Mlab - IOC & Threat Intelligence

@Sn0wAlice

访问 MCP Server

7 hours ago

# security

# threat-intelligence

Threat intelligence MCP server for SOC analysts, DFIR and security researchers. Scan and enrich IOCs directly from Claude, Cursor or any MCP client: IP addresses (IPv4/IPv6), domains, file hashes and blockchain addresses. Search CVEs by keyword, vendor or product, retrieve full CVE records, and explore a threat actor database (APTs, groups, TTPs) with reverse CVE-to-actor lookup. Includes scan history, bookmarks and quota management. Free tier available — no credit card required. Built by mlab.sh, the IOC & file intelligence platform.

概览工具评论

概览

Mlab MCP Server

Bring real-time threat intelligence into your AI workflow. The Mlab MCP server connects Claude, Cursor, or any MCP-compatible client to mlab.sh — an IOC & file intelligence platform built for SOC analysts, DFIR teams and security researchers.

Ask your AI assistant things like:

"Is this IP malicious? 45.155.xx.xx"
"Scan suspicious-domain.com and summarize the findings"
"Which threat actors are known to exploit CVE-2024-3400?"
"Search recent CVEs affecting Fortinet products"

No local install required — Mlab is a remote MCP server. Zero npm, zero Docker, just a URL.

⚡ Quick Start

Server URL: https://mlab.sh/mcp

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "mlab": {
      "url": "https://mlab.sh/mcp"
    }
  }
}

Claude.ai (web)

Settings → Connectors → Add custom connector → paste https://mlab.sh/mcp

Cursor / other MCP clients

Add a remote MCP server pointing to https://mlab.sh/mcp and authenticate with your Mlab account (free tier available).

📖 Full setup guide: mlab.sh/helpcenter/integrations/mcp

🛠️ Available Tools (17)

IOC Scanning & Enrichment

Tool	Description
`detect_ioc`	Auto-detect the type of any indicator (IP, domain, hash…) and return relevant threat intel
`scan_ip`	Threat intelligence lookup for IPv4 / IPv6 addresses
`start_domain_scan`	Launch a full domain scan
`get_domain_scan_results`	Retrieve domain scan results
`scan_crypto`	Threat intelligence for blockchain addresses

Vulnerability Intelligence

Tool	Description
`cve_search`	Search CVEs by keyword, product, vendor or CVE ID
`cve_detail`	Full record for a specific CVE
`actors_by_cve`	Reverse lookup — every threat actor known to exploit a given CVE

Threat Actor Database

Tool	Description
`search_actors`	Free-text search across APTs and threat groups
`get_actor`	Full actor profile — aliases, TTPs, campaigns

Workspace

Tool	Description
`add_bookmark` / `remove_bookmark` / `get_bookmarks`	Save and manage IOCs of interest
`get_scan_history`	Your recent scan activity
`get_scan_limits`	Remaining scan quotas
`get_account_info`	Account, organization & subscription info
`hello_world`	Connectivity test

💡 Example Workflows

Incident triage — paste a log excerpt and ask: "Extract the IOCs and check each one against Mlab". The assistant chains detect_ioc → scan_ip / start_domain_scan and gives you a verdict per indicator.

Vulnerability watch — "Any critical CVEs on Palo Alto this month? Who exploits them?" → cve_search + actors_by_cve.

Threat actor research — "Build me a one-page brief on APT28: TTPs, recent CVEs, aliases" → search_actors + get_actor.

🔑 Authentication & Pricing

Free tier — no credit card required: mlab.sh/auth/register
Quotas apply per organization (check anytime with get_scan_limits)
Pricing: mlab.sh/pricing

🔗 Links

🌐 Platform: mlab.sh
📚 API docs: mlab.sh/developer/documentation
🧩 Ecosystem (TPRM, IR, CVE tracking, threat hunting…): mlab.sh/ecosystem
🆓 Free security tools: mlab.sh/tools

Built by Mlab · Investigate threats, not noise.

在 Playground 中尝试

服务器配置

{
  "mcpServers": {
    "mlab": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mlab.sh/mcp",
        "--header",
        "Authorization: Bearer mcp_xxx"
      ]
    }
  }
}

Build with ShipAny.