gti -standalone

The Google Threat Intelligence MCP Server (Standalone) provides an interface for interacting with Google Threat Intelligence tooling through the MCP protocol. It exposes a suite of capabilities including threat intelligence searches, file analysis, domain/IP/URL reputation checks, IOC searches, and threat profiles. This server is designed for local development and cloud deployment, enabling clients like Claude Desktop, Cline, Cursor, or custom frontends to issue structured tool calls and receive rich threat intelligence results. When running locally, the server reads environment variables (such as VT_APIKEY) to authenticate with the VirusTotal API and returns results from GTI-powered analyses. In cloud deployments, the server handles API key management and security through an authentication layer while delegating API calls to VirusTotal as needed. The MCP tools and VT API client communicate through the MCP transport layer, enabling clients to execute commands like get_file_report, get_domain_report, search_threats, and more, with results tailored to each query.

To use it, start the MCP server in your environment, then connect an MCP client (e.g., Claude, Cline, Cursor) to the server’s MCP endpoints. Use the available tool calls such as search_threats(query), search_iocs(query), get_file_report(hash), get_domain_report(domain), get_url_report(url), and get_threat_profile(profile_id) to retrieve structured threat intelligence data. For local development, ensure VT_APIKEY is set in your environment so file, domain, and URL analyses can access VirusTotal data during requests.

Prerequisites:

• Python 3.11 or higher
• uv package manager (uv) installed
• VirusTotal API key (for VT API access)

1. Clone the repository

git clone https://github.com/yourusername/gti-mcp-standalone.git
cd gti-mcp-standalone

2. Install the MCP server with uv (local development mode)

# Install the package in editable mode
uv tool install -e .

3. Set required environment variables

export VT_APIKEY=your-virustotal-api-key

4. Run the MCP server (local development)

uv run gti-mcp-standalone

5. Verify the server starts and is reachable via MCP clients. For production or cloud deployment, follow the cloud deployment steps and ensure authentication and API keys are configured per your environment.

Environment variables and configuration tips:

• VT_APIKEY is required for VirusTotal requests in local development. Ensure it is exported before starting the server.
• In cloud deployments, the MCP_AUTH_TOKEN handles client authentication while API keys for third-party services (like VirusTotal) can be scoped per client or per request as per your security model.
• If you encounter issues with uv tool installation, ensure Python 3.11+ and the latest uv version are installed, and that your environment PATH includes the uv executable.
• The server exposes a rich set of functions (e.g., search_threats, get_file_report, get_domain_report, get_url_report, get_threat_profile, analyse_file); consult the GTI MCP documentation for syntax and quota considerations for VirusTotal limits.