MCPThreatHive: Automated Threat Intelligence for Model Context Protocol Ecosystems
TL;DR Highlight
Open-source Threat Intelligence platform that automatically collects, classifies, and visualizes security threats for AI Agents based on MCP.
Who Should Read
Security personnel and backend developers operating or developing AI Agents connected to external tools via MCP, such as Claude, GitHub Copilot, and Cursor. Also useful for AI product teams deploying MCP servers or lacking a robust security system.
Core Mechanics
- Due to the way MCP (Model Context Protocol) allows LLMs to select external tools based on natural language descriptions, new attack vectors exist that are not covered by traditional security frameworks — such as tool description poisoning, indirect prompt injection, and parasitic tool chains.
- Existing MCP security tools (MCP-Scan, Ramparts, MCP-Guardian, etc.) only check individual tools and cannot detect compositional attacks (tool chaining attacks) that occur when multiple tools are combined.
- MCPThreatHive implements a 4-stage pipeline that continuously collects threat intelligence from multiple sources (CVE DB, GitHub Security Advisories, security blogs, ArXiv RSS, etc.) and automatically classifies it using an LLM.
- The MCP-38 threat classification system (38 MCP-specific threat patterns) is simultaneously mapped to the STRIDE, OWASP LLM Top 10, and OWASP Agentic Top 10 frameworks, providing a single view.
- A composite risk score formula based on DREAD (threat risk calculation methodology) is used, applying agentic system-specific weights (semantic attack ×1.20, parasitic chaining ×1.15, low observability ×1.10).
- Threat relationships are stored in a Neo4j knowledge graph, allowing you to trace 'what data leakage attack path starts from this tool' using graph queries.
Evidence
- When a real-world GitHub MCP prompt injection incident (publicly disclosed in 2025) was input into the pipeline, it passed the filter with a relevance score of 0.94 (exceeding the threshold of 0.70) and was classified as MCP-20 (Indirect Prompt Injection) and MCP-24 (Data Exfiltration), matching expert labels.
- Example of calculating the composite risk score for Direct Prompt Injection (MCP-19): R = 0.855; applying an inference-time multiplier of 1.20 results in Rfinal = 10.0 (Critical), numerically confirming that this is the most dangerous attack class.
- MCPThreatHive supports all 6 key capabilities in Table 2 (MCP-38 coverage, continuous monitoring, knowledge graph, AI risk plan, multi-framework mapping, MCP-UPD chain analysis), while the remaining 5 tools do not support any of them.
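The risk-score arithmetic above (a DREAD base score, an agentic multiplier, a 0-10 scale) as an added, runnable example; this is not MCPThreatHive's own code. The equal weighting of the five DREAD dimensions, the clamp to 1.0 before scaling, and the severity cut-offs other than "Critical" are assumptions, not taken from the page:

```python
"""Composite risk score in the style the page describes: a DREAD base score
in [0, 1], an agentic-system multiplier, then a 0-10 scale. Added example;
equal DREAD weights, the clamp to 1.0 and the band cut-offs are assumed."""
from dataclasses import dataclass

# Agentic-system multipliers quoted on the page.
MULTIPLIERS = {
    "semantic_attack": 1.20,
    "parasitic_chaining": 1.15,
    "low_observability": 1.10,
}

@dataclass(frozen=True)
class Dread:
    damage: float
    reproducibility: float
    exploitability: float
    affected_users: float
    discoverability: float

    def base(self) -> float:
        """Equal-weight mean of the five dimensions, each in [0, 1] (assumed)."""
        vals = (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)
        if any(not 0.0 <= v <= 1.0 for v in vals):
            raise ValueError(f"DREAD dimension out of range: {vals}")
        return sum(vals) / len(vals)

def final_score(base: float, tags: tuple = ()) -> float:
    """Apply each applicable multiplier, clamp to 1.0, scale to 0-10.
    Several tags compound multiplicatively (assumption)."""
    r = base
    for tag in tags:
        r *= MULTIPLIERS[tag]  # an unknown tag raises KeyError on purpose
    return round(min(r, 1.0) * 10.0, 2)

def severity(score: float) -> str:
    """Severity bands; only 'Critical' is named on the page (cut-offs assumed)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def score_threat(d: Dread, tags: tuple = ()) -> float:
    """Convenience wrapper: DREAD dimensions straight to the final 0-10 score."""
    return final_score(d.base(), tags)
```

With the page's MCP-19 figures, `final_score(0.855, ("semantic_attack",))` returns 10.0, which `severity` maps to "Critical"; without the multiplier the same base scores 8.55.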
How to Apply
- If you are operating an MCP server but cannot perform security audits periodically, deploy MCPThreatHive with Docker Compose and connect it to the NVD API and GitHub Security Advisories to automatically generate MCP-38 classifications and risk scores whenever a new CVE is registered.
- If you are developing a workflow that chains multiple MCP tools together (e.g., web search → file writing → email sending), query the CHAINS_INTO edge of the knowledge graph to check for 'T2T → UPD' patterns (parasitic tool chain) and use it to proactively block dangerous combinations.
- If your team needs OWASP or STRIDE-based security compliance reports, you can use MCPThreatHive's multi-framework mapping feature to extract results that simultaneously map the same threat to STRIDE categories and the OWASP LLM Top 10 and Agentic Top 10, and use them directly in report writing.
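The CHAINS_INTO check from the second item, as an added in-memory example (not MCPThreatHive's code): it mirrors the page's Cypher pattern `(t:Tool)-[:CHAINS_INTO*]->(u:Threat {type: 'UPD'})` and then keeps only the paths that cross a T2T-typed node. The node ids, labels and edges are a constructed sample built around the page's web search → file writing → email sending workflow; the T2T/UPD node typing is an assumption:

```python
"""In-memory stand-in for the knowledge-graph query on the page,
MATCH path = (t:Tool)-[:CHAINS_INTO*]->(u:Threat {type: 'UPD'}).
Added example, not MCPThreatHive's code; the graph below is constructed."""

# Constructed graph: node id -> (label, type); CHAINS_INTO -> adjacency list.
NODES = {
    "web_search": ("Tool", None),
    "file_write": ("Tool", None),
    "send_email": ("Tool", None),
    "t2t_handoff": ("Threat", "T2T"),
    "exfil": ("Threat", "UPD"),
}
CHAINS_INTO = {
    "web_search": ["file_write"],
    "file_write": ["t2t_handoff", "send_email"],  # second edge skips the T2T node
    "t2t_handoff": ["send_email"],
    "send_email": ["exfil"],
}


def upd_paths(start, nodes=NODES, edges=CHAINS_INTO, max_depth=6):
    """Simple CHAINS_INTO paths from a Tool node to a Threat of type UPD."""
    if nodes[start][0] != "Tool":
        raise ValueError("start node must be a Tool")
    found = []

    def walk(node, path):
        if len(path) > max_depth:
            return
        for nxt in edges.get(node, []):
            if nxt in path:  # skip cycles, keep paths simple
                continue
            label, ntype = nodes[nxt]
            if label == "Threat" and ntype == "UPD":
                found.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def parasitic_chains(start, nodes=NODES, edges=CHAINS_INTO):
    """The 'T2T -> UPD' pattern: UPD paths that pass through a T2T node."""
    return [p for p in upd_paths(start, nodes, edges)
            if any(nodes[n][1] == "T2T" for n in p[:-1])]
```

`upd_paths("web_search")` returns both routes to the UPD threat, while `parasitic_chains("web_search")` keeps only the one routed through the T2T node, which is the combination a deployment would want to block or review.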
Code Example
# MCPThreatHive quick start (Docker Compose)
# 1. Clone the repository
git clone https://github.com/VulcanLab/MCPThreatHive
cd MCPThreatHