CTI MCP
// Cyber Threat Intelligence
Model 5 models (GLM-5.2 · Gemini-3.5-flash · MiniMax-m3 · deepseek-v4-flash · nemotron-3-nano)
Latency 6s pipeline end-to-end (141s cron NVD fetch)
Tokens ~605k in / 119k out (9 sessions)
Live
> CTI_MCP --INIT --PROTOCOL 2024-11-05> cti-report.py --hours 24 --format html --deliver telegram> refresh_sources --all --timeout 180s> generate_report --hours 24 --output ~/projects/cti-mcp/reports/> get_status --tokens --cache --warnings> get_recent_cves --hours 24 --severity CRITICAL,HIGH --limit 50> get_kev_entries --recent_days 2 --limit 100> get_exploited --limit 50 --since_hours 168> XSS CONTAINMENT: ACTIVE> DATABASE SYNC COMPLETED. 12,450 NEW IOCS.
SYS.STREAMSYS.INDEX // SEC_01 // CTI-MCP
CTI
MCP
A Go MCP server that ingests raw threat-intelligence feeds, parses them into structured JSON, and exposes a tool surface for local AI models to query IOCs without crossing the wire.
Status: Operational GO 1.25 · SQLite (pure-Go) · MCP stdio
Live Telemetry
Sources CISA KEV / GitHub / NVD / OSV / PoC
5Transport MCP 2024-11-05
STDIOCVEs Today 1 CRITICAL · 25 HIGH · 5 MEDIUM
31Pipeline cron 09:00 → Telegram
LIVESystem Clock
00:00:00 UTC
Integrity 99.9% — Operator: Curator
Why
// What problem this project solves and why it existsMake me a Go MCP server that ingests raw threat intelligence feeds, parses them into structured JSON, and exposes an interface for local AI models to query IOCs securely.
COORD: 34.0522° N, 118.2437° W
System Topology v2
// Three feeds stream into the MCP core. Two artefacts come out.SOURCE_01
NVD Datafeed
SOURCE_02
KEV Catalog
SOURCE_03
GitHub Repos
MCP Core
Processing
Exec_Flow
cti-report.py
XSS Containment: Active
OUT_01
Threat Map
OUT_02
Data Tables
Provider Connectivity Grid
// Live status of every feed the server polls.Net_Stat_Ok
| Source | Type | Auth | Status | Metrics |
|---|---|---|---|---|
| CISA KEV | Known Exploited | — | Ok | LAT: 12ms TTL: 3600s |
| GitHub Advisory | Vuln Database | GITHUB_TOKEN | Ok | LAT: 45ms TTL: 1800s |
| NVD | National Vuln DB | NVD_API_KEY | Rate_Limit | LAT: 204ms TTL: 7200s |
| OSV.dev | Open Source Vulns | — | Ok | LAT: 32ms TTL: 3600s |
| GitHub PoC | Exploit Code | GITHUB_TOKEN | Ok | LAT: 55ms TTL: 1800s |
MCP Tool Schematic
// The four operations any local model can call into the server.QUERY_OP
get_recent_cves
Get recent CVEs within a time window, filtered by severity.
{
"hours": 24,
"severity": "CRITICAL,HIGH",
"limit": 50
}QUERY_OP
get_kev_entries
Get CISA KEV (Known Exploited Vulnerabilities) catalog entries.
{
"recent_days": 2,
"limit": 100
}HIGH_RISK_OP
get_exploited
Get highest-risk CVEs: actively exploited (KEV) and/or public PoC.
{
"limit": 50,
"since_hours": 168
}EXEC_OP
generate_report
Generate a full HTML threat intelligence report.
{
"hours": 24,
"format": "html"
}Environment Memory Audit
// What the server has accumulated since boot, and how risky it is to run heavy ops right now.383
Fact_Store Audit
96%
Load Incidents
Stability Protocols
- get_status before heavy ops
- Verify warnings empty
- SQLite pure-Go fallback
DECLASSIFIED_A9
Operational Artefacts
// The two things the server ships: a map and a table.Fig 01 // Global_Threat_Map Active: 142
Region Focus
NA / EU / ASIA
Fig 02 // Vuln_Datatables
| CVE ID | Severity | Status | Last Seen |
|---|---|---|---|
| CVE-2024-3094 | CRITICAL | EXPLOITED | 2024-10-27 |
| CVE-2023-4863 | HIGH | PATCHED | 2024-10-26 |
| CVE-2024-1086 | MEDIUM | ANALYZING | 2024-10-27 |
Snapshot_01 Threat Vectors
// Immediate-action alert when the server flags a new C2 endpoint.Immediate Action Required
New C2 Infrastructure
- Region
- Asia-Pacific
- IP
- 192.168.1.1105
- Threat Actor
- TA-412
Raw Readouts
// A peek at the live terminal that the server streams to stdio.> CTI_MCP --ANALYZE --TARGET 192.168.1.105
[08:42:15] Ingesting feeds from sources...
[08:42:18] Database sync completed. 12,450 new IOCs.
> ERROR: Connection timeout to secure_enclave_03. Retrying...
[08:43:01] Fetching GitHub Advisory database...
> Parsing JSON payload...
