and investigation flows
  • Generate or validate YARA and Sigma rules

Projects and Tools Using MCP in Cybersecurity

Here are some MCP-related projects and offers currently available in the industry:

Secure-by-Design: What to Look For

As with any tool in cybersecurity, MCP servers should be built securely:

  • Role-based access control
  • Tool-specific authorization
  • Logging and auditing of all calls
  • Input validation
  • Session-aware context isolation
  • Support for on-prem or air-gapped deployment
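
The sketch below shows how role-based access, tool-specific authorization, input validation and call logging fit around a single tool call. It is an added example, not code from any MCP server or from Malware Patrol; the tool name `search_threat_intel`, the roles, the argument limits and the `-32001` error code are assumptions, while the request and result shapes follow MCP's JSON-RPC `tools/call` method.

```python
import re
import time

ACTOR_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")

def validate_search_args(args):
    """Input validation: exact key set, strict types, bounded ranges."""
    if not isinstance(args, dict) or set(args) != {"actor", "days"}:
        raise ValueError("expected exactly: actor, days")
    if not isinstance(args["actor"], str) or not ACTOR_RE.match(args["actor"]):
        raise ValueError("actor must be 1-64 letters, digits, space, _ or -")
    if type(args["days"]) is not int or not 1 <= args["days"] <= 365:
        raise ValueError("days must be an integer from 1 to 365")
    return {"actor": args["actor"], "days": args["days"]}

# Tool-specific authorization: each tool lists the roles allowed to call it.
# Tool name and roles are hypothetical.
TOOLS = {
    "search_threat_intel": {"roles": {"analyst", "hunter"},
                            "validate": validate_search_args},
}

AUDIT_LOG = []  # stand-in for an append-only audit sink (file, SIEM, ...)

def audit(session, tool, decision, detail=""):
    """Record every call, allowed or not, with who made it and why it ended."""
    AUDIT_LOG.append({"ts": time.time(), "session": session["id"],
                      "user": session["user"], "tool": tool,
                      "decision": decision, "detail": detail})

def rpc_error(request, code, message):
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": code, "message": message}}

def handle_tool_call(session, request, backend):
    """Gate one `tools/call` request: authorize, validate, run, log.

    `backend(tool, args)` is the caller-supplied function that performs the
    real lookup; it only ever receives validated arguments.
    """
    params = request.get("params")
    if not isinstance(params, dict):
        params = {}
    tool = params.get("name")
    spec = TOOLS.get(tool) if isinstance(tool, str) else None
    if request.get("method") != "tools/call" or spec is None:
        audit(session, tool, "deny", "unknown tool or method")
        return rpc_error(request, -32601, "unknown tool or method")
    if not session["roles"] & spec["roles"]:
        audit(session, tool, "deny", "role not authorized")
        # -32001 is an arbitrary server-defined code chosen for this example.
        return rpc_error(request, -32001, "not authorized for this tool")
    try:
        clean = spec["validate"](params.get("arguments"))
    except ValueError as exc:
        audit(session, tool, "reject", str(exc))
        return rpc_error(request, -32602, str(exc))
    result = backend(tool, clean)
    audit(session, tool, "allow", repr(clean))
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "result": {"content": [{"type": "text", "text": result}],
                       "isError": False}}
```

The authorization check runs before validation so that an unauthorized caller learns nothing about which argument shapes a tool accepts.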

The Bottom Line

MCP servers make it possible to safely combine the reasoning power of LLMs with real cybersecurity tools. They’re becoming a key part of how AI is being embedded into SOCs, IR platforms, and threat intel systems.

For AI to work in security, it must interact with tools and data in a controlled, auditable way. MCP is the protocol making that possible.

Want to see a real-world example? Check out Malware Patrol’s MCP Server.

How big are your threat data gaps?

See for yourself.

Introducing the Malware Patrol MCP Server

Introducing the Malware Patrol MCP Server for Cybersecurity Teams

We recently wrote about how MCP servers are unlocking new ways to use AI in cybersecurity. If you missed it, start here to learn what MCP servers are and how they work.

Today, we’re excited to announce the beta launch of our own MCP server, purpose-built for security teams.

Why We Built It

Security professionals need AI that’s more than just a chatbot. The Malware Patrol MCP server connects a custom-trained LLM to structured data, IOCs, and security context, enabling real-world workflows like:

  • Threat actor profiling
  • IOC investigation and correlation
  • Campaign tracking and attribution
  • CVE and malware analysis
  • Infrastructure overlap detection
  • Alert enrichment

What Powers the Malware Patrol MCP Server

Our model has been trained on a curated set of cybersecurity industry content, including:

  • APT and threat group profiles
  • Campaign breakdowns
  • Post-incident investigation reports
  • Security research articles

From this content, we extract structured indicators such as:

  • Threat actor profiles
  • IP addresses
  • File hashes
  • Email addresses used to exfiltrate data and in phishing and other malicious campaigns
  • CVEs abused by threat actors
  • Cryptocurrency wallet addresses

This information is stored and made accessible through our MCP interface. You can query it using natural language.

Sample Questions You Can Ask

  • What are all the known aliases of APT28?
  • What is the timeline of known activity for APT15?
  • Retrieve the latest IOCs associated with APT39.
  • Which threat actors are known to use Cobalt Strike and target retail?
  • Which CVEs are exploited by both APT15 and APT35?
  • Which actor is associated with the hash 7568062ad4b22963f3930205d1a14df7?

These are just a few of the hundreds of supported queries.

Built for Integration and Control

The Malware Patrol MCP server supports:

  • Role-based access and authentication
  • Session-aware tool calling
  • Input validation and call logging
  • API integration with internal tools or threat intel platforms

As the system evolves, we will add more tools and workflows based on customer needs and feedback.

Join the Beta Program

AI is powerful. Connected to your tools, your intelligence, and your policies, it becomes operational. We’re offering early access to security teams, MSSPs, and researchers interested in:

  • Using LLMs for real-world threat research
  • Automating investigation workflows
  • Connecting AI to internal tools
  • Helping shape the next generation of cybersecurity copilots

Request beta access here.

Emerging Threats Intelligence: A Curated Signal with Predictive Power

The Value of Emerging Threats Intelligence

Threat campaigns often evolve too quickly for traditional defenses to catch them in time. Our Emergent Threats Domains feed is built to provide early visibility into domains that are likely to be used in malicious activity. By combining multiple data sources with advanced analysis techniques, we surface high-risk domains before they are operationalized in active campaigns. This allows security teams to move from reactive defense to proactive action, reducing exposure and improving response times.

Identifying Risk Before It’s Weaponized

To identify emerging threats, we combine several raw data sources, including newly registered domains (NRDs), newly observed domains (NODs) from DNS traffic and other signals from our global collection systems. On their own, these datasets are high-volume and unfiltered, but by applying multiple layers of analysis we can identify domains that are far more likely to be weaponized in malicious campaigns.

Each domain is scored based on the following (among other) criteria:

  • Structural analysis: Detecting randomness, entropy, and other patterns common in algorithmically generated domains (DGAs)
  • Infrastructure associations: Mapping connections to infrastructure from both current and previous malicious campaigns tracked in Malware Patrol’s extensive historical database, revealing reuse of attacker resources
  • Brand lookalikes: Spotting domains designed to impersonate trusted brands, a common precursor to phishing and fraud
  • TLD reputation: Factoring in the track record of top-level domains (for example, .xyz) that frequently appear in malicious campaigns

This combination of broad input data and layered analysis transforms raw domain activity into a curated feed of high-risk signals. Even though these domains may not yet appear on VirusTotal or in traditional intelligence feeds, they often carry subtle indicators of risk.

Key Benefits for Security Teams

By highlighting suspicious domains early, the feed gives defenders a head start. With emerging threats intelligence, security teams can:

  • Block high-risk domains before they are weaponized
  • Identify suspicious infrastructure earlier in the attack chain
  • Reduce attacker dwell time by acting faster
  • Strengthen DNS-layer defenses and detection systems with predictive data

Advantages and Limitations

Like any security solution, our Emergent Threats Domains feed has strengths and trade-offs that should be considered.

Advantages:

  • Pre-filtered and enriched, reducing noise and making it ready to deploy in firewalls, SIEMs, and DNS layers
  • Compact enough to work within the limits of tools that cannot process large blocklists
  • Includes enrichment and scoring, providing immediate context for faster decisions
  • Well-suited for smaller teams or those without capacity to build enrichment pipelines internally

Limitations:

  • Filtering and scoring are determined by vendor criteria, which may not fully align with every organization’s unique threat model
  • By design, not every domain is included, only those identified as suspicious, so some activity could be missed
  • Less flexible than raw feeds, making it less suitable for organizations that prefer to create custom detection logic

Comparison: Newly Registered Domains vs Emergent Threats Domains

Both NRDs and emerging threats intelligence provide valuable visibility, but they serve different needs as outlined in the table below.

| Newly Registered Domains (NRDs) | Emergent Threats Domains |
|---|---|
| Broad coverage of all new domains | Focused coverage of domains flagged as suspicious |
| High volume and unfiltered | Pre-filtered, enriched, and scored |
| Requires custom enrichment and filtering by the user | Includes enrichment such as entropy, brand lookalikes, infrastructure ties, and TLD reputation |
| Useful for hunting, research, and building custom detections | Useful for immediate blocking and SOC operations |
| May overwhelm tools or teams without filtering | Compact size avoids overwhelming security tools |
| Best for mature SOCs and research teams | Best for smaller teams or those prioritizing operational efficiency |

In short, NRDs give maximum visibility and flexibility, while Emergent Threats Domains provides ready-to-use intelligence that reduces noise and speeds up action.

Try Malware Patrol’s Emergent Threats Domains With a Free Trial

Whether you want the flexibility of raw NRDs or the convenience of enriched Emergent Threats Domains, we can help you choose the right approach for your environment. We also offer free evaluations so you can see the data in action and decide which feed best fits your security needs.

Get started today and take the first step toward staying ahead of tomorrow’s threats. We’d be happy to discuss options and set up a free trial. Use this link to schedule time with us.

Newly Registered Domains: A Raw Signal with Real Value

Working with Newly Registered Domains

We provide a Newly Registered Domains (NRDs) feed, and one of the most common questions we receive is: “How can this data be used?”

It is a valid question. By their very nature, NRDs are high-volume and unfiltered, which can make them challenging to work with at first glance. But that rawness is also what makes them powerful: they provide one of the most comprehensive snapshots of Internet activity you can get. After all, every malicious domain begins life as an NRD. For defenders who know how to work with this telemetry, that makes NRDs an invaluable early-stage signal.

With the right enrichment and filtering, what first looks like overwhelming noise can quickly turn into actionable intelligence. Organizations that invest in detection engineering or custom hunting workflows can use NRDs to spot attacker infrastructure before it’s weaponized in campaigns, often long before it ever appears in curated threat feeds.

Before we dive into how organizations can put NRDs to work, let’s take a step back. When we say “NRD feed,” what exactly does that include? And why is this raw data so valuable?

What is an NRD Feed?

A Newly Registered Domains (NRD) feed is a daily snapshot of every domain registered on a given date. It captures everything, from legitimate business sites and personal projects to the very first traces of attacker infrastructure.

Threat intelligence providers may structure NRD intelligence in different ways, but the most common fields include the domain name, the registration date, and related DNS records. These basic elements make up the raw dataset.

Malware Patrol takes it a step further. In addition to listing new domains, we resolve each one through DNS and check the resulting IP addresses against our current and historical databases of malicious infrastructure. The output is a simple indicator, presented by threat type, showing whether a domain has ever resolved to an IP tied to malicious activity. This doesn’t turn NRDs into a curated threat feed, but it does provide valuable context to help security teams prioritize where to look first.

Example NRD Feed Entry (Simplified)

{
  "DOMAIN": "zzzzbetjogos.com",
  "REGISTRATIONDATE": 20250928,
  "A_RECORD": [
    {
      "IP": "104.21.18.168",
      "HOSTINGC2": 0,
      "HOSTEDC2": 0,
      "HOSTEDDGA": 0,
      "HOSTINGMALWARE": 0,
      "HOSTEDMALWARE": 0
    }
  ],
  "AAAA_RECORD": [
    { "ADDRESS": "2606:4700:3035::6815:12a8" }
  ],
  "NS_RECORD": [
    { "HOST": "lennon.ns.cloudflare.com" },
    { "HOST": "nelly.ns.cloudflare.com" }
  ]
}

Why Should You Care About NRDs?

Attackers depend on newly registered domains as a foundation for their operations. Whether establishing fresh infrastructure for malware delivery or spinning up lookalike sites that mimic trusted brands, new domains give adversaries a clean slate. With no reputation history and no presence on blocklists, they’re the perfect launchpad for malicious activity.

Every day, threat actors register domains to:

  • Launch phishing and social engineering campaigns
  • Set up malware infrastructure like C2 servers and drop zones
  • Impersonate legitimate brands through typosquats and lookalikes
  • Avoid being caught by existing blocklists

Of course, many newly registered domains are harmless, but the critical point is that every malicious domain starts as an NRD. This makes NRDs a powerful early-warning signal. By using them, security teams can detect attacker infrastructure before it’s weaponized in campaigns and long before it shows up in curated threat feeds.

Use Cases for Newly Registered Domains Feeds

Here’s what your team can do with this data:

  • Block NRDs for a fixed period (e.g., 3–7 days): Most legitimate sites aren’t operational immediately. Blocking during this window dramatically reduces exposure to phishing and malware campaigns.
  • Prioritize NRDs that resolve to suspicious infrastructure: Use Malware Patrol’s malicious-IP indicator as a filter to decide which domains may warrant closer inspection.
  • Monitor for brand impersonation or typosquatting: Detect lookalike domains before they appear in phishing emails.
  • Detect DGA or high-entropy domains: Flag domains likely generated by Domain Generation Algorithms. A DGA domain typically looks like a random string of characters, often unpronounceable, and statistically unlikely in natural language (e.g., xj3k9u2p.biz).
  • Retroactive incident analysis: Check which NRDs were queried during dwell time in an incident.
  • Security research: Track TTPs of threat actors by watching domain registration patterns. Investigate bulk registrations, suspicious registrars, or ASN patterns to spot attacker infrastructure.
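
The following added example (not Malware Patrol's code) combines four of these use cases into one triage pass over entries in the feed format shown earlier: the hold-down window, the malicious-IP indicator, a DGA heuristic and a brand lookalike check. The brand list, own-domain allowlist, thresholds and the two constructed feed entries are assumptions to tune for your environment, and the heuristics are illustrative stand-ins, not the vendor's scoring criteria.

```python
import math
from collections import Counter
from datetime import date

FLAG_FIELDS = ("HOSTINGC2", "HOSTEDC2", "HOSTEDDGA", "HOSTINGMALWARE", "HOSTEDMALWARE")
BLOCK_DAYS = 7                       # hold-down window; the text suggests 3-7 days
BRANDS = ("examplebank",)            # assumption: brand strings you protect
OWN_DOMAINS = {"examplebank.com"}    # assumption: your legitimate domains
ENTROPY_MIN = 2.9                    # assumption: bits/char, tune on your data
VOWEL_RATIO_MAX = 0.3                # assumption: crude "unpronounceable" proxy

def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_generated(label):
    """High entropy alone also matches ordinary words, so require few vowels too."""
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= ENTROPY_MIN and vowels / len(label) < VOWEL_RATIO_MAX

def triage(entry, today):
    """Return the reasons one feed entry deserves attention."""
    domain = entry["DOMAIN"].lower().rstrip(".")
    label = domain.split(".")[0]  # leftmost label; production code should use the Public Suffix List
    reg = str(entry["REGISTRATIONDATE"])  # YYYYMMDD integer in the feed
    age = (today - date(int(reg[:4]), int(reg[4:6]), int(reg[6:8]))).days
    reasons = []
    if 0 <= age < BLOCK_DAYS:
        reasons.append("within_block_window")
    flags = sorted({f for rec in entry.get("A_RECORD", [])
                    for f in FLAG_FIELDS if rec.get(f)})
    if flags:
        reasons.append("malicious_ip:" + ",".join(flags))
    if looks_generated(label):
        reasons.append("dga_like")
    if domain not in OWN_DOMAINS:
        for brand in BRANDS:
            # Distance <= 2 is noisy for short brand names; raise the bar for those.
            if brand in label or edit_distance(label, brand) <= 2:
                reasons.append("brand_lookalike:" + brand)
    return {"domain": domain, "age_days": age, "reasons": reasons}

def prioritize(feed, today):
    """Most reasons first; ties keep feed order."""
    return sorted((triage(e, today) for e in feed),
                  key=lambda r: len(r["reasons"]), reverse=True)

SAMPLE_FEED = [
    # Entry from the page (NS and AAAA records omitted for brevity).
    {"DOMAIN": "zzzzbetjogos.com", "REGISTRATIONDATE": 20250928,
     "A_RECORD": [{"IP": "104.21.18.168", "HOSTINGC2": 0, "HOSTEDC2": 0,
                   "HOSTEDDGA": 0, "HOSTINGMALWARE": 0, "HOSTEDMALWARE": 0}]},
    # Constructed entries: documentation IP range, made-up registration dates.
    {"DOMAIN": "xj3k9u2p.biz", "REGISTRATIONDATE": 20250901,
     "A_RECORD": [{"IP": "192.0.2.10", "HOSTINGC2": 0, "HOSTEDC2": 1,
                   "HOSTEDDGA": 0, "HOSTINGMALWARE": 0, "HOSTEDMALWARE": 0}]},
    {"DOMAIN": "examp1ebank.com", "REGISTRATIONDATE": 20250929, "A_RECORD": []},
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FEED, date(2025, 9, 30)):
        print(row)
```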

NRDs: Raw Fuel for Custom Defenses

If you’re looking to enrich internal detection pipelines, protect your brand, or analyze emerging infrastructure at Internet scale, NRDs are where that work starts. While NRDs are not a plug-and-play threat feed, they empower organizations to hunt earlier, detect faster, and build detections tuned to their own threat models. (With our malicious-infrastructure correlations, subscribers also get a bit of extra context to help prioritize analysis!)

We understand that working with a raw NRD feed can be challenging, which is why we help our subscribers get the most out of it. Our team can customize the feed to align with your environment – at no cost – and provide guidance on setting internal parameters so you can filter, enrich, and prioritize domains in a way that fits your security goals.

And if your organization prefers not to manage this kind of data, we also offer an alternative: Emergent Threats Domains. This feed is informed in part by NRDs but is pre-filtered, enriched, and ready for immediate use in security controls.

Want to explore what your organization can do with NRDs? Let’s talk.

Tor Exit Nodes: Risks, Monitoring, and Defensive Use

What Are Tor Exit Nodes?

Tor exit nodes frequently appear in cybersecurity discussions, and for good reason. This post explains why they matter so you can decide if your security team should take a closer look.

The Tor network is a powerful tool for enabling anonymity online, and like many privacy-preserving technologies, it has both legitimate and malicious uses (we’re looking at you, DoH!). While it supports privacy for users around the world, it also helps attackers hide their infrastructure, evade detection, and bypass traditional defenses. Understanding how Tor works and how it’s used across different stages of an attack can help defenders apply controls, such as traffic monitoring and access policies, more effectively.

The Tor (The Onion Router) network is a system designed to enable anonymous communication over the Internet. When a user routes their connection through Tor, their data is encrypted and bounced through a series of volunteer-operated nodes, also known as relays, in a layered manner, like peeling an onion. Tor exit nodes are the final relay in the Tor network through which traffic emerges before reaching its destination.

Here’s how it works:

  1. Client Encryption and Path Building:
    When a user initiates a connection via the Tor Browser, the client software selects a random path through the Tor network, consisting of three relays:

    • Entry (Guard) Node – The first hop; it knows the user’s IP address.
    • Middle Node – The second hop; it connects the entry and exit nodes.
    • Exit Node – The final hop; it decrypts the traffic and sends it out to the public Internet.
  2. Onion Routing:
    Each relay only knows the previous and next hop, not the full path, and traffic is encrypted in multiple layers. As each relay receives the data, it peels away one layer of encryption (hence “onion routing”) until the exit node forwards the plaintext traffic to the destination website or server.
  3. Exit Node Role:
    The exit node is where the traffic appears to originate from as far as the destination is concerned. It sees the content of the request (unless it’s encrypted with HTTPS), but not the origin IP address of the user. This is why exit nodes are a focus in both privacy discussions and cybersecurity operations.

Because exit nodes are the only points in the Tor network that interact with the open Internet, they are a key observation point for defenders monitoring suspicious traffic. You can download a current list of active exit nodes, as well as find more technical detail about changes to the service, on their official blog.

Why Tor Exit Nodes Matter in Cybersecurity

While Tor has many legitimate uses, its anonymity makes it attractive to threat actors. Attackers frequently leverage Tor for:

  • Exfiltration of data after compromising a system
  • Command-and-control (C2) communications
  • Scanning and probing for vulnerabilities anonymously
  • Anonymized web scraping or credential stuffing

Traffic emerging from Tor exit nodes presents challenges for attribution, enforcement, and even rate-limiting. Monitoring or blocking these nodes can help reduce noise and risk in certain environments.

MITRE ATT&CK TTPs

To further the discussion about Tor’s significance in cybersecurity, it’s helpful to look at how the MITRE ATT&CK framework classifies the different ways attackers abuse it. We compiled the following list to emphasize the broad utility of Tor (or similar services) across the threat landscape. From infrastructure obfuscation and anonymous scanning to covert data theft, Tor enables a wide spectrum of malicious operations. By showcasing its versatility, we aim to help defenders implement more effective detection and mitigation strategies in their environments.

| Tactic | Technique ID | Technique Name | Description | Use Case |
|---|---|---|---|---|
| Command and Control | T1090.003 | Proxy: Multi-hop Proxy | Multi-hop proxy chains are used to conceal the true source and destination of network traffic. | Tor acts as a multi-hop encrypted proxy. Operators route C2 traffic through it to hide their infrastructure and bypass perimeter defenses. |
| Command and Control | T1102 | Web Service | Legitimate web services can be leveraged to carry out C2 communications while blending with normal traffic. | Tor hidden services (.onion domains) are used to host C2 endpoints anonymously, making them harder to block or trace. |
| Command and Control | T1102.001 | Dead Drop Resolver | Commands or payloads are stored at web-accessible locations and retrieved by malware. | Malware connects over Tor to .onion pages that host instructions (dead drops), reducing the need for persistent C2 channels. |
| Command and Control | T1102.002 | Bidirectional Communication | Two-way communication channels are established using web services, allowing command issuance and response retrieval. | Tor provides encrypted, anonymous communication between infected systems and their controller using hidden services. |
| Command and Control | T1572 | Protocol Tunneling | Malicious traffic is encapsulated within another protocol, such as HTTPS, to evade detection mechanisms. | Communication is tunneled through Tor using standard protocols like HTTPS or SOCKS to blend with legitimate activity. |
| Command and Control | T1001 | Data Obfuscation | Traffic is modified or disguised to make it more difficult to analyze or detect. | Tor’s encrypted routing layers hide both the content and the destination of communications, helping obscure intent. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data is embedded within command and control traffic for covert transmission out of the environment. | Tor-based C2 channels are frequently used to exfiltrate stolen data along with commands due to encryption and anonymity. |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Data is exfiltrated using cloud storage or web services, often over encrypted channels. | Tor is used to anonymize the transfer of stolen data to attacker-controlled storage or .onion servers. |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services | Web infrastructure such as domains or servers is obtained for later operational use. | .onion domains and hidden services are registered and deployed over Tor to host malware, C2 servers, or phishing kits anonymously. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Code or data is hidden or encoded to prevent detection by security tools. | Traffic routed over Tor benefits from inherent encryption and anonymization, making it harder to inspect or attribute. |
| Discovery | T1595 | Active Scanning | Target networks are scanned to gather information such as open ports, services, or potential vulnerabilities. | Scanning activities are conducted over Tor to mask the source of probes against target infrastructure. |
| Discovery | T1595.001 | Scanning IP Blocks | Large address spaces are scanned to locate accessible systems and services. | Tor exit nodes are used to scan wide IP ranges, identifying exposed assets while remaining anonymous. |
| Discovery | T1595.002 | Vulnerability Scanning | Specific systems are scanned to identify known vulnerabilities or misconfigurations. | Vulnerability scanning tools route traffic through Tor to identify weaknesses in targets without revealing the attacker’s origin. |
| Credential Access | T1110 | Brute Force | Repeated login attempts are made to gain unauthorized access by guessing or using common passwords. | Login brute-force attacks are launched via Tor to bypass IP restrictions and avoid detection. |
| Credential Access | T1110.004 | Credential Stuffing | Previously leaked credentials are used to attempt logins across services. | Tor is used to distribute these login attempts across many IPs, increasing stealth and success while avoiding rate limits. |
| Reconnaissance | T1589.003 | Gather Victim Identity Information: Credentials | Username and password data is collected from public or breached sources to inform follow-on targeting. | Tor is used to scrape credential leaks from forums, dumps, or pastes while hiding the requester’s identity. |

Defensive Applications of Tor Exit Node Intelligence

There are multiple defensive use cases for tracking and leveraging Tor exit node IPs in a security program:

  1. Blocking Tor Exit Traffic

Many security teams choose to block inbound or outbound traffic involving known Tor exit nodes, especially in environments that do not serve anonymous users. This can be done via:

  • Firewall rules
  • Web application firewalls (WAFs)
  • DNS-based filtering
  • SIEM correlation rules

Keep in mind, this approach may generate false positives if your service intentionally serves Tor users.

  2. Threat Hunting and Monitoring

By monitoring network traffic to and from Tor exit nodes you can uncover suspicious or malicious behavior such as:

  • Beaconing to C2 infrastructure
  • Unauthorized data transfers
  • Anonymized access attempts

This is particularly useful in SOC environments that log DNS queries, proxy traffic, or NetFlow/Zeek logs.

  3. Threat Intelligence Enrichment

Ingesting and enriching alert data with Tor exit node intelligence can improve triage workflows. For example:

  • Flagging alerts from exit node IPs with a higher risk score
  • Adding context during incident investigations
  • Enhancing SOAR playbooks with automated risk annotations
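
One way to implement the risk-score enrichment described above, as an added example rather than code from the original post. The alert fields (`src_ip`, `dst_ip`, `risk_score`), the one-IP-per-line list format, the score bonus and the maximum list age are assumptions; the sample list uses constructed addresses from documentation ranges.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_LIST_AGE = timedelta(hours=2)  # assumption: how old a list you still trust
TOR_RISK_BONUS = 30                # assumption: points added on a 0-100 scale

def normalise(value):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4
    so the same host matches however the log source wrote it."""
    ip = ipaddress.ip_address(value.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def load_exit_nodes(text):
    """Read one address per line, ignoring comments, blanks and malformed rows."""
    nodes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nodes.add(normalise(line))
        except ValueError:
            continue  # skip bad rows instead of failing the whole refresh
    return nodes

def enrich_alert(alert, exit_nodes, list_fetched_at, now):
    """Return a copy of the alert annotated with Tor exit node context.

    Exit node addresses change frequently, so a stale list is reported as
    stale and never used to raise (or implicitly clear) an alert's score.
    """
    out = dict(alert)
    out["tor_list_stale"] = (now - list_fetched_at) > MAX_LIST_AGE
    out["tor_exit_match"] = []
    if out["tor_list_stale"]:
        return out
    for field in ("src_ip", "dst_ip"):
        try:
            if normalise(str(alert.get(field, ""))) in exit_nodes:
                out["tor_exit_match"].append(field)
        except ValueError:
            pass  # missing or unparseable address: nothing to match
    if out["tor_exit_match"]:
        out["risk_score"] = min(100, alert.get("risk_score", 0) + TOR_RISK_BONUS)
    return out

# Constructed sample list (documentation ranges, not real exit nodes).
SAMPLE_LIST = """\
# fetched by a scheduled job
198.51.100.7
203.0.113.25
2001:db8::5
not-an-ip
"""

if __name__ == "__main__":
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    nodes = load_exit_nodes(SAMPLE_LIST)
    alert = {"id": "A-1", "src_ip": "::ffff:198.51.100.7",
             "dst_ip": "192.0.2.80", "risk_score": 40}
    print(enrich_alert(alert, nodes, now - timedelta(minutes=30), now))
```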

Where to Get Reliable Tor Exit Node Data

There are a few trustworthy sources for up-to-date Tor exit node information:

Considerations and Cautions

Blocking or monitoring Tor exit traffic is not always the right choice. For organizations supporting user privacy, activism, or global accessibility, outright blocking could limit service availability or raise ethical concerns. Any implementation should be aligned with your organization’s risk posture and user profile. Also, IP addresses of Tor exit nodes can change frequently. This means real-time updates and automation are essential if you’re maintaining blocklists or alerts.

Here are a few good resources for advice about developing a Tor security policy:

Final Thoughts

Using Tor exit node IPs as part of your threat intelligence strategy adds visibility into a common vector for anonymous, and potentially malicious, traffic. Whether you’re blocking, monitoring, or enriching alerts, Tor exit node intelligence is a flexible and valuable tool, but it should be used thoughtfully and in context. Not all Tor traffic is malicious, and indiscriminate blocking can lead to unintended consequences. Instead, aligning Tor intelligence with your organization’s risk tolerance and use cases ensures it contributes meaningfully to detection, response, and threat hunting efforts.

For our customers, Tor exit node data can also be integrated directly into existing threat intelligence subscriptions upon request. Contact your account manager to learn more about integration options or additional enrichment.

As part of our commitment to empowering defenders, we offer several free OSINT feeds, one of which includes a regularly updated list of active Tor exit nodes. Click below to sign up for free access.

Leslie Dawn

Technical Account Manager

Leslie Dawn is a Technical Account Manager / Threat Intelligence Analyst at Malware Patrol. Her background of nearly a decade in cyber threat intelligence provides her with a nuanced understanding of threat landscapes and client security needs.

 
