MCP.so
Sign In

Mlab - IOC & Threat Intelligence

@mlab-sh

About Mlab - IOC & Threat Intelligence

Threat intelligence MCP server for SOC analysts, DFIR and security researchers. Scan and enrich IOCs directly from Claude, Cursor or any MCP client: IP addresses (IPv4/IPv6), domains, file hashes and blockchain addresses. Search CVEs by keyword, vendor or product, retrieve full C

Basic information

Category

Developer Tools

Transports

stdio

Publisher

mlab-sh

Submitted by

Alice Snow

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "mlab": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mlab.sh/mcp",
        "--header",
        "Authorization: Bearer mcp_xxx"
      ]
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is Mlab - IOC & Threat Intelligence?

Mlab - IOC & Threat Intelligence is a remote MCP server that connects MCP-compatible clients like Claude and Cursor to the mlab.sh platform, providing real-time IOC scanning, vulnerability intelligence, and threat actor research for SOC analysts, DFIR teams, and security researchers. No local installation is required — it operates as a remote server accessible via a URL.

How to use Mlab - IOC & Threat Intelligence?

Configure your MCP client to point to the remote server URL https://mlab.sh/mcp and authenticate with a Mlab account (free tier available). For Claude Desktop, add the URL to claude_desktop_config.json under mcpServers. For Claude.ai (web), add it as a custom connector under Settings → Connectors. For other MCP clients, add a remote MCP server and authenticate.

Key features of Mlab - IOC & Threat Intelligence

  • 17 tools covering IOC scanning, CVE search, and threat actors
  • Auto-detect indicator type with detect_ioc
  • Full domain scans and IP enrichment
  • Reverse CVE lookup for threat actors
  • Workspace bookmarks, scan history, and account info
  • Remote server — no npm or Docker needed

Use cases of Mlab - IOC & Threat Intelligence

  • Incident triage: extract IOCs from logs and check each against Mlab
  • Vulnerability watch: search critical CVEs and discover which actors exploit them
  • Threat actor research: build briefs on APT groups with TTPs and aliases
  • Real-time intelligence queries via AI assistant

FAQ from Mlab - IOC & Threat Intelligence

Do I need to install anything locally?

No. Mlab is a remote MCP server — zero npm, zero Docker, just a URL.

How do I authenticate and is there a free tier?

Authentication is done with a Mlab account. A free tier is available with no credit card required; quotas apply per organization.

What tools are available?

The server provides 17 tools including detect_ioc, scan_ip, start_domain_scan, get_domain_scan_results, scan_crypto, cve_search, cve_detail, actors_by_cve, search_actors, get_actor, add_bookmark, remove_bookmark, get_bookmarks, get_scan_history, get_scan_limits, get_account_info, and hello_world.

How can I check my remaining scan quotas?

Use the get_scan_limits tool to view your remaining scan quotas.

What are the system requirements?

A MCP-compatible client (e.g., Claude Desktop, Claude.ai, Cursor) and internet access. No local dependencies.

Comments

More Developer Tools MCP servers