OpenCTI MCP Server Integration

Contact us to host your MCP Server in FlowHunt

FlowHunt provides an additional security layer between your internal systems and AI tools, giving you granular control over which tools are accessible from your MCP servers. MCP servers hosted in our infrastructure can be seamlessly integrated with FlowHunt's chatbot as well as popular AI platforms like ChatGPT, Claude, and various AI editors.

What does “OpenCTI” MCP Server do?

OpenCTI MCP Server is a Model Context Protocol (MCP) server that enables seamless integration with the OpenCTI (Open Cyber Threat Intelligence) platform. By acting as a bridge between AI assistants and the OpenCTI threat intelligence database, it allows AI clients to query, retrieve, and interact with cyber threat intelligence data using a standardized interface. This server facilitates tasks such as searching for malware information, querying indicators of compromise, managing users and groups, and performing file operations. Developers can use it to automate security workflows, enrich LLM outputs with real-time threat data, and streamline access to actionable intelligence within their development and operational environments.

List of Prompts

No prompt templates are listed in the repository or documentation.

List of Resources

No explicit resources are described in the available documentation or repository files.

List of Tools

No specific tools are listed in the documentation or code. The documentation only describes high-level features and API capabilities, but does not enumerate MCP tools or their function signatures.

Use Cases of this MCP Server

  • Threat Intelligence Automation: Automate the retrieval and analysis of the latest threat intelligence reports, indicators of compromise, malware information, and threat actors from OpenCTI, enabling proactive security operations.
  • Security Operations Integration: Integrate with SOC tools to allow AI agents to fetch campaign information, list attack patterns, and provide actionable insights for incident response teams.
  • User and Group Management: Use AI assistants to list and manage users or groups within the OpenCTI instance, supporting administrative workflows and access audits.
  • STIX Object Operations: Query and manipulate STIX objects, such as campaigns and attack patterns, directly from development environments or automated workflows.
  • File and Reference Data Access: Enable AI to interact with files, marking definitions, and labels in OpenCTI, supporting advanced data enrichment and classification tasks.

How to set it up

Windsurf

  1. Prerequisites: Ensure Node.js 16+ is installed and you have access to an OpenCTI instance with a valid API token.
  2. Prepare Environment: Copy .env.example to .env and update with your OpenCTI credentials.
  3. Configure MCP Server: Edit your Windsurf MCP configuration file to add the OpenCTI server:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Save and Restart: Save your configuration and restart the Windsurf client.
  5. Verify: Ensure the MCP server is listed and available in Windsurf.

Claude

  1. Prerequisites: Install Node.js 16+ and obtain OpenCTI API credentials.
  2. Environment Setup: Copy .env.example to .env and fill in your OpenCTI details.
  3. Add MCP Server in Claude: Update MCP settings as follows:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Restart Claude: Save configuration and restart Claude.
  5. Check Connection: Confirm OpenCTI MCP is connected.

Cursor

  1. Prerequisites: Make sure Node.js 16+ is present and you have OpenCTI access.
  2. Configure Environment: Duplicate .env.example as .env and set your OpenCTI URL and token.
  3. Edit Cursor Configuration: Insert the following in your MCP config:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Restart Cursor: Save and restart the application.
  5. Verify: Ensure OpenCTI MCP server is operational in Cursor.

Cline

  1. Prerequisites: Install Node.js 16+ and have OpenCTI instance credentials.
  2. Setup Environment File: Copy .env.example to .env and update with your values.
  3. Configure Cline MCP: Add OpenCTI MCP to your configuration:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
    
  4. Restart Cline: Save configuration and restart Cline.
  5. Validation: Check that OpenCTI MCP appears as expected.

Securing API Keys (applies to all platforms)

  • Always use environment variables to store sensitive API credentials. Example configuration:
    {
      "mcpServers": {
        "opencti": {
          "command": "node",
          "args": ["path/to/opencti-server/build/index.js"],
          "env": {
            "OPENCTI_URL": "${OPENCTI_URL}",
            "OPENCTI_TOKEN": "${OPENCTI_TOKEN}"
          }
        }
      }
    }
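
A pre-commit style check for the configuration above, added here as an illustration (it is not code from the OpenCTI MCP project or from FlowHunt). The function name `auditMcpConfig` is hypothetical, and it assumes `${NAME}` is the only reference form and that any `env` key containing TOKEN, SECRET, PASSWORD or API_KEY holds a credential. Whether a given MCP client expands `${NAME}` itself is also an assumption to confirm per client.

```javascript
// Added example (not from the OpenCTI MCP project): audit an MCP client
// config so that credentials are referenced, never pasted inline.
const REF = /^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$/;       // "${NAME}" form used on this page
const SECRET_KEY = /TOKEN|SECRET|PASSWORD|API_?KEY/i;  // env keys treated as credentials (assumption)
const URL_KEY = /URL$/i;

function auditMcpConfig(config, environment) {
  const findings = [];
  const servers = (config && config.mcpServers) || {};
  for (const [server, def] of Object.entries(servers)) {
    for (const [key, raw] of Object.entries((def && def.env) || {})) {
      const value = String(raw);
      const ref = REF.exec(value);
      const add = (issue) => findings.push({ server, key, issue });
      if (!ref && SECRET_KEY.test(key)) {
        add('inline-secret');          // literal credential stored in the config file
        continue;
      }
      const resolved = ref ? environment[ref[1]] : value;
      if (resolved === undefined || resolved === '') {
        add('unset-variable');         // server would start without a URL or token
        continue;
      }
      if (URL_KEY.test(key) && !/^https:\/\//i.test(resolved)) {
        add('non-https-url');          // API token would cross the network in cleartext
      }
    }
  }
  return findings;
}

// Constructed sample inputs; host names and the token are placeholders.
const envBlock = (OPENCTI_URL, OPENCTI_TOKEN) => ({ OPENCTI_URL, OPENCTI_TOKEN });
const entry = (vars) => ({
  mcpServers: {
    opencti: { command: 'node', args: ['path/to/opencti-server/build/index.js'], env: vars },
  },
});
const referenced = entry(envBlock('${OPENCTI_URL}', '${OPENCTI_TOKEN}'));
const pasted = entry(envBlock('http://opencti.internal.example:8080', 'PLACEHOLDER-NOT-A-REAL-TOKEN'));
const shellEnv = { OPENCTI_URL: 'https://opencti.internal.example' }; // OPENCTI_TOKEN not exported

// Only server, key and issue type are reported; values are never echoed.
console.log(auditMcpConfig(referenced, shellEnv));
console.log(auditMcpConfig(pasted, {}));
```

In real use, pass the parsed client configuration and `process.env`, and fail the commit or deployment step when the returned list is not empty.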
    

How to use this MCP inside flows

Using MCP in FlowHunt

To integrate MCP servers into your FlowHunt workflow, start by adding the MCP component to your flow and connecting it to your AI agent.

Click on the MCP component to open the configuration panel. In the system MCP configuration section, insert your MCP server details using this JSON format:

{
  "opencti": {
    "transport": "streamable_http",
    "url": "https://yourmcpserver.example/pathtothemcp/url"
  }
}

Once configured, the AI agent can use this MCP as a tool with access to all its functions and capabilities. Remember to change “opencti” to the actual name of your MCP server and replace the URL with your own MCP server URL.


Overview

| Section | Availability | Details/Notes |
|---|---|---|
| Overview | | Basic description in README |
| List of Prompts | | No prompt templates listed |
| List of Resources | | No explicit MCP resources described |
| List of Tools | | No specific tool list in documentation |
| Securing API Keys | | Environment variable usage documented |
| Sampling Support (less important in evaluation) | | No mention of sampling support |

Between the available documentation and code, OpenCTI MCP Server provides a clear overview and robust setup instructions, but lacks explicit details on resources, prompts, tools, and advanced MCP features like sampling or roots configuration.

Our opinion

Based on the evidence, this MCP server provides a good foundation for OpenCTI integration and has solid setup and security practices, but it lacks transparency around MCP-specific features (like tools, resources, prompts, and sampling). As such, we would rate this MCP implementation a 5/10 for overall completeness and usability for LLM integration.

MCP Score

| Has a LICENSE | ✅ (MIT) |
| Has at least one tool | |
| Number of Forks | 10 |
| Number of Stars | 18 |
