CTI MCP

// Cyber Threat Intelligence

Model 5 models (GLM-5.2 · Gemini-3.5-flash · MiniMax-m3 · deepseek-v4-flash · nemotron-3-nano)
Latency 6s pipeline end-to-end (141s cron NVD fetch)
Tokens ~605k in / 119k out (9 sessions)
Live
> CTI_MCP --INIT --PROTOCOL 2024-11-05> cti-report.py --hours 24 --format html --deliver telegram> refresh_sources --all --timeout 180s> generate_report --hours 24 --output ~/projects/cti-mcp/reports/> get_status --tokens --cache --warnings> get_recent_cves --hours 24 --severity CRITICAL,HIGH --limit 50> get_kev_entries --recent_days 2 --limit 100> get_exploited --limit 50 --since_hours 168> XSS CONTAINMENT: ACTIVE> DATABASE SYNC COMPLETED. 12,450 NEW IOCS.
SYS.STREAM
SYS.INDEX // SEC_01 // CTI-MCP

CTI
MCP

A Go MCP server that ingests raw threat-intelligence feeds, parses them into structured JSON, and exposes a tool surface for local AI models to query IOCs without crossing the wire.

Status: Operational GO 1.25 · SQLite (pure-Go) · MCP stdio
Live Telemetry
Sources CISA KEV / GitHub / NVD / OSV / PoC
5
Transport MCP 2024-11-05
STDIO
CVEs Today 1 CRITICAL · 25 HIGH · 5 MEDIUM
31
Pipeline cron 09:00 → Telegram
LIVE
System Clock
00:00:00 UTC
Integrity 99.9% — Operator: Curator

Why

// What problem this project solves and why it exists
Make me a Go MCP server that ingests raw threat intelligence feeds, parses them into structured JSON, and exposes an interface for local AI models to query IOCs securely.
COORD: 34.0522° N, 118.2437° W

System Topology v2

// Three feeds stream into the MCP core. Two artefacts come out.
SOURCE_01
NVD Datafeed
SOURCE_02
KEV Catalog
SOURCE_03
GitHub Repos
MCP Core
Processing
Exec_Flow
cti-report.py
XSS Containment: Active
OUT_01
Threat Map
OUT_02
Data Tables

Provider Connectivity Grid

// Live status of every feed the server polls.
Net_Stat_Ok
SourceTypeAuthStatusMetrics
CISA KEVKnown ExploitedOkLAT: 12ms TTL: 3600s
GitHub AdvisoryVuln DatabaseGITHUB_TOKENOkLAT: 45ms TTL: 1800s
NVDNational Vuln DBNVD_API_KEYRate_LimitLAT: 204ms TTL: 7200s
OSV.devOpen Source VulnsOkLAT: 32ms TTL: 3600s
GitHub PoCExploit CodeGITHUB_TOKENOkLAT: 55ms TTL: 1800s

MCP Tool Schematic

// The four operations any local model can call into the server.
QUERY_OP
get_recent_cves

Get recent CVEs within a time window, filtered by severity.

{
  "hours": 24,
  "severity": "CRITICAL,HIGH",
  "limit": 50
}
QUERY_OP
get_kev_entries

Get CISA KEV (Known Exploited Vulnerabilities) catalog entries.

{
  "recent_days": 2,
  "limit": 100
}
HIGH_RISK_OP
get_exploited

Get highest-risk CVEs: actively exploited (KEV) and/or public PoC.

{
  "limit": 50,
  "since_hours": 168
}
EXEC_OP
generate_report

Generate a full HTML threat intelligence report.

{
  "hours": 24,
  "format": "html"
}

Environment Memory Audit

// What the server has accumulated since boot, and how risky it is to run heavy ops right now.
383
Fact_Store Audit
96%
Load Incidents
Stability Protocols
  • get_status before heavy ops
  • Verify warnings empty
  • SQLite pure-Go fallback
DECLASSIFIED_A9

Operational Artefacts

// The two things the server ships: a map and a table.
Fig 01 // Global_Threat_Map Active: 142
Region Focus
NA / EU / ASIA
Fig 02 // Vuln_Datatables
CVE IDSeverityStatusLast Seen
CVE-2024-3094CRITICALEXPLOITED2024-10-27
CVE-2023-4863HIGHPATCHED2024-10-26
CVE-2024-1086MEDIUMANALYZING2024-10-27
CTI MCP — threat intelligence dashboard with global map and CVE data tables Snapshot_01

Threat Vectors

// Immediate-action alert when the server flags a new C2 endpoint.
Immediate Action Required
New C2 Infrastructure
Region
Asia-Pacific
IP
192.168.1.1105
Threat Actor
TA-412

Raw Readouts

// A peek at the live terminal that the server streams to stdio.
> CTI_MCP --ANALYZE --TARGET 192.168.1.105
[08:42:15] Ingesting feeds from sources...
[08:42:18] Database sync completed. 12,450 new IOCs.
> ERROR: Connection timeout to secure_enclave_03. Retrying...
[08:43:01] Fetching GitHub Advisory database...
> Parsing JSON payload...
{
  "id": "GHSA-xxxx-xxxx-xxxx",
  "summary": "Remote Code Execution",
  "severity": "CRITICAL"
}
> Waiting for input

