OpenCTI MCP Server Integration

Connect FlowHunt to OpenCTI with the OpenCTI MCP Server for powerful, automated threat intelligence and enhanced security workflows.

OpenCTI MCP Server Integration

What does “OpenCTI” MCP Server do?

OpenCTI MCP Server is a Model Context Protocol (MCP) server that enables seamless integration with the OpenCTI (Open Cyber Threat Intelligence) platform. By acting as a bridge between AI assistants and the OpenCTI threat intelligence database, it allows AI clients to query, retrieve, and interact with cyber threat intelligence data using a standardized interface. This server facilitates tasks such as searching for malware information, querying indicators of compromise, managing users and groups, and performing file operations. Developers can use it to automate security workflows, enrich LLM outputs with real-time threat data, and streamline access to actionable intelligence within their development and operational environments.

List of Prompts

No prompt templates are listed in the repository or documentation.

List of Resources

No explicit resources are described in the available documentation or repository files.

List of Tools

No specific tools are listed in the documentation or code. The documentation only describes high-level features and API capabilities, but does not enumerate MCP tools or their function signatures.

Use Cases of this MCP Server

  • Threat Intelligence Automation: Automate the retrieval and analysis of the latest threat intelligence reports, indicators of compromise, malware information, and threat actors from OpenCTI, enabling proactive security operations.
  • Security Operations Integration: Integrate with SOC tools to allow AI agents to fetch campaign information, list attack patterns, and provide actionable insights for incident response teams.
  • User and Group Management: Use AI assistants to list and manage users or groups within the OpenCTI instance, supporting administrative workflows and access audits.
  • STIX Object Operations: Query and manipulate STIX objects, such as campaigns and attack patterns, directly from development environments or automated workflows.
  • File and Reference Data Access: Enable AI to interact with files, marking definitions, and labels in OpenCTI, supporting advanced data enrichment and classification tasks.

How to set it up

Windsurf

  1. Prerequisites: Ensure Node.js 16+ is installed and you have access to an OpenCTI instance with a valid API token.
  2. Prepare Environment: Copy .env.example to .env and update with your OpenCTI credentials.
  3. Configure MCP Server: Edit your Windsurf MCP configuration file to add the OpenCTI server:
    {
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}
  4. Save and Restart: Save your configuration and restart the Windsurf client.
  5. Verify: Ensure the MCP server is listed and available in Windsurf.

Claude

  1. Prerequisites: Install Node.js 16+ and obtain OpenCTI API credentials.
  2. Environment Setup: Copy .env.example to .env and fill in your OpenCTI details.
  3. Add MCP Server in Claude: Update MCP settings as follows:
    {
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}
  4. Restart Claude: Save configuration and restart Claude.
  5. Check Connection: Confirm OpenCTI MCP is connected.

Cursor

  1. Prerequisites: Make sure Node.js 16+ is present and you have OpenCTI access.
  2. Configure Environment: Duplicate .env.example as .env and set your OpenCTI URL and token.
  3. Edit Cursor Configuration: Insert the following in your MCP config:
    {
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}
  4. Restart Cursor: Save and restart the application.
  5. Verify: Ensure OpenCTI MCP server is operational in Cursor.

Cline

  1. Prerequisites: Install Node.js 16+ and have OpenCTI instance credentials.
  2. Setup Environment File: Copy .env.example to .env and update with your values.
  3. Configure Cline MCP: Add OpenCTI MCP to your configuration:
    {
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}
  4. Restart Cline: Save configuration and restart Cline.
  5. Validation: Check that OpenCTI MCP appears as expected.

Securing API Keys (applies to all platforms)

  • Always use environment variables to store sensitive API credentials. Example configuration:
    {
  "mcpServers": {
    "opencti": {
      "command": "node",
      "args": ["path/to/opencti-server/build/index.js"],
      "env": {
        "OPENCTI_URL": "${OPENCTI_URL}",
        "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
      }
    }
  }
}

How to use this MCP inside flows

Using MCP in FlowHunt

To integrate MCP servers into your FlowHunt workflow, start by adding the MCP component to your flow and connecting it to your AI agent:

FlowHunt MCP flow

Click on the MCP component to open the configuration panel. In the system MCP configuration section, insert your MCP server details using this JSON format:

{
  "opencti": {
    "transport": "streamable_http",
    "url": "https://yourmcpserver.example/pathtothemcp/url"
  }
}

Once configured, the AI agent is now able to use this MCP as a tool with access to all its functions and capabilities. Remember to change “opencti” to whatever the actual name of your MCP server is and replace the URL with your own MCP server URL.

Overview

SectionAvailabilityDetails/Notes
OverviewBasic description in README
List of PromptsNo prompt templates listed
List of ResourcesNo explicit MCP resources described
List of ToolsNo specific tool list in documentation
Securing API KeysEnvironment variable usage documented
Sampling Support (less important in evaluation)No mention of sampling support

Between the available documentation and code, OpenCTI MCP Server provides a clear overview and robust setup instructions, but lacks explicit details on resources, prompts, tools, and advanced MCP features like sampling or roots configuration.

Our opinion

Based on the evidence, this MCP server provides a good foundation for OpenCTI integration and has solid setup and security practices, but it lacks transparency around MCP-specific features (like tools, resources, prompts, and sampling). As such, we would rate this MCP implementation a 5/10 for overall completeness and usability for LLM integration.

MCP Score

Has a LICENSE✅ (MIT)
Has at least one tool
Number of Forks10
Number of Stars18

Frequently asked questions

What is the OpenCTI MCP Server?

The OpenCTI MCP Server enables FlowHunt (and other AI platforms) to access and automate cyber threat intelligence workflows by acting as a bridge between AI agents and the OpenCTI database. It standardizes access to threat intelligence such as malware, indicators of compromise, attack patterns, and user management.

What are the main use cases for this integration?

Key use cases include automated threat intelligence retrieval, SOC tool integration, managing users/groups in OpenCTI, querying STIX objects, and enhancing AI-driven incident response with real-time data from OpenCTI.

Are there any built-in prompt templates or tools in this MCP server?

No specific prompt templates or explicit tool signatures are provided in this MCP server. The integration is focused on standardizing access to the OpenCTI API rather than providing prebuilt prompts or tools.

How is security handled for API credentials?

API credentials are secured using environment variables. Never hardcode your OpenCTI URL or token directly in configuration files. Always use a .env file or environment management system for sensitive data.

Can I use this MCP with multiple FlowHunt clients?

Yes, the OpenCTI MCP Server is compatible with Windsurf, Claude, Cursor, and Cline clients. Specific configuration steps are provided for each.

What is the overall completeness score for this MCP server?

Based on available documentation and MCP features, this MCP server rates a 5/10 for completeness and transparency, offering robust setup and security but lacking in detailed tool/resource exposure.

Supercharge Your Threat Intelligence with OpenCTI MCP

Deploy the OpenCTI MCP Server with FlowHunt to automate cyber threat intelligence access, enrich LLM responses, and streamline SOC operations. Secure, scalable, and efficient.

Start Integrating Book a Demo

Learn more

OpenSearch MCP Server Integration
OpenSearch MCP Server Integration

OpenSearch MCP Server Integration

The OpenSearch MCP Server enables seamless integration of OpenSearch with FlowHunt and other AI agents, allowing programmatic access to search, analytics, and c...

4 min read
AI OpenSearch +5
OpenAPI MCP Server
OpenAPI MCP Server

OpenAPI MCP Server

The OpenAPI MCP Server connects AI assistants with the ability to explore and understand OpenAPI specifications, offering detailed API context, summaries, and e...

4 min read
API OpenAPI +5
Model Context Protocol (MCP) Server
Model Context Protocol (MCP) Server

Model Context Protocol (MCP) Server

The Model Context Protocol (MCP) Server bridges AI assistants with external data sources, APIs, and services, enabling streamlined integration of complex workfl...

3 min read
AI MCP +4