# Cyber Threat Intelligence MCP — CVE, EPSS & Phishing (`ntriqpro/cyber-threat-intelligence-mcp`) Actor Claude MCP server: 7 cybersecurity tools. CVE search (NVD), CISA KEV alerts, EPSS exploit prediction, multi-factor CVE prioritization, phishing detection, domain trust scoring, brand monitoring. Free US government data. No API keys needed. - **URL**: https://apify.com/ntriqpro/cyber-threat-intelligence-mcp.md - **Developed by:** [daehwan kim](https://apify.com/ntriqpro) (community) - **Categories:** AI, Business, Automation - **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per event + usage This Actor is paid per event and usage. You are charged both the fixed price for specific events and for Apify platform usage. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Cyber Threat Intelligence MCP Server All-in-one cybersecurity threat intelligence for AI agents. 7 tools covering vulnerability management, exploit prediction, phishing detection, and brand protection — powered by free US government data sources. ### Tools | Tool | Description | Data Source | Price | |------|-------------|-------------|-------| | `search_cve` | Search CVE vulnerabilities by keyword | NIST NVD | $0.03 | | `cisa_kev_alerts` | Known exploited vulnerabilities with deadlines | CISA KEV | $0.03 | | `epss_score` | Exploit prediction probability (30-day window) | FIRST EPSS | $0.03 | | `prioritize_cves` | Multi-factor CVE risk ranking | NVD + CISA + EPSS | $0.05 | | `phishing_detect` | URL/domain phishing analysis | DNS/SSL analysis | $0.05 | | `domain_trust` | Domain trustworthiness score (0-100) | DNS/SPF/DKIM/DMARC | $0.05 | | `brand_monitor` | Find lookalike domains targeting a brand | DNS + typosquat gen | $0.10 | ### Use Cases - **Vulnerability Management**: Search NVD, check CISA KEV status, get EPSS exploit probability, prioritize patches - **Threat Intelligence**: Monitor actively exploited CVEs, track ransomware-linked vulnerabilities - **Anti-Phishing**: Detect phishing URLs, verify domain trust, monitor brand impersonation - **Compliance**: CISA BOD 22-01 compliance (KEV remediation deadlines), vendor risk assessment ### Claude Desktop MCP Setup ```json { "mcpServers": { "cyber-threat-intel": { "type": "sse", "url": "https://ntriqpro--cyber-threat-intelligence-mcp.apify.actor?token=YOUR_APIFY_TOKEN" } } } ```` ### Example Queries **Search for Log4j vulnerabilities:** ``` Tool: search_cve Input: { "keyword": "apache log4j", "severity": "CRITICAL" } ``` **Check CISA actively exploited CVEs (last 7 days):** ``` Tool: cisa_kev_alerts Input: { "days": 7 } ``` **Get exploit prediction for a CVE:** ``` Tool: epss_score Input: { "cveId": "CVE-2021-44228" } ``` **Prioritize a list of CVEs:** ``` Tool: prioritize_cves Input: { "cveIds": "CVE-2021-44228,CVE-2023-44487,CVE-2024-3094" } ``` **Check if a URL is phishing:** ``` Tool: phishing_detect Input: { "url": "https://paypa1-secure.com/login" } ``` **Check domain trustworthiness:** ``` Tool: domain_trust Input: { "domain": "example.com" } ``` **Monitor brand impersonation:** ``` Tool: brand_monitor Input: { "brand_domain": "stripe.com", "limit": 10 } ``` ### Data Sources All data comes from free, publicly available government and non-profit sources: - **NIST NVD** (National Vulnerability Database) — CVE details, CVSS scores - **CISA KEV** (Known Exploited Vulnerabilities) — Confirmed in-the-wild exploits - **FIRST EPSS** (Exploit Prediction Scoring System) — ML-based exploit probability - **DNS/SSL** — Domain infrastructure analysis (built-in, no external API) No API keys required. No rate-limited commercial APIs. ### Prioritization Scoring The `prioritize_cves` tool uses a multi-factor scoring model: ``` Priority Score = (CVSS × 0.3) + (EPSS × 10 × 0.3) + KEV bonus (+3) + Ransomware bonus (+1) CRITICAL: score ≥ 6 | HIGH: score ≥ 4 | MEDIUM: score ≥ 2 | LOW: < 2 ``` ### Legal Disclaimer This tool provides cybersecurity intelligence for **informational and defensive purposes only**. Results should be used as part of a comprehensive security program, not as the sole basis for security decisions. The data is sourced from public government databases and may not reflect the most recent updates. No warranty is provided regarding the completeness or accuracy of the information. Users are responsible for verifying results and complying with applicable laws and regulations. **Not a substitute for professional security assessment.