MCP server exposing the OpenCTI threat-intelligence platform to AI assistants.
Project description
OpenCTI MCP Server
A Model Context Protocol server that exposes OpenCTI, the open-source threat-intelligence platform, to AI assistants. Built on the official pycti client, it registers 45 typed tools (91 when writes are enabled) across 15 threat-intel domains — indicators, observables, reports, malware, threat actors, intrusion sets, campaigns, attack patterns, tools, vulnerabilities, incidents, cases, relationships, identities, and labels/markings — plus platform/operations tools (connectors, users, groups, files), STIX bundle import/export, a graphql_query escape-hatch, and cross-cutting search/relationship/observable-lookup tools for anything the typed per-domain tools don't cover.
[!IMPORTANT] This is an unofficial, community-maintained project. It is not affiliated with, endorsed by, or supported by Filigran or the OpenCTI project.
[!WARNING] Ships read-only by default. With the default configuration, only list/get/query tools are registered and
graphql_queryrejects mutations. SettingOPENCTI_READ_ONLY=falseexposes*_create,*_update, and the destructive*_deletetools, and letsgraphql_queryrun mutations. Only enable writes with a least-privilege OpenCTI API token, and understand that an assistant with write access can create, modify, and permanently delete intelligence data in your instance.
Tools
| Domain | Reads | Writes | Notable tools |
|---|---|---|---|
| Indicators | 2 | 3 | indicators_list, indicators_get, indicators_create |
| Observables | 2 | 3 | observables_list, observables_get, observables_create |
| Reports | 2 | 3 | reports_list, reports_get, reports_create |
| Malware | 2 | 3 | malware_list, malware_get, malware_create |
| Threat actors | 2 | 3 | threat_actors_list, threat_actors_get, threat_actors_create |
| Intrusion sets | 2 | 3 | intrusion_sets_list, intrusion_sets_get, intrusion_sets_create |
| Campaigns | 2 | 3 | campaigns_list, campaigns_get, campaigns_create |
| Attack patterns | 2 | 3 | attack_patterns_list, attack_patterns_get, attack_patterns_create |
| Tools | 2 | 3 | tools_list, tools_get, tools_create |
| Vulnerabilities | 2 | 3 | vulnerabilities_list, vulnerabilities_get, vulnerabilities_create |
| Incidents | 2 | 3 | incidents_list, incidents_get, incidents_create |
| Cases | 2 | 3 | cases_list, cases_get, cases_create |
| Relationships | 2 | 3 | relationships_list, relationships_get, relationships_create |
| Identities | 2 | 2 | identities_list, identities_get, identities_create (organizations/individuals/systems/sectors), identities_delete |
| Labels & markings | 4 | 3 | labels_list, labels_create, markings_list, markings_get |
Every domain also has an _update and _delete tool once writes are enabled (markings are read-only; identities has _create/_delete but no _update). In addition, graphql_query runs a raw GraphQL query/mutation against the OpenCTI API for anything not covered by a typed tool above — reads always work, mutations are rejected unless OPENCTI_READ_ONLY=false. See docs/ENDPOINTS.md for the full tool-to-pycti-call mapping.
Every *_list tool also accepts order_by (a field name, e.g. "created_at") and descending (default true), so order_by="created_at" gives most-recent-first without any extra filtering.
observables_create also accepts StixFile.* observable keys (normalized to File.*), coerces Autonomous-System.number values to an integer, and takes an optional additional_hashes param (a list of "ALGO:VALUE" entries, e.g. "SHA-1:...") to attach extra hashes to a file observable alongside the primary one.
Cross-cutting read tools
search_all(query, types?, first?)— full-text search across all STIX object types at once, optionally restricted to specifictypes.relationships_for_entity(entity_id, relationship_type?, first?)— lists relationships touching an entity as either source or target, e.g. "what is related to X".observables_by_value(value, first?)— exact-value lookup for an observable (IP, domain, URL, hash, etc.) without knowing its id.
Platform & operations
connectors_list/connectors_get(connector_id)— list connectors and check one's status/health (active, state, queue details).users_list/users_get(id)— list/get OpenCTI users.groups_list/groups_get(id)— list/get OpenCTI groups.files_for_entity(entity_id)— list files/attachments on an entity.stix_export_entity(entity_type, entity_id, mode?)/stix_export_list(entity_type, first=25, mode?)— export a single entity, or up tofirstentities of a type (max 500), as a STIX 2 bundle; large exports are capped byfirst, and if the bundle is still too large a small note (_note,entity_type,first,object_count) is returned instead.stix_import_bundle(bundle_json, update?)— write, requiresOPENCTI_READ_ONLY=false— bulk create/update entities and relationships from a STIX bundle.entity_ask_enrichment(entity_id, connector_id)— write, requiresOPENCTI_READ_ONLY=false— trigger a connector to enrich an entity.
Two related capabilities are intentionally not exposed as typed tools and remain available via graphql_query: OpenCTI status templates, and connector start/stop/reset (pycti exposes no dedicated method for either).
Bundled skill
A Claude Skill lives at skills/opencti-usage/ that teaches an AI agent OpenCTI's model — the STIX data model, entity types, indicators vs observables, relationships, containers, TLP markings, confidence, connectors, and RBAC — and maps each concept to the right MCP tool above. An agent operating the opencti tools loads this skill to understand the platform before creating, relating, or reasoning about OpenCTI data.
skills/opencti-usage/SKILL.mdis the entry point; thereferences/folder holds the per-topic detail.- The content is distilled from the official OpenCTI docs (
docs.opencti.io/latest), distilled 2026-07-10. Each reference file has a## Sourcelink back to the docs it was drawn from, so it can be refreshed later.
