OpenCTI MCP Server

MCP server for OpenCTI — an open-source threat intelligence platform for storing, analyzing, and sharing cyber threat intelligence. Enables AI agents to query threat indicators, retrieve threat actor profiles, search IOCs (Indicators of Compromise), and interact with OpenCTI's knowledge graph for AI-assisted threat analysis and SOC workflows.

Evaluated Mar 07, 2026 (0d ago) vcurrent
Security opencti threat-intelligence cti security ioc mcp-server authorized-use
  • ⚙ Agent Friendliness: 70 / 100 (Can an agent use this?)
  • 🔒 Security: 82 / 100 (Is it safe for agents?)
  • ⚡ Reliability: 71 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: 68
  • Documentation: 68
  • Error Messages: 65
  • Auth Simplicity: 78
  • Rate Limits: 72

🔒 Security

  • TLS Enforcement: 90
  • Auth Strength: 85
  • Scope Granularity: 80
  • Dep. Hygiene: 72
  • Secret Handling: 82

Handles sensitive CTI data, including attribution data. Access uses an API token over HTTPS. Use least-privilege roles.

⚡ Reliability

  • Uptime/SLA: 75
  • Version Stability: 70
  • Breaking Changes: 68
  • Error Recovery: 70

Best When

A security team using OpenCTI for threat intelligence management wants AI agents to query CTI data, retrieve threat indicators, and assist with automated threat analysis during SOC investigations.

Avoid When

You use other TI platforms (MISP, ThreatConnect, Recorded Future). This is a community tool, not an official Filigran integration. Also, CTI data is sensitive: implement proper access controls.

Use Cases

  • Querying threat intelligence indicators from AI SOC analysis agents
  • Retrieving threat actor TTPs from threat hunting agents
  • Searching IOCs and malware signatures from incident response agents
  • Integrating OpenCTI CTI data into AI-driven security operations workflows

Not For

  • Teams without OpenCTI deployed
  • Non-security use cases (CTI-specific platform)
  • Real-time threat blocking (CTI is for intelligence, not prevention)

Interface

  • REST API: Yes
  • GraphQL: Yes
  • gRPC: No
  • MCP Server: Yes
  • SDK: No
  • Webhooks: No

Authentication

Methods: api_key
OAuth: No
Scopes: No

An OpenCTI API token is required; generate it in the OpenCTI user profile. Use least-privilege roles for agent access.

Pricing

Model: freemium
Free tier: Yes
Requires CC: No

OpenCTI Community Edition is free and open source. The MCP server is a community tool. Enterprise Filigran has support.

Agent Metadata

  • Pagination: cursor
  • Idempotent: Full
  • Retry Guidance: Not documented

Known Gotchas

  • OpenCTI uses a GraphQL API; ensure the MCP server handles GraphQL query construction correctly
  • CTI data sensitivity: threat indicators are security-sensitive, so restrict agent access carefully
  • Community tool (CooperCyberCoffee), not an official Filigran integration
  • OpenCTI data quality depends on your TI feeds and team curation — garbage in, garbage out

Scores are editorial opinions as of 2026-03-07.
