Server data from the Official MCP Registry
Threadlinqs threat-intelligence MCP — 49 tools: threats, detections, IOCs, actors, C2, MITRE, CVEs
Threadlinqs threat-intelligence MCP — 49 tools: threats, detections, IOCs, actors, C2, MITRE, CVEs
Valid MCP server (2 strong, 3 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.
4 files analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: THREADLINQS_API_KEY
Environment variable: THREADLINQS_API_URL
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-threadlinqs-cmd-intelthreadlinqs-mcp": {
"env": {
"THREADLINQS_API_KEY": "your-threadlinqs-api-key-here",
"THREADLINQS_API_URL": "your-threadlinqs-api-url-here"
},
"args": [
"-y",
"intelthreadlinqs-mcp"
],
"command": "npx"
}
}
}From the project's GitHub README.
MCP server for Threadlinqs Intelligence — 49 tools across threat intelligence, detections, IOCs, threat actors, MITRE attack-chains, C2 infrastructure, and Purple-tier composite intelligence. Drop-in for Claude Code, Claude Desktop, Cursor, and any MCP-compatible client.
# No install needed — npx will fetch it
npx -y intelthreadlinqs-mcp
claude mcp add threadlinqs-intel \
-e THREADLINQS_API_KEY=tl_your_key_here \
-- npx -y intelthreadlinqs-mcp
The -e THREADLINQS_API_KEY is required. The Threadlinqs Intelligence MCP server is a Purple-tier feature — it verifies your key is Purple or Gold (tier ≥ 3) at startup and refuses to start otherwise. There is no free or anonymous mode.
~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"threadlinqs-intel": {
"command": "npx",
"args": ["-y", "intelthreadlinqs-mcp"],
"env": {
"THREADLINQS_API_KEY": "tl_your_key_here"
}
}
}
}
.cursor/mcp.json:
{
"mcpServers": {
"threadlinqs-intel": {
"command": "npx",
"args": ["-y", "intelthreadlinqs-mcp"],
"env": {
"THREADLINQS_API_KEY": "tl_your_key_here"
}
}
}
}
.vscode/mcp.json:
{
"servers": {
"threadlinqs-intel": {
"type": "stdio",
"command": "npx",
"args": ["-y", "intelthreadlinqs-mcp"],
"env": {
"THREADLINQS_API_KEY": "tl_your_key_here"
}
}
}
}
Sign up at intel.threadlinqs.com, verify your email, and head to Profile → API Key. New accounts get a 7-day Purple-tier free trial that unlocks all 49 tools.
The MCP server is a Purple-tier feature: all 49 tools require a Purple or Gold subscription (tier ≥ 3). The server verifies your key's tier at startup and refuses to run otherwise — there is no free or anonymous mode.
| Tier | Price | MCP access |
|---|---|---|
| Purple | $11.99/mo | ✅ All 49 tools |
| Gold | Custom | ✅ All 49 tools (enterprise — contact sales) |
| Lower tiers | — | ❌ No MCP access (the public website + REST API keep their own free Blue tier) |
New accounts get a 7-day Purple-tier free trial that unlocks all 49 tools. Tool calls also enforce the tier server-side and return a structured 403 if your subscription lapses.
The composite tools are the reason most people upgrade to Purple — each one replaces 5–7 single-purpose MCP calls.
get_threat_hunting_bundle ⭐Input: threat_id (e.g. "TL-2026-0599")
Returns: complete hunt dossier in one shot — threat metadata, full IOC list, SPL/KQL/Sigma detection queries, similar threats, simulation commands, and cross-threat infrastructure pivots. The single most useful tool in the platform.
get_actor_intelligenceInput: actor name (e.g. "Lazarus Group", "APT29")
Returns: comprehensive adversary picture — actor profile, attributed threats, MITRE techniques, IOCs (200 cap), detection rules (100 cap), activity timeline, active C2 infrastructure correlated to the actor, and cross-actor shared entities.
get_ioc_intelligenceInput: ioc_value (IP, domain, hash, URL)
Returns: every threat that touches the IOC + actor attribution + DNS enrichment trail + cross-IOC infrastructure pivots + consensus confidence score across 7 external feeds (Pulsedive, GreyNoise, YARAify, MalwareBazaar, URLScan, VxVault, OpenPhish). The "I found this in a log — tell me everything" workflow.
get_cve_intelligenceInput: cve_id (e.g. "CVE-2024-3400")
Returns: CVE detail + linked threats + EPSS exploitation velocity + KEV status + detection coverage % + available attack simulations + first-weaponization timeline.
get_mitre_gap_analysisInput: optional tactic filter, limit
Returns: prioritized list of MITRE techniques without detection coverage, sorted by debt score (threat exposure + KEV count + EPSS). Each entry includes example threats and recommended detection types. Answers "what should I write detections for next?"
predict_attack_pathInput: technique_id (e.g. "T1566"), top_n, direction (forward | reverse)
Returns: ranked next-technique predictions with probability and observation count, plus example threats showing the chain. Built from 4,271 observed transitions across the corpus.
generate_c2_blocklistInput: optional framework, since_days (default 30, max 365), format (cidr | hosts | plain)
Returns: firewall-ready blocklist of active C2 IPs with country, ASN, version, watermark, and last-seen metadata. Currently tracking Cobalt Strike beacons; framework filter is forward-compatible.
search_actors — Find threat actors by name, alias, nation-state, or motivation.get_actor_profile — Full actor dossier in a single call.get_similar_threats — Precomputed-similarity matches by shared TTPs, IOC overlap, and same-actor attribution.For the complete list of 49 tools with parameters and example invocations, see the interactive MCP documentation page.
THREADLINQS_API_KEY environment variable (Bearer token to the worker API)@modelcontextprotocol/sdk@^1.26.0MIT © Threadlinqs
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.