** Always consult qualified cybersecurity professionals for critical decisions. # Actor input Schema ## `tool` (type: `string`): Tool to test: search\_cve, cisa\_kev\_alerts, epss\_score, prioritize\_cves, phishing\_detect, domain\_trust, brand\_monitor ## `keyword` (type: `string`): Search keyword for search\_cve (e.g., 'apache log4j', 'windows smb') ## `cveId` (type: `string`): CVE identifier for epss\_score (e.g., 'CVE-2021-44228') ## `cveIds` (type: `string`): Comma-separated CVE IDs for prioritize\_cves ## `days` (type: `integer`): Time window in days for cisa\_kev\_alerts ## `severity` (type: `string`): CVSS severity filter for search\_cve ## `url` (type: `string`): URL or domain for phishing\_detect / domain\_trust ## `brandDomain` (type: `string`): Brand domain for brand\_monitor (e.g., 'paypal.com') ## `limit` (type: `integer`): Maximum results to return ## Actor input object example ```json { "tool": "search_cve", "keyword": "apache log4j", "cveId": "CVE-2021-44228", "cveIds": "CVE-2021-44228,CVE-2023-44487,CVE-2024-3094", "days": 30, "severity": "HIGH", "url": "paypa1-secure.com", "brandDomain": "paypal.com", "limit": 10 } ``` # Actor output Schema ## `results` (type: `string`): No description # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "tool": "search_cve", "keyword": "apache log4j", "cveId": "CVE-2021-44228", "cveIds": "CVE-2021-44228,CVE-2023-44487,CVE-2024-3094", "days": 30, "severity": "HIGH", "url": "paypa1-secure.com", "brandDomain": "paypal.com", "limit": 10 }; // Run the Actor and wait for it to finish const run = await client.actor("ntriqpro/cyber-threat-intelligence-mcp").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "tool": "search_cve", "keyword": "apache log4j", "cveId": "CVE-2021-44228", "cveIds": "CVE-2021-44228,CVE-2023-44487,CVE-2024-3094", "days": 30, "severity": "HIGH", "url": "paypa1-secure.com", "brandDomain": "paypal.com", "limit": 10, } # Run the Actor and wait for it to finish run = client.actor("ntriqpro/cyber-threat-intelligence-mcp").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "tool": "search_cve", "keyword": "apache log4j", "cveId": "CVE-2021-44228", "cveIds": "CVE-2021-44228,CVE-2023-44487,CVE-2024-3094", "days": 30, "severity": "HIGH", "url": "paypa1-secure.com", "brandDomain": "paypal.com", "limit": 10 }' | apify call ntriqpro/cyber-threat-intelligence-mcp --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=ntriqpro/cyber-threat-intelligence-mcp", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Cyber Threat Intelligence MCP — CVE, EPSS & Phishing", "description": "Claude MCP server: 7 cybersecurity tools. CVE search (NVD), CISA KEV alerts, EPSS exploit prediction, multi-factor CVE prioritization, phishing detection, domain trust scoring, brand monitoring. Free US government data. No API keys needed.", "version": "1.0", "x-build-id": "9ewGkvItgNjt4zKrK" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/ntriqpro~cyber-threat-intelligence-mcp/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-ntriqpro-cyber-threat-intelligence-mcp", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/ntriqpro~cyber-threat-intelligence-mcp/runs": { "post": { "operationId": "runs-sync-ntriqpro-cyber-threat-intelligence-mcp", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/ntriqpro~cyber-threat-intelligence-mcp/run-sync": { "post": { "operationId": "run-sync-ntriqpro-cyber-threat-intelligence-mcp", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "tool" ], "properties": { "tool": { "title": "Tool Name", "enum": [ "search_cve", "cisa_kev_alerts", "epss_score", "prioritize_cves", "phishing_detect", "domain_trust", "brand_monitor" ], "type": "string", "description": "Tool to test: search_cve, cisa_kev_alerts, epss_score, prioritize_cves, phishing_detect, domain_trust, brand_monitor" }, "keyword": { "title": "Keyword", "type": "string", "description": "Search keyword for search_cve (e.g., 'apache log4j', 'windows smb')" }, "cveId": { "title": "CVE ID", "type": "string", "description": "CVE identifier for epss_score (e.g., 'CVE-2021-44228')" }, "cveIds": { "title": "CVE IDs", "type": "string", "description": "Comma-separated CVE IDs for prioritize_cves" }, "days": { "title": "Days", "type": "integer", "description": "Time window in days for cisa_kev_alerts" }, "severity": { "title": "Severity Filter", "enum": [ "ALL", "LOW", "MEDIUM", "HIGH", "CRITICAL" ], "type": "string", "description": "CVSS severity filter for search_cve" }, "url": { "title": "URL / Domain", "type": "string", "description": "URL or domain for phishing_detect / domain_trust" }, "brandDomain": { "title": "Brand Domain", "type": "string", "description": "Brand domain for brand_monitor (e.g., 'paypal.com')" }, "limit": { "title": "Result Limit", "type": "integer", "description": "Maximum results to return" } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```