{
"id": "GHSA-xxxx-xxxx-xxxx",
"summary": "Remote Code Execution",
"severity": "CRITICAL"
}
"id": "GHSA-xxxx-xxxx-xxxx",
"summary": "Remote Code Execution",
"severity": "CRITICAL"
}
> Waiting for input
CTI Chat Timeline
// 9 sessions, 5 models, 1 fabrication bust. Every row is a real conversation we had about this server.| # | Date / Time | Channel | Phase | Model | Operational Tasks | Tokens in/out | Badge |
|---|---|---|---|---|---|---|---|
| 01 | 2026-06-21 ~22:00 | TUI | INIT_01 | GLM-5.2 | Foundation günü go.mod (Go 1.25, Runaho/cti-mcp) · cmd/cti-mcp/main.go (flags, SQLite, stdio serve) · internal/store (modernc.org/sqlite, no CGO) · 5 provider stub (CISA KEV, GitHub Advisory, GitHub PoC, NVD, OSV) · Source interface, HTTPClient (20s→45s timeout) · MCP Go SDK'ya geçiş planı | ~120k / 18k | FEAT EXTREME |
| 02 | 2026-06-22 18:54 | TUI | DEBUG_01 | Gemini-3.5-flash | NVD/OSV test + debugging 12 NVD + 11 OSV mock test (34/34 PASS) · NVD severity filter kaldırıldı, client-side filter · NVD API key header'a taşındı · HTTP timeout 20s→45s · opencode environment→command array fix · OSV /v1/query ecosystem desteği yok — karar bekleniyor | ~95k / 22k | FIX HIGH |
| 03 | 2026-06-22→23 gece | TUI | XSS_FIX | gemini3.5→M3 | 🔐 XSS keşfi (alert(1)) CVE description raw HTML olarak basılıyordu · html.EscapeString() önce çağrılacak, sonra markdown transform · Test payload: <script>, <img onerror>, <svg onload>, javascript: URL · Double-escape önleme · safeHTML funcMap bypass yerine input-level escape-first | ~60k / 12k | FIX MEDIUM |
| 04 | 2026-06-23 ~22:00 | Telegram | PIPELINE_V9 | MiniMax-m3 | cti-report.py yazımı cti-report.py minimal stdio JSON-RPC client · initialize→notifications/initialized→get_status→refresh_sources→generate_report · select() ile aynı anda stderr drain + stdout read (deadlock önleme) · İlk cron run 22:48, 22:50 · REPORT_DIR/cti-report-YYYY-MM-DD_HHMM.html standardı | ~85k / 18k | FEAT HIGH |
| 05 | 2026-06-24 12:47 | Telegram | MEMORY_AUDIT | GLM-5.2 | Bellek + fact_store audit Fact 137 → 383 (37 ek, 17 silinen) · Lessons: NVD API 2.0 final, XSS pattern, cron constraints, FetchWithContext Colly, debugging methodology · Stale CTI v8→v9 migration · Cron 9 resolved · Behavioral mirror corrections (358+360) silindi · Stale builder profile (fact 34) silindi | ~70k / 16k | CHORE MEDIUM |
| 06 | 2026-06-24 21:52 | Telegram | RELEASE_V9.2.0 | MiniMax-m3 | README v9 + skill v9.2.0 README.md MCP Tools bölümü (8 tool parametre tablosu) · Cron Job Example: hermes cron create --name cti-threat-report --schedule 0 9 * * * --script cti-report.py · AI Agent Workflow doc · go test ./... -count=1 PASS · Skill cti-threat-report@9.2.0 aktif (5 source fresh, deliver telegram) | ~50k / 10k | REL MEDIUM |
| 07 | 2026-06-15 günlük cron | Cron | CRON_FIRST_RUN | deepseek-v4-flash:cloud | İlk daily cron run (deepseek-v4-flash) delegate_task ile NVD fetch (4 URL × 7s delay) → /tmp/nvd_*.json · browser_navigate ile CISA KEV (1.5 MB döndü) · 31 CVE toplam: 1 CRITICAL + 25 HIGH + 5 MEDIUM · P1: 16, P2: 3, P3: 12 · WordPress ekosistem yoğunlaşma (8 SQLi/RCE/path traversal) · Outlier: GL.iNet GL-MT3000, Ruijie EG105G-P · 16 budget'ın 9-10'unu kullandı | ~45k / 9k | CRON MEDIUM |
| 08 | 2026-06-15 günlük cron | Cron | FABRICATE_BUST | nemotron-3-nano:30b-cloud | 🔴 Nano fabricate olayı (nemotron-3-nano) 73 satır / 4 KB HTML üretti (sahte dolu rapor) · Tüm CVE ID'leri uydurmaydı (CVE-2018-25436, CVE-2026-35273) · 'Baggage Freight Shipping Australia' gibi var olmayan plugin isimleri · delegate_task hiç çağrılmamıştı · 9/16 budget self-patching · Policy sıkılaştırma: Kendi Sistemimizde Test SADECE düz metin, shell komutu/kod bloğu YOK | ~50k / 8k | ALERT EXTREME |
| 09 | 2026-06-30 12:01 | Telegram | PUBLIC_RELEASE | MiniMax-m3 | Skill v9.2.0 + repo public niyeti Pipeline onayı: Cron (09:00) → cti-report.py → cti-mcp subprocess (stdio) → refresh_sources() + generate_report(hours=24) → ~/projects/cti-mcp/reports/cti-report-YYYY-MM-DD_HHMM.html · 5 kaynak fresh (CISA KEV + GitHub Advisory + GitHub PoC + NVD + OSV) · Telegram'a teslim · Hero public release adayı (skill v9.2.0 stabil) | ~30k / 6k | REL LOW |