Quick start
Install
git clone https://github.com/Space-C0wboy/OpenCTI-MCP-Server.git
cd OpenCTI-MCP-Server
uv venv
uv pip install -e ".[dev]"
Or with plain pip:
pip install -e .
Get an API token
In OpenCTI, open your profile menu → API access, then copy your personal access token.
Configuration
Configuration is read from environment variables, or from a .env file in the working directory (either a standard KEY=value dotenv file or a JSON-style fragment). OS environment variables always take precedence over the file.
| Variable | Required | Default | Description |
|---|---|---|---|
OPENCTI_URL |
Yes | — | Base URL of your OpenCTI instance |
OPENCTI_TOKEN |
Yes | — | OpenCTI API token |
OPENCTI_READ_ONLY |
No | true |
When true, hides all write tools and blocks mutations |
OPENCTI_TIMEOUT |
No | 30 |
Request timeout in seconds |
OPENCTI_SSL_VERIFY |
No | true |
Verify TLS certificates |
LOG_LEVEL |
No | INFO |
Logging verbosity |
MCP_HTTP_HOST |
No | 127.0.0.1 |
Bind host when using --transport http |
MCP_HTTP_PORT |
No | 8765 |
Bind port when using --transport http |
Run
Stdio (default, for editor/IDE integrations):
uv run opencti-mcp
HTTP transport:
uv run opencti-mcp --transport http --host 127.0.0.1 --port 8765
Read-only mode
OPENCTI_READ_ONLY defaults to true. In read-only mode, only list/get tools and markings_list/markings_get are registered — no *_create, *_update, or *_delete tool is available for any domain, and graphql_query raises an error if the query document contains a mutation. Set OPENCTI_READ_ONLY=false to register the write tools and allow graphql_query to run mutations.
Editor integration
Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"opencti": {
"command": "uv",
"args": ["--directory", "/absolute/path/to/OpenCTI-MCP-Server", "run", "opencti-mcp"],
"env": {
"OPENCTI_URL": "https://your-opencti-instance.example.com/",
"OPENCTI_TOKEN": "your-api-token"
}
}
}
}
Claude Code
claude mcp add opencti -- uv --directory /absolute/path/to/OpenCTI-MCP-Server run opencti-mcp
Example prompts
- "List the 10 most recent indicators."
- "Search reports mentioning 'Emotet'."
- "Show me the MITRE ATT&CK technique T1059."
- "Create an IPv4 observable for 1.2.3.4." (requires
OPENCTI_READ_ONLY=false) - "Which threat actors are linked to intrusion set APT29?"
- "Get the full detail on case CASE-ID, including its labels and markings."
- "What are the 10 most recent reports?"
- "Is 1.2.3.4 in OpenCTI?"
- "What is this threat actor related to?"
- "Search across everything for 'Emotet'."
- "Are our OpenCTI connectors healthy?"
- "Export this report as a STIX bundle."
- "List the groups in OpenCTI."
- "Add the victim organization 'Acme Corp' to OpenCTI." (requires
OPENCTI_READ_ONLY=false) - "Create an individual identity for John Doe with a description."
Development
uv run pytest
uv run ruff check .
License
MIT — see LICENSE.
Support
This is a community-maintained project provided as-is, with no guaranteed support SLA. Issues and pull requests are welcome.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file opencti_mcp-0.1.0.tar.gz.
File metadata
- Download URL: opencti_mcp-0.1.0.tar.gz
- Upload date:
- Size: 202.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8e22bf52d80be5c2cf029d7eee3c8983c62bcb698a5f94bbaf0d3fe17c105030
|
|
| MD5 |
1c1e3f729367b675ceb5dafe77d7a9fe
|
|
| BLAKE2b-256 |
78c957f9b1c517b4d189c8b35df52992809aab1f20db791cf43f3b2d31c93fcd
|
Provenance
The following attestation bundles were made for opencti_mcp-0.1.0.tar.gz:
Publisher:
publish.yml on Space-C0wboy/OpenCTI-MCP-Server
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
opencti_mcp-0.1.0.tar.gz -
Subject digest:
8e22bf52d80be5c2cf029d7eee3c8983c62bcb698a5f94bbaf0d3fe17c105030 - Sigstore transparency entry: 2170286781
- Sigstore integration time:
-
Permalink:
Space-C0wboy/OpenCTI-MCP-Server@13d66f71e634267b647e21305a324dcd25d2efb3 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/Space-C0wboy
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@13d66f71e634267b647e21305a324dcd25d2efb3 -
Trigger Event:
release
-
Statement type:
File details
Details for the file opencti_mcp-0.1.0-py3-none-any.whl.
File metadata
- Download URL: opencti_mcp-0.1.0-py3-none-any.whl
- Upload date:
- Size: 27.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
efe8428210adc549b4a8b33f8089a30daa16d038ceebc20bc480fa98c6853dae
|
|
| MD5 |
92f4c5e68f91149c9023173e552082c8
|
|
| BLAKE2b-256 |
ecf1c08cfe8bbec3d65d10b7e0c23aabb8216e4d056e049112688cec2b957488
|
Provenance
The following attestation bundles were made for opencti_mcp-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on Space-C0wboy/OpenCTI-MCP-Server
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
opencti_mcp-0.1.0-py3-none-any.whl -
Subject digest:
efe8428210adc549b4a8b33f8089a30daa16d038ceebc20bc480fa98c6853dae - Sigstore transparency entry: 2170287052
- Sigstore integration time:
-
Permalink:
Space-C0wboy/OpenCTI-MCP-Server@13d66f71e634267b647e21305a324dcd25d2efb3 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/Space-C0wboy
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@13d66f71e634267b647e21305a324dcd25d2efb3 -
Trigger Event:
release
-
Statement type: