opencti-mcp-server

skybersec/opencti-mcp-server


OpenCTI MCP Server


ALPHA RELEASE - v1.0.6
This project is in active development. Core functionality is working but not all operations have been fully tested. Use at your own risk in production environments.

DISCLAIMER: This software is provided "as is", without warranty of any kind. The authors are not responsible for any damage or data loss that may occur from using this software. Always test thoroughly in a development environment before using with production OpenCTI instances.

A comprehensive Model Context Protocol (MCP) server for OpenCTI, enabling AI assistants to interact with threat intelligence data.

npm package: @skybersec/opencti-mcp

Development Status

  • Version: 1.0.6-alpha
  • Stability: Alpha - Core functionality working
  • Testing: Limited - community testing appreciated
  • Claude Integration: ✅ Fully working with Claude Code CLI
  • Production Ready: Not recommended for production use yet

Features

  • 50+ Tools: Cover OpenCTI's entity, observable, indicator, report and analytics operations (not all tested)
  • Full CRUD Operations: Create, read, update, and delete entities (read operations most stable)
  • Advanced Analytics: Threat hunting and impact assessment
  • STIX Support: Full STIX 2.1 compliance
  • Real-time Operations: Live streams and subscriptions (experimental)
  • Multiple Transports: stdio and HTTP support

Quick Start

Prerequisites

  • Node.js 20+
  • Running OpenCTI instance (v6.0+)
  • OpenCTI API token (get from OpenCTI: Settings → Security → API Access)
  • Claude Desktop or Claude Code (Terminal) installed

Installation for Claude Code

Method 1: One-Line Install with NPX (Recommended)
claude mcp add opencti npx "@skybersec/opencti-mcp@alpha" \
  -e "OPENCTI_URL=http://localhost:8080" \
  -e "OPENCTI_TOKEN=your-api-token-here"

Replace your-api-token-here with your actual OpenCTI API token. Passing the token on the command line records it in your shell history and shows it in the process list while the command runs, so clear it from history afterwards. The token also carries every permission of the OpenCTI user it belongs to, including whatever the delete tools need, so create a dedicated OpenCTI user with the narrowest role that covers what you expect the assistant to do and use that user's token.

Method 2: Global Install (Faster Startup)
# Install globally
npm install -g @skybersec/opencti-mcp@alpha

# Add to Claude Code
claude mcp add opencti opencti-mcp \
  -e "OPENCTI_URL=http://localhost:8080" \
  -e "OPENCTI_TOKEN=your-api-token-here"
Method 3: Local Development
# Clone and build locally
git clone https://github.com/skybersec/opencti-mcp-server.git
cd opencti-mcp-server
npm install
npm run build

# Add to Claude
claude mcp add opencti node "$(pwd)/dist/stdio.js" \
  -e "OPENCTI_URL=http://localhost:8080" \
  -e "OPENCTI_TOKEN=your-api-token-here"
Verify Installation

After installation, verify the connection:

claude mcp list

You should see:

opencti: npx @skybersec/opencti-mcp@alpha - ✓ Connected
Method 4: Docker (Isolated Environment)
# Pull from Docker Hub and use with Claude
claude mcp add opencti docker -- run -i --rm \
  -e OPENCTI_URL=http://host.docker.internal:8080 \
  -e OPENCTI_TOKEN=your-api-token-here \
  skybersec/opencti-mcp:latest

Note: Use host.docker.internal instead of localhost when OpenCTI is running on your host machine. Docker Desktop resolves that name for you; on Linux Docker Engine add --add-host=host.docker.internal:host-gateway to the docker run arguments so the container can reach the host.

Configuration

Create a .env file with:

OPENCTI_URL=http://localhost:8080
OPENCTI_TOKEN=your-api-token-here

Get your API token from OpenCTI: Settings → Security → API Access. The file holds a bearer token, so keep it out of version control and readable only by your user (chmod 600 .env).

All Installation Methods

Note: Methods 1-4 register the server with Claude Code and write its configuration for you. Methods 5 and 6 require editing the client's configuration file by hand (Claude Desktop's claude_desktop_config.json and ~/.claude/mcp.json respectively).

Method 1: Claude Code - One Command (Recommended)

# Direct installation with npx (no install needed)
claude mcp add opencti npx @skybersec/opencti-mcp -e "OPENCTI_URL=http://localhost:8080" -e "OPENCTI_TOKEN=your-api-token-here"

Pros: No installation required, always uses the latest published version
Cons: Downloads the package each time (slower startup). Because the package spec carries no version, every launch runs whatever npm currently resolves for it, and a dist-tag such as @alpha can be moved to a different build at any time; pin an exact version (the one shown on this page) if you want reproducible, reviewable behaviour.

