
Mlab - IOC & Threat Intelligence
@mlab-sh
Threat intelligence MCP server for SOC analysts, DFIR and security researchers. Scan and enrich IOCs directly from Claude, Cursor or any MCP client: IP addresses (IPv4/IPv6), domains, file hashes and blockchain addresses. Search CVEs by keyword, vendor or product, retrieve full C
Overview
What is Mlab - IOC & Threat Intelligence?
Mlab - IOC & Threat Intelligence is a remote MCP server that connects MCP-compatible clients like Claude and Cursor to the mlab.sh platform, providing real-time IOC scanning, vulnerability intelligence, and threat actor research for SOC analysts, DFIR teams, and security researchers. No local installation is required — it operates as a remote server accessible via a URL.
How to use Mlab - IOC & Threat Intelligence?
Configure your MCP client to point to the remote server URL https://mlab.sh/mcp and authenticate with a Mlab account (free tier available). For Claude Desktop, add the URL to claude_desktop_config.json under mcpServers. For Claude.ai (web), add it as a custom connector under Settings → Connectors. For other MCP clients, add a remote MCP server and authenticate.
Key features of Mlab - IOC & Threat Intelligence
- 17 tools covering IOC scanning, CVE search, and threat actors
- Auto-detect indicator type with
detect_ioc - Full domain scans and IP enrichment
- Reverse CVE lookup for threat actors
- Workspace bookmarks, scan history, and account info
- Remote server — no npm or Docker needed
Use cases of Mlab - IOC & Threat Intelligence
- Incident triage: extract IOCs from logs and check each against Mlab
- Vulnerability watch: search critical CVEs and discover which actors exploit them
- Threat actor research: build briefs on APT groups with TTPs and aliases
- Real-time intelligence queries via AI assistant
FAQ from Mlab - IOC & Threat Intelligence
Do I need to install anything locally?
No. Mlab is a remote MCP server — zero npm, zero Docker, just a URL.
How do I authenticate and is there a free tier?
Authentication is done with a Mlab account. A free tier is available with no credit card required; quotas apply per organization.
What tools are available?
The server provides 17 tools including detect_ioc, scan_ip, start_domain_scan, get_domain_scan_results, scan_crypto, cve_search, cve_detail, actors_by_cve, search_actors, get_actor, add_bookmark, remove_bookmark, get_bookmarks, get_scan_history, get_scan_limits, get_account_info, and hello_world.
How can I check my remaining scan quotas?
Use the get_scan_limits tool to view your remaining scan quotas.
What are the system requirements?
A MCP-compatible client (e.g., Claude Desktop, Claude.ai, Cursor) and internet access. No local dependencies.