MCP Server for Cortex – exposes Cortex analyzers as Model Context Protocol tools.
https://github.com/gbrigandi/mcp-server-cortex
Stop context-switching between your AI assistant and threat intelligence tools. The MCP Server for Cortex connects your existing Cortex analyzers directly to Claude and other MCP clients, letting you run IP reputation checks, domain analysis, and malware scanning without leaving your conversation.
You're investigating a suspicious domain in Claude, but need to check it against AbuseIPDB, VirusTotal, and other threat feeds. Instead of copying indicators, opening browser tabs, and manually correlating results, you want your AI assistant to handle the heavy lifting while you focus on analysis.
This server solves that by exposing your configured Cortex analyzers as native MCP tools. Your existing threat intelligence infrastructure becomes directly accessible within AI conversations.
Reuse Your Existing Setup: If you're already running Cortex with configured analyzers, this server immediately makes them available to MCP clients. No duplicate API keys or reconfiguration required.
Structured Results: Instead of parsing raw API responses, you get structured analysis reports that Claude can interpret and correlate across multiple indicators.
Centralized Analysis: Run threat intelligence queries through your existing Cortex instance, maintaining audit trails and consistent analysis workflows.
Incident Response: Paste a list of suspicious IPs into Claude and ask it to "analyze these with AbuseIPDB and correlate the results." The server handles the API calls while Claude provides the analysis.
Threat Hunting: During a conversation about attack patterns, reference domains or URLs and immediately get VirusTotal scanning results without switching tools.
IOC Enrichment: Feed threat intelligence reports to Claude and have it automatically enrich indicators using your configured analyzers, then summarize findings.
The server exposes three core tools that map to common Cortex analyzers:
analyze_ip_with_abuseipdb: IP reputation analysis using your configured AbuseIPDB analyzer
analyze_with_abusefinder: Multi-type analysis (IP, domain, URL, email) through AbuseFinder
scan_url_with_virustotal: URL scanning via VirusTotal analyzers
Each tool accepts the target indicator and optionally the specific analyzer name, giving you flexibility in how you've configured your Cortex instance.
You'll need a running Cortex instance with:
The server expects these via environment variables (CORTEX_ENDPOINT and CORTEX_API_KEY), making it straightforward to deploy in containerized environments.
Download the pre-built binary for your platform from the releases, or build from source with cargo build --release. Configure your MCP client (like Claude Desktop) to launch the server with your Cortex credentials:
{
  "mcpServers": {
    "cortex": {
      "command": "/path/to/mcp-server-cortex",
      "env": {
        "CORTEX_ENDPOINT": "http://your-cortex:9000/api",
        "CORTEX_API_KEY": "your_api_key"
      }
    }
  }
}
Once connected, you can immediately start asking Claude to analyze threat indicators using your existing Cortex infrastructure.
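The round trip behind a tool call such as analyze_ip_with_abuseipdb, as an added Python illustration that is not the project's own Rust code: the indicator is validated before it is submitted, the analyzer is run through Cortex's REST API, and the job's taxonomies are collapsed into a structured verdict. The Cortex routes used (POST /api/analyzer/<name>/run, GET /api/job/<id>/waitreport) are Cortex's, not this server's; the analyzer name AbuseIPDB_1_0, the endpoint, key, and all responses are constructed, and HTTP is injected as callables so the flow runs offline.

```python
import ipaddress
# Added illustration of the tool -> Cortex flow; HTTP calls are injected as callables so it
# runs offline. Assumed Cortex routes: POST /api/analyzer/<name>/run, GET /api/job/<id>/waitreport.
def is_ip(value):
    try:  # literal IPv4/IPv6 only: no hostnames, no CIDR ranges
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def summarize_report(job):
    """Collapse Cortex taxonomies into the structured verdict an MCP client consumes."""
    if job.get("status") != "Success":
        return {"status": job.get("status", "Unknown"), "verdict": "unknown", "taxonomies": []}
    taxonomies = job["report"]["summary"]["taxonomies"]
    rank = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}
    worst = max((t["level"] for t in taxonomies), key=lambda lvl: rank.get(lvl, 0), default="info")
    return {"status": "Success", "verdict": worst,
            "taxonomies": [f"{t['namespace']}:{t['predicate']}={t['value']}" for t in taxonomies]}

def run_analyzer(endpoint, api_key, analyzer, data, data_type, post, get, tlp=2):
    """Submit one observable to a named analyzer and wait for its report."""
    if data_type == "ip" and not is_ip(data):
        # Refuse before anything leaves the host; a malformed "IP" would otherwise be
        # forwarded verbatim to third-party feeds through the analyzer.
        raise ValueError(f"not an IP address: {data!r}")
    base = endpoint.rstrip("/")
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    job = post(f"{base}/analyzer/{analyzer}/run", headers,
               {"data": data, "dataType": data_type, "tlp": tlp})
    job = get(f"{base}/job/{job['id']}/waitreport?atMost=30second", headers)
    return summarize_report(job)

def analyze_ip_with_abuseipdb(ip, post, get, analyzer="AbuseIPDB_1_0"):
    # Mirrors the MCP tool of that name; endpoint and key stand in for the env vars.
    return run_analyzer("http://your-cortex:9000/api", "your_api_key", analyzer, ip, "ip", post, get)

# Constructed Cortex responses (not captured from a real instance).
FAKE_JOB = {"id": "job-constructed-1", "status": "Success", "report": {"summary": {"taxonomies": [
    {"level": "malicious", "namespace": "AbuseIPDB", "predicate": "Records", "value": "12 reports"},
    {"level": "info", "namespace": "AbuseIPDB", "predicate": "Usage", "value": "Data Center"}]}}}

def fake_post(url, headers, body):
    assert url.endswith("/analyzer/AbuseIPDB_1_0/run") and body["dataType"] == "ip"
    return {"id": FAKE_JOB["id"], "status": "Waiting"}

def fake_get(url, headers):
    return FAKE_JOB

def demo():
    return analyze_ip_with_abuseipdb("198.51.100.7", fake_post, fake_get)
```

demo() returns {"status": "Success", "verdict": "malicious", "taxonomies": [...]}, the shape the assistant can correlate across several indicators without parsing raw analyzer output.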
This server fills a specific gap for security teams already invested in Cortex who want to bring that analysis capability into their AI workflows. If you're handling threat intelligence and using MCP-compatible tools, it belongs in your toolkit.