CTI Chat Timeline

// 9 sessions, 5 models, 1 fabrication bust. Every row is a real conversation we had about this server.
#Date / TimeChannelPhaseModelOperational TasksTokens in/outBadge
01
2026-06-21
~22:00
TUIINIT_01GLM-5.2
Foundation günü
go.mod (Go 1.25, Runaho/cti-mcp) · cmd/cti-mcp/main.go (flags, SQLite, stdio serve) · internal/store (modernc.org/sqlite, no CGO) · 5 provider stub (CISA KEV, GitHub Advisory, GitHub PoC, NVD, OSV) · Source interface, HTTPClient (20s→45s timeout) · MCP Go SDK'ya geçiş planı
~120k / 18kFEAT
EXTREME
02
2026-06-22
18:54
TUIDEBUG_01Gemini-3.5-flash
NVD/OSV test + debugging
12 NVD + 11 OSV mock test (34/34 PASS) · NVD severity filter kaldırıldı, client-side filter · NVD API key header'a taşındı · HTTP timeout 20s→45s · opencode environment→command array fix · OSV /v1/query ecosystem desteği yok — karar bekleniyor
~95k / 22kFIX
HIGH
03
2026-06-22→23
gece
TUIXSS_FIXgemini3.5→M3
🔐 XSS keşfi (alert(1))
CVE description raw HTML olarak basılıyordu · html.EscapeString() önce çağrılacak, sonra markdown transform · Test payload: <script>, <img onerror>, <svg onload>, javascript: URL · Double-escape önleme · safeHTML funcMap bypass yerine input-level escape-first
~60k / 12kFIX
MEDIUM
04
2026-06-23
~22:00
TelegramPIPELINE_V9MiniMax-m3
cti-report.py yazımı
cti-report.py minimal stdio JSON-RPC client · initialize→notifications/initialized→get_status→refresh_sources→generate_report · select() ile aynı anda stderr drain + stdout read (deadlock önleme) · İlk cron run 22:48, 22:50 · REPORT_DIR/cti-report-YYYY-MM-DD_HHMM.html standardı
~85k / 18kFEAT
HIGH
05
2026-06-24
12:47
TelegramMEMORY_AUDITGLM-5.2
Bellek + fact_store audit
Fact 137 → 383 (37 ek, 17 silinen) · Lessons: NVD API 2.0 final, XSS pattern, cron constraints, FetchWithContext Colly, debugging methodology · Stale CTI v8→v9 migration · Cron 9 resolved · Behavioral mirror corrections (358+360) silindi · Stale builder profile (fact 34) silindi
~70k / 16kCHORE
MEDIUM
06
2026-06-24
21:52
TelegramRELEASE_V9.2.0MiniMax-m3
README v9 + skill v9.2.0
README.md MCP Tools bölümü (8 tool parametre tablosu) · Cron Job Example: hermes cron create --name cti-threat-report --schedule 0 9 * * * --script cti-report.py · AI Agent Workflow doc · go test ./... -count=1 PASS · Skill cti-threat-report@9.2.0 aktif (5 source fresh, deliver telegram)
~50k / 10kREL
MEDIUM
07
2026-06-15
günlük cron
CronCRON_FIRST_RUNdeepseek-v4-flash:cloud
İlk daily cron run (deepseek-v4-flash)
delegate_task ile NVD fetch (4 URL × 7s delay) → /tmp/nvd_*.json · browser_navigate ile CISA KEV (1.5 MB döndü) · 31 CVE toplam: 1 CRITICAL + 25 HIGH + 5 MEDIUM · P1: 16, P2: 3, P3: 12 · WordPress ekosistem yoğunlaşma (8 SQLi/RCE/path traversal) · Outlier: GL.iNet GL-MT3000, Ruijie EG105G-P · 16 budget'ın 9-10'unu kullandı
~45k / 9kCRON
MEDIUM
08
2026-06-15
günlük cron
CronFABRICATE_BUSTnemotron-3-nano:30b-cloud
🔴 Nano fabricate olayı (nemotron-3-nano)
73 satır / 4 KB HTML üretti (sahte dolu rapor) · Tüm CVE ID'leri uydurmaydı (CVE-2018-25436, CVE-2026-35273) · 'Baggage Freight Shipping Australia' gibi var olmayan plugin isimleri · delegate_task hiç çağrılmamıştı · 9/16 budget self-patching · Policy sıkılaştırma: Kendi Sistemimizde Test SADECE düz metin, shell komutu/kod bloğu YOK
~50k / 8kALERT
EXTREME
09
2026-06-30
12:01
TelegramPUBLIC_RELEASEMiniMax-m3
Skill v9.2.0 + repo public niyeti
Pipeline onayı: Cron (09:00) → cti-report.py → cti-mcp subprocess (stdio) → refresh_sources() + generate_report(hours=24) → ~/projects/cti-mcp/reports/cti-report-YYYY-MM-DD_HHMM.html · 5 kaynak fresh (CISA KEV + GitHub Advisory + GitHub PoC + NVD + OSV) · Telegram'a teslim · Hero public release adayı (skill v9.2.0 stabil)
~30k / 6kREL
LOW