MCP Packs
Security/Threat Intel Pack
Hunt and respond with threat intel, scanning, and identity MCP servers.
Hunt threats, analyze indicators, and respond to incidents with security-focused MCP integrations. Connect threat intelligence, scanning, and identity platforms.
Recommended Servers
| Server | Purpose |
|---|---|
| VirusTotal MCP | File/URL reputation, reports |
| Shodan MCP | Internet-exposed asset search |
| Okta MCP | Users, groups, policies (IdP/Auth) |
| CrowdStrike MCP | Detections and response |
Example Configuration
```json
{
  "mcpServers": {
    "virustotal": {
      "command": "npx",
      "args": ["-y", "@virustotal/mcp-server"],
      "env": { "VIRUSTOTAL_API_KEY": "${VIRUSTOTAL_API_KEY}" }
    },
    "shodan": {
      "command": "npx",
      "args": ["-y", "@shodan/mcp-server"],
      "env": { "SHODAN_API_KEY": "${SHODAN_API_KEY}" }
    },
    "okta": {
      "command": "npx",
      "args": ["-y", "@okta/mcp-server"],
      "env": {
        "OKTA_ORG_URL": "${OKTA_ORG_URL}",
        "OKTA_API_TOKEN": "${OKTA_API_TOKEN}"
      }
    }
  }
}
```
Common Workflows
- Investigate suspicious indicators across threat intel sources
- Check asset exposure via Shodan during incident response
- Audit user access and policies in identity platforms
Safety First
Load only servers that are on an explicit allowlist. Pin each npm package to an exact version in the `npx` args rather than resolving the latest release on every start (`-y` with an unpinned package does exactly that), and give each server its own API token so that one leaked key does not unlock every platform. Treat third-party servers as untrusted until you have reviewed their code and the tools they expose: the arguments the model sends to a tool go to that server, so any indicator, hostname or case note passed to an unvetted server leaves your environment. Keep API keys out of the config file and out of the conversation by injecting them through environment variables as in the example above, and do not feed investigation data to tools you have not vetted.
Security Hardening Checklist
- Use read-only API keys where possible
- Restrict each server to the specific tools and operations the workflow needs; lookups and reads rarely need the ability to submit, modify or remediate
- Enable audit logging for all security tool calls
- Review and approve new tools before enabling
- Use separate credentials for production and testing
- Rotate API keys regularly
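The checklist above is a policy; the following is an added example, not part of this page or of any MCP project, of a small Python linter that mechanically checks an MCP client config against several of its items: the server allowlist, exact-version pinning of `npx` packages, per-server credentials, and keeping secrets out of the file as literals. The allowlist contents, the regexes, the package versions and the sample config are all assumptions constructed for the example.

```python
"""Added example: lint an MCP client config against the hardening checklist.

Checks performed (all assumptions for this example, not a standard tool):
  * every server name is on an explicit allowlist
  * every npx package is pinned to an exact version
  * every env value is a ${VAR} reference, never a literal secret
  * no two servers share the same credential variable (per-server tokens)
"""
import json
import re

# Servers this pack is allowed to load (assumed allowlist for the example).
ALLOWED_SERVERS = {"virustotal", "shodan", "okta", "crowdstrike"}

# Exact-version npm spec, e.g. "@shodan/mcp-server@1.4.2" or "some-tool@2.0.0".
PINNED_RE = re.compile(r"^@?[\w.-]+(?:/[\w.-]+)?@\d+\.\d+\.\d+$")
# Environment-variable reference as used in the config above, e.g. "${OKTA_API_TOKEN}".
ENV_REF_RE = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")


def lint_mcp_config(config_text: str, allowed=ALLOWED_SERVERS) -> list[str]:
    """Return human-readable findings; an empty list means the config passes."""
    cfg = json.loads(config_text)
    findings: list[str] = []
    seen_refs: dict[str, str] = {}  # env var name -> first server that used it

    for name, spec in cfg.get("mcpServers", {}).items():
        if name not in allowed:
            findings.append(f"{name}: not in server allowlist")

        if spec.get("command") == "npx":
            # First non-flag argument is the package spec ("-y" only skips the install prompt).
            pkgs = [a for a in spec.get("args", []) if not a.startswith("-")]
            if not pkgs or not PINNED_RE.match(pkgs[0]):
                pkg = pkgs[0] if pkgs else "<none>"
                findings.append(f"{name}: npx package '{pkg}' is not pinned to an exact version")

        for key, value in spec.get("env", {}).items():
            m = ENV_REF_RE.match(str(value))
            if not m:
                findings.append(f"{name}: env {key} is a literal value, not a ${{VAR}} reference")
                continue
            var = m.group(1)
            owner = seen_refs.setdefault(var, name)  # first server to claim this variable
            if owner != name:
                findings.append(f"{name}: env {key} reuses ${{{var}}} already used by {owner}")
    return findings


# Constructed sample: one clean server, one unpinned server that borrows another
# server's key, and one server that is not on the allowlist and has a pasted secret.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "virustotal": {
      "command": "npx",
      "args": ["-y", "@virustotal/mcp-server@1.0.0"],
      "env": { "VIRUSTOTAL_API_KEY": "${VIRUSTOTAL_API_KEY}" }
    },
    "shodan": {
      "command": "npx",
      "args": ["-y", "@shodan/mcp-server"],
      "env": { "SHODAN_API_KEY": "${VIRUSTOTAL_API_KEY}" }
    },
    "random-tool": {
      "command": "npx",
      "args": ["-y", "some-tool@2.0.0"],
      "env": { "API_TOKEN": "sk_live_0123456789abcdef0123" }
    }
  }
}
"""

if __name__ == "__main__":
    for finding in lint_mcp_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against your real config file before enabling a new server; the clean `virustotal` entry produces no findings, while the other two produce one finding per violated checklist item. Audit logging and key rotation cannot be checked from the config alone and remain operational controls.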