Method 2: Interactive Setup

# Run interactive setup wizard
npx @skybersec/opencti-mcp setup

Pros: Guided setup, automatic configuration, connection testing
Cons: Requires manual input

Method 3: Global npm Install

# Step 1: Install globally
npm install -g @skybersec/opencti-mcp

# Step 2: Add to Claude Code
claude mcp add opencti node "$(npm root -g)/@skybersec/opencti-mcp/dist/index.js" -e "OPENCTI_URL=http://localhost:8080" -e "OPENCTI_TOKEN=your-api-token-here"

Pros: Faster startup, version control
Cons: Requires global npm install

Method 4: From Source (Development)

# Clone repository
git clone https://github.com/skybersec/opencti-mcp-server.git
cd opencti-mcp-server

# Install and build
npm install
npm run build

# Add to Claude Code
claude mcp add opencti node "$(pwd)/dist/index.js" -e "OPENCTI_URL=http://localhost:8080" -e "OPENCTI_TOKEN=your-api-token-here"

Pros: Latest development version, can modify code
Cons: Requires build step, manual updates

Method 5: Claude Desktop

Edit your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "opencti": {
      "command": "npx",
      "args": ["@skybersec/opencti-mcp"],
      "env": {
        "OPENCTI_URL": "http://localhost:8080",
        "OPENCTI_TOKEN": "your-api-token-here"
      }
    }
  }
}

Method 6: Manual Configuration

Edit ~/.claude/mcp.json directly:

{
  "servers": {
    "opencti": {
      "command": "npx",
      "args": ["@skybersec/opencti-mcp"],
      "env": {
        "OPENCTI_URL": "http://localhost:8080",
        "OPENCTI_TOKEN": "your-api-token-here",
        "MCP_TRANSPORT": "stdio"
      }
    }
  }
}

Available Tools

Entity Management

  • opencti.entity.search - Search entities
  • opencti.entity.get - Get entity details
  • opencti.entity.create - Create entities
  • opencti.entity.update - Update entities
  • opencti.entity.delete - Delete entities

Observables & Indicators

  • opencti.observable.create - Create observables
  • opencti.observable.search - Search observables
  • opencti.observable.enrich - Enrich with external data

Analysis & Reports

  • opencti.report.create - Create reports
  • opencti.analysis.run - Run analysis
  • opencti.stats.get - Get statistics

And 40+ more tools...

See the project's tool documentation for the complete list.

Docker Support

Docker Image

The OpenCTI MCP Server is available on Docker Hub:

# Pull the latest image
docker pull skybersec/opencti-mcp:latest

# Or pull a specific version
docker pull skybersec/opencti-mcp:1.0.6-alpha

Running with Docker

# Test the server directly
echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}},"id":1}' | \
docker run -i --rm \
  -e OPENCTI_URL=http://host.docker.internal:8080 \
  -e OPENCTI_TOKEN=your-api-token \
  skybersec/opencti-mcp:latest

# Use with Claude CLI
claude mcp add opencti docker -- run -i --rm \
  -e OPENCTI_URL=http://host.docker.internal:8080 \
  -e OPENCTI_TOKEN=your-api-token \
  skybersec/opencti-mcp:latest

Building from Source

# Clone the repository
git clone https://github.com/skybersec/opencti-mcp-server.git
cd opencti-mcp-server

# Build the Docker image locally
docker build -t opencti-mcp .

Populating OpenCTI with Real Data

Quick Start - Import Threat Intelligence

cd connectors
./quick-start.sh

This imports real threat data from:

  • CISA Known Exploited Vulnerabilities
  • URLhaus Malicious URLs
  • AbuseIPDB IP Blacklist (optional)

See the connectors documentation for detailed setup.

Testing

Important: Test data seeding is available but MUST NOT be used on production instances.

Safe testing commands:

# Test connection (read-only)
npm run test:connection

# List available tools
npm run list-tools

# Test queries (read-only)
npm run test:query

See the testing documentation for detailed guidelines and warnings about test data.

Development

# Run in development mode
npm run dev

# Run tests
npm test

# Lint code
npm run lint

# Type check
npm run typecheck

Documentation

  • Detailed setup instructions
  • Complete tool reference
  • Platform integration guides
  • Contribution guidelines

Known Limitations

  • Some entity types may require additional fields based on OpenCTI version
  • HTTP transport is experimental (stdio recommended)
  • Performance with large datasets has not been optimized
  • Some complex relationship types may need manual creation
  • Enrichment connectors require separate configuration

Contributing

As this is an alpha release, we welcome:

  • Bug reports and issues
  • Pull requests with fixes
  • Testing feedback
  • Documentation improvements

Please test thoroughly in a development environment before using with production data.

License

MIT - see the repository's license file

Warranty Disclaimer

THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK: This software is in alpha stage and may contain bugs that could potentially affect your OpenCTI instance. Always backup your data and test in a non-production environment first.

Support

Author

Created by skybersec

Acknowledgments