// platform / mcp_integration

Model Context Protocol Integration

Connect your AI coding agent directly to real-time threat intelligence. Search threats, pull detections, query IOCs, and map MITRE techniques without leaving your editor.

29 MCP Tools | 8 Resources | 75+ API Endpoints

// what_is_mcp

What is the Model Context Protocol?

The Model Context Protocol (MCP) is an open standard created by Anthropic that defines how AI applications connect to external data sources and tools. Instead of copying data into prompts or writing one-off integrations, MCP provides a single protocol that any AI client can use to discover, read, and invoke tools from any compatible server.

The Threadlinqs MCP Server exposes the entire intelligence platform—threats, detections, IOCs, MITRE mappings, C2 intelligence, attack simulations, and advanced correlations—as 29 callable tools and 8 browsable resources. Your AI agent gets structured access to the same data analysts use on the web platform, with no API wrangling required.

Transport is stdio (local). The server runs on your machine via npx, communicates over standard input/output, and sends authenticated requests to the Threadlinqs API on your behalf. No open ports, no webhook configuration, no cloud relay.

// quick_start

Install in 30 Seconds

$ npx -y intelthreadlinqs-mcp

No global install needed. The package runs via npx on demand. Add it to your AI client configuration and it starts automatically when your agent needs threat intelligence.

claude_desktop_config.json
{
  "mcpServers": {
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp"],
      "env": {
        "THREADLINQS_API_KEY": "tl_your_key_here"
      }
    }
  }
}

Claude Code (CLI)
# Add the MCP server to Claude Code
claude mcp add threadlinqs-intel \
  -e THREADLINQS_API_KEY=tl_your_key_here \
  -- npx -y intelthreadlinqs-mcp

Cursor / VS Code (.cursor/mcp.json)
{
  "mcpServers": {
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp"],
      "env": {
        "THREADLINQS_API_KEY": "tl_your_key_here"
      }
    }
  }
}

The API key is optional for free-tier tools. Generate one in your profile settings to unlock all 29 tools. Omit the env block to use 16 free-tier tools without authentication.
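
An added check, not part of the Threadlinqs package or its documentation: the configurations above launch the server with `npx -y` and no version, which does not tie the launch to a specific release, and they keep the API key in plaintext in the client config file. The script flags both conditions; the finding IDs and the `tl_CONSTRUCTED_0000` key are made up for illustration, and `3.0.0` is the version this page lists under Architecture.

```javascript
// Added example (not Threadlinqs code): audit an MCP client config of the
// "mcpServers" shape for unpinned npx packages and plaintext secrets.
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)$/i;
const DOC_PLACEHOLDER = /your_key_here/; // placeholder text used in the docs

// Split an npm spec into name and version; handles @scope/name@version.
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0
    ? { name: spec.slice(0, at), version: spec.slice(at + 1) }
    : { name: spec, version: null };
}

function auditMcpConfig(config) {
  const findings = [];
  for (const [server, def] of Object.entries(config.mcpServers ?? {})) {
    const args = def.args ?? [];
    if (def.command === "npx") {
      // The first non-flag argument is the package npx fetches and executes.
      const spec = args.find((a) => !a.startsWith("-")) ?? "";
      const { version } = parseSpec(spec);
      // Only an exact x.y.z pin names one release; tags and ranges float.
      if (!/^\d+\.\d+\.\d+$/.test(version ?? "")) {
        const autoInstall = args.includes("-y") || args.includes("--yes");
        findings.push({ server, id: "UNPINNED_PACKAGE", spec, autoInstall });
      }
    }
    for (const [name, value] of Object.entries(def.env ?? {})) {
      // A real key stored here sits in plaintext in the config file.
      if (SECRET_NAME.test(name) && value && !DOC_PLACEHOLDER.test(value)) {
        findings.push({ server, id: "INLINE_SECRET", name });
      }
    }
  }
  return findings;
}

// Constructed inputs: the config as shown above, and a variant pinned to the
// 3.0.0 release listed under Architecture, carrying a made-up key value.
const entry = (pkg, key) => ({
  command: "npx", args: ["-y", pkg], env: { THREADLINQS_API_KEY: key },
});
const asDocumented = { mcpServers: { "threadlinqs-intel": entry("intelthreadlinqs-mcp", "tl_your_key_here") } };
const pinned = { mcpServers: { "threadlinqs-intel": entry("intelthreadlinqs-mcp@3.0.0", "tl_CONSTRUCTED_0000") } };

console.log(auditMcpConfig(asDocumented)); // one UNPINNED_PACKAGE finding
console.log(auditMcpConfig(pinned));       // one INLINE_SECRET finding
```

An exact version pin fixes which release npx runs; the key finding is a prompt to keep the config file out of version control and shared dotfile repositories.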

// available_tools

29 MCP Tools

Every tool returns structured JSON. Your AI agent can chain tool calls—search for a threat, pull its detections, look up the associated MITRE techniques, and export a Sigma rule—all in a single conversation turn.

Tool | Description | Tier

Threats (4 tools)
search_threats | Keyword, CVE, MITRE, actor search | free
get_threat | Full threat detail by ID | free
get_recent_threats | Latest published threats | free
list_threat_categories | All categories with counts | free

Detections (2 tools)
get_detections | SPL, KQL, Sigma rules | blue+
export_detection | Export in spl/kql/sigma/json | blue+

IOCs (1 tool)
search_iocs | IPs, domains, hashes, URLs, behavioral | red+

MITRE ATT&CK (2 tools)
get_mitre_coverage | Framework coverage + detection stats | free
get_mitre_technique | Technique detail + linked threats | free

Simulations (2 tools)
list_simulations | All simulation scenarios | purple
get_threat_simulations | Per-threat simulation commands | free

Debriefs (2 tools)
list_debriefs | Daily intel briefings index | free
get_debrief | Full briefing by date | free

C2 Intelligence (7 tools)
list_c2_beacons | C2 beacon listing | red+
get_c2_stats | Framework distribution + geo | red+
get_c2_operators | Operator cluster analysis | red+
get_c2_cross_correlations | Cross-intel correlations | red+
get_c2_watermarks | Watermark cluster groups | red+
get_c2_timeline | Beacon version timeline | red+
get_c2_configs | Full beacon configurations | red+

Correlations (2 tools)
get_correlations_overview | 7-engine analytics summary | purple
get_correlation_engine | Per-engine detailed data | purple

CVE / CWE (2 tools)
get_cve_details | CVE lookup with CVSS + refs | free
get_cwe_details | CWE weakness + mitigations | free

Transcripts (1 tool)
get_threat_transcripts | Agent analysis transcripts | free

Platform (3 tools)
get_platform_stats | Counts, coverage, status | free
get_changelog | Recent updates + features | free
get_roadmap | Planned features + status | free

// available_resources

8 MCP Resources

Resources are read-only data feeds your AI agent can browse directly. Unlike tools, resources do not require input parameters—the agent requests a URI and receives the full dataset as structured JSON.

URI | Resource | Contents
threadlinqs://threats | All Threats | Complete threat intel feed with severity, attribution, CVEs
threadlinqs://detections | Detection Library | All SPL, KQL, and Sigma detection rules
threadlinqs://iocs | Indicators of Compromise | IPs, domains, hashes, URLs, behavioral indicators
threadlinqs://stats | Platform Statistics | Threat counts, detection counts, coverage metrics
threadlinqs://mitre | MITRE ATT&CK Coverage | Technique and tactic coverage across all threats
threadlinqs://changelog | Platform Changelog | Recent updates, features, and improvements
threadlinqs://simulations | Attack Simulations | Simulation scenarios with platform coverage
threadlinqs://debriefs | Daily Debriefs | Daily threat intelligence briefings

// supported_clients

Works with Every MCP Client

The server uses the stdio transport—the most widely supported MCP transport layer. Any client that implements the Model Context Protocol specification can connect. These are the clients we test against:

Claude Code | Anthropic CLI
Cursor | AI Code Editor
Windsurf | AI Code Editor
Cline | VS Code Extension
Continue | Open-source AI IDE
OpenCode | Terminal Agent

// tier_access

API Tier Access

16 of 29 tools work on the free tier with no API key. Authenticated tiers unlock detections, IOCs, C2 intelligence, simulations, and advanced correlations.

Tier | Access | Tools Unlocked
Free | No API key required | Threat search, MITRE coverage, debriefs, CVE/CWE lookups, platform stats, changelog, roadmap, transcripts (16 tools)
Blue | Free verified account | + Detection rules, export detections (18 tools)
Red | $4.99/mo | + IOC search, C2 beacons, stats, operators, watermarks, timeline, configs, cross-correlations (26 tools)
Purple | $11.99/mo | + Simulations list, correlations overview, correlation engine detail (29 tools)

// example_usage

What Your Agent Can Do

Once the MCP server is connected, your AI agent can answer threat intelligence questions directly:

Natural Language Queries
# Threat research
"Search for threats related to Cobalt Strike"
"Get full details on TL-2026-0288"
"What are the most recent critical threats?"

# Detection engineering
"Show me all SPL detections for ransomware threats"
"Export the Sigma rule for detection DET-0042"

# MITRE mapping
"What techniques does T1059.001 cover?"
"Show MITRE coverage for the Initial Access tactic"

# C2 intelligence
"List active C2 beacons with Cobalt Strike framework"
"Show operator clusters and shared infrastructure"

# Vulnerability lookup
"Look up CVE-2024-3400 and show linked threats"
"What is CWE-79 and how do I mitigate it?"
// technical_details

Architecture

Package: intelthreadlinqs-mcp on npm   Version: 3.0.0   SDK: @modelcontextprotocol/sdk v1.26.0

Transport: stdio (local process, no open ports)   Runtime: Node.js 18+

Data source: Cloudflare D1 via the Threadlinqs REST API (75+ endpoints)

Authentication: Bearer token via THREADLINQS_API_KEY environment variable

Timeout: 30s per API request with automatic abort controller

The server is stateless. Each tool call translates to one or more authenticated GET requests against the platform API. Responses are returned as structured JSON content blocks, ready for the AI model to parse and reason over.