OpenCTI MCP Server Integration

Connect FlowHunt to OpenCTI with the OpenCTI MCP Server for powerful, automated threat intelligence and enhanced security workflows.


What does “OpenCTI” MCP Server do?

OpenCTI MCP Server is a Model Context Protocol (MCP) server that connects AI assistants to the OpenCTI (Open Cyber Threat Intelligence) platform. Acting as a bridge between an MCP client and the OpenCTI database, it lets the client query, retrieve, and interact with threat intelligence data through the standardized MCP interface. According to its documentation it supports tasks such as searching for malware information, querying indicators of compromise, managing users and groups, and performing file operations. Developers can use it to automate security workflows, enrich LLM outputs with current threat data, and give development and operational environments direct access to actionable intelligence.

List of Prompts

No prompt templates are listed in the repository or documentation.

List of Resources

No explicit resources are described in the available documentation or repository files.

List of Tools

No specific tools are listed in the documentation or code. The documentation only describes high-level features and API capabilities, but does not enumerate MCP tools or their function signatures.

Use Cases of this MCP Server

  • Threat Intelligence Automation: Automate the retrieval and analysis of the latest threat intelligence reports, indicators of compromise, malware information, and threat actors from OpenCTI, enabling proactive security operations.
  • Security Operations Integration: Integrate with SOC tools to allow AI agents to fetch campaign information, list attack patterns, and provide actionable insights for incident response teams.
  • User and Group Management: Use AI assistants to list and manage users or groups within the OpenCTI instance, supporting administrative workflows and access audits.
  • STIX Object Operations: Query and manipulate STIX objects, such as campaigns and attack patterns, directly from development environments or automated workflows.
  • File and Reference Data Access: Enable AI to interact with files, marking definitions, and labels in OpenCTI, supporting advanced data enrichment and classification tasks.

How to set it up

Windsurf

  1. Prerequisites: Ensure Node.js 16+ is installed and you have access to an OpenCTI instance with a valid API token.
  2. Prepare Environment: Copy .env.example to .env and update with your OpenCTI credentials.
  3. Configure MCP Server: Edit your Windsurf MCP configuration file to add the OpenCTI server:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Save and Restart: Save your configuration and restart the Windsurf client.
  5. Verify: Ensure the MCP server is listed and available in Windsurf.

Claude

  1. Prerequisites: Install Node.js 16+ and obtain OpenCTI API credentials.
  2. Environment Setup: Copy .env.example to .env and fill in your OpenCTI details.
  3. Add MCP Server in Claude: Update MCP settings as follows:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Restart Claude: Save configuration and restart Claude.
  5. Check Connection: Confirm OpenCTI MCP is connected.

Cursor

  1. Prerequisites: Make sure Node.js 16+ is present and you have OpenCTI access.
  2. Configure Environment: Duplicate .env.example as .env and set your OpenCTI URL and token.
  3. Edit Cursor Configuration: Insert the following in your MCP config:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Restart Cursor: Save and restart the application.
  5. Verify: Ensure OpenCTI MCP server is operational in Cursor.

Cline

  1. Prerequisites: Install Node.js 16+ and have OpenCTI instance credentials.
  2. Setup Environment File: Copy .env.example to .env and update with your values.
  3. Configure Cline MCP: Add OpenCTI MCP to your configuration:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Restart Cline: Save configuration and restart Cline.
  5. Validation: Check that OpenCTI MCP appears as expected.

Securing API Keys (applies to all platforms)

  • Always use environment variables to store sensitive API credentials; never paste the OpenCTI URL or token into a configuration file that is committed or shared.
  • An OpenCTI API token carries every permission of the user it belongs to. Because this server exposes user and group management, an administrator's token would let the assistant create or change accounts; create a dedicated OpenCTI user with the smallest role the workflow needs and use that user's token.
  • Not every MCP client expands ${VAR} placeholders in its configuration file. If the server fails to authenticate, the placeholders may have been passed through literally; export the variables in the environment that launches the client, or inline the values and protect the file like the .env (restrictive permissions, outside version control).
  • Example configuration:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
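
As an added example (not code from the OpenCTI MCP Server repository or from FlowHunt), the Node.js script below ties the setup steps for the four clients and the credential advice above together: it validates OPENCTI_URL and OPENCTI_TOKEN, refuses plain http to a remote host and placeholder tokens, emits the mcpServers entry with the values inlined for clients that do not expand ${VAR}, and pre-flights the token against OpenCTI so that an administrator token is flagged before the assistant ever starts the server. It assumes the OpenCTI GraphQL endpoint at <OPENCTI_URL>/graphql, bearer-token authentication, a "me" query that returns user_email and capability names, and the capability names BYPASS and SETTINGS_SETACCESSES as the admin markers; the sample reply is constructed. The path "path/to/opencti-server/build/index.js" is the page's own placeholder.

```javascript
// Added example, not code from the OpenCTI MCP Server project: validate the
// OPENCTI_URL / OPENCTI_TOKEN pair, build the client config entry, and check the
// token against OpenCTI before an assistant ever launches the server.
// Assumptions: the GraphQL endpoint is <OPENCTI_URL>/graphql, it accepts
// "Authorization: Bearer <token>", and a "me" query returns user_email and
// capability names; the capability names below are assumed, adjust as needed.

// Values that are obviously not a real token.
const PLACEHOLDER_TOKENS = new Set(["", "changeme", "your-token-here", "<token>"]);

// Capabilities treated as "this is an administrator token".
const ADMIN_CAPABILITIES = new Set(["BYPASS", "SETTINGS_SETACCESSES"]);

// Build the "opencti" entry of an mcpServers config from the environment.
// Secrets are inlined rather than written as "${VAR}" because not every MCP
// client expands shell-style placeholders; keep the resulting file as private
// as the token itself (mode 0600, outside any repository).
function buildServerEntry(env, serverPath) {
  const rawUrl = env.OPENCTI_URL;
  const token = (env.OPENCTI_TOKEN || "").trim();
  if (!rawUrl) throw new Error("OPENCTI_URL is not set");
  if (PLACEHOLDER_TOKENS.has(token.toLowerCase())) {
    throw new Error("OPENCTI_TOKEN is missing or still a placeholder");
  }
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    throw new Error(`OPENCTI_URL is not a valid URL: ${rawUrl}`);
  }
  const isLocal = ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
  if (url.protocol !== "https:" && !isLocal) {
    // The token rides on every request as a bearer header; never send it in clear.
    throw new Error("OPENCTI_URL must use https unless it points at localhost");
  }
  return {
    command: "node",
    args: [serverPath],
    env: { OPENCTI_URL: rawUrl.replace(/\/+$/, ""), OPENCTI_TOKEN: token },
  };
}

// Turn an HTTP status plus parsed GraphQL body into a verdict. Pure, so it can
// be exercised without a live OpenCTI.
function interpretMeResponse(status, body) {
  if (status === 401 || status === 403) {
    return { ok: false, reason: `OpenCTI rejected the token (HTTP ${status})` };
  }
  if (status !== 200) return { ok: false, reason: `unexpected HTTP ${status}` };
  if (Array.isArray(body.errors) && body.errors.length) {
    return { ok: false, reason: body.errors.map((e) => e.message).join("; ") };
  }
  const me = body.data && body.data.me;
  if (!me) return { ok: false, reason: "response carries no 'me' object" };
  const caps = (me.capabilities || []).map((c) => c.name);
  const admin = caps.filter((c) => ADMIN_CAPABILITIES.has(c));
  const warnings = [];
  if (admin.length) {
    warnings.push(
      `token belongs to ${me.user_email} with ${admin.join(", ")}; ` +
        "give the MCP server its own least-privilege OpenCTI user instead"
    );
  }
  return { ok: true, user: me.user_email, admin: admin.length > 0, warnings };
}

// Live check; fetchImpl is injected so it can be stubbed (Node 18+ has fetch).
async function preflight(entry, fetchImpl = globalThis.fetch) {
  const { OPENCTI_URL, OPENCTI_TOKEN } = entry.env;
  const res = await fetchImpl(`${OPENCTI_URL}/graphql`, {
    method: "POST",
    headers: { "content-type": "application/json", authorization: `Bearer ${OPENCTI_TOKEN}` },
    body: JSON.stringify({ query: "{ me { name user_email capabilities { name } } }" }),
  });
  let body = {};
  try {
    body = await res.json();
  } catch {
    // Non-JSON body (proxy error page, etc.): judge on status alone.
  }
  return interpretMeResponse(res.status, body);
}

// Constructed sample of what an administrator token's "me" query could return,
// used to show the least-privilege warning without contacting a server.
const SAMPLE_ADMIN_REPLY = {
  data: { me: { name: "admin", user_email: "admin@opencti.example", capabilities: [{ name: "BYPASS" }] } },
};

console.log(interpretMeResponse(200, SAMPLE_ADMIN_REPLY));
if (process.env.OPENCTI_URL) {
  // Writes the finished mcpServers entry (token included) to stdout; redirect it into your client's config file.
  const entry = buildServerEntry(process.env, "path/to/opencti-server/build/index.js");
  console.log(JSON.stringify({ mcpServers: { opencti: entry } }, null, 2));
}
```

Run it once with OPENCTI_URL and OPENCTI_TOKEN exported, redirect the printed JSON into the client's config file, and call preflight(entry) in the same environment before restarting the client: a 401 tells you the token is wrong before the assistant reports opaque tool failures, and an admin warning tells you to mint a token for a narrower user first.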
    

How to use this MCP inside flows

Using MCP in FlowHunt

To integrate MCP servers into your FlowHunt workflow, start by adding the MCP component to your flow and connecting it to your AI agent:


Click on the MCP component to open the configuration panel. In the system MCP configuration section, insert your MCP server details using this JSON format:

{
  "opencti": {
    "transport": "streamable_http",
    "url": "https://yourmcpserver.example/pathtothemcp/url"
  }
}

Once configured, the AI agent can use this MCP as a tool with access to all of its functions. Replace “opencti” with the actual name of your MCP server and the URL with your own MCP server URL. Note that the client setup steps above start the server as a local stdio process (node build/index.js), whereas this FlowHunt configuration expects a streamable HTTP endpoint: the server must be reachable over HTTPS at that URL, which the steps above do not cover, and because anyone who can reach that endpoint inherits the rights of the OpenCTI token behind it, it must be authenticated and restricted to the networks that need it.


Overview

Section                                           Availability   Details/Notes
Overview                                          Yes            Basic description in README
List of Prompts                                   No             No prompt templates listed
List of Resources                                 No             No explicit MCP resources described
List of Tools                                     No             No specific tool list in documentation
Securing API Keys                                 Yes            Environment variable usage documented
Sampling Support (less important in evaluation)   No             No mention of sampling support

Between the available documentation and code, OpenCTI MCP Server provides a clear overview and robust setup instructions, but lacks explicit details on resources, prompts, tools, and advanced MCP features like sampling or roots configuration.

Our opinion

Based on the evidence, this MCP server provides a good foundation for OpenCTI integration and has solid setup and security practices, but it lacks transparency around MCP-specific features (like tools, resources, prompts, and sampling). As such, we would rate this MCP implementation a 5/10 for overall completeness and usability for LLM integration.

MCP Score

Has a LICENSE           ✅ (MIT)
Has at least one tool   Not determinable from the documentation (see List of Tools)
Number of Forks         10
Number of Stars         18

Frequently asked questions

What is the OpenCTI MCP Server?

The OpenCTI MCP Server enables FlowHunt (and other AI platforms) to access and automate cyber threat intelligence workflows by acting as a bridge between AI agents and the OpenCTI database. It standardizes access to threat intelligence such as malware, indicators of compromise, attack patterns, and user management.

What are the main use cases for this integration?

Key use cases include automated threat intelligence retrieval, SOC tool integration, managing users/groups in OpenCTI, querying STIX objects, and enhancing AI-driven incident response with real-time data from OpenCTI.

Are there any built-in prompt templates or tools in this MCP server?

The documentation does not enumerate any prompt templates, and it does not list the server's MCP tools or their signatures; it describes the server's OpenCTI capabilities only at a high level, so you will need to inspect the code or the client's tool listing to see exactly what is exposed.

How is security handled for API credentials?

API credentials are secured using environment variables. Never hardcode your OpenCTI URL or token directly in configuration files. Always use a .env file or environment management system for sensitive data.

Can I use this MCP server with different MCP clients?

Yes. Besides FlowHunt, the OpenCTI MCP Server can be used from Windsurf, Claude, Cursor, and Cline; specific configuration steps are provided above for each.

What is the overall completeness score for this MCP server?

Based on available documentation and MCP features, this MCP server rates a 5/10 for completeness and transparency, offering robust setup and security but lacking in detailed tool/resource exposure.

Supercharge Your Threat Intelligence with OpenCTI MCP

Deploy the OpenCTI MCP Server with FlowHunt to automate cyber threat intelligence access, enrich LLM responses, and streamline SOC operations. Secure, scalable, and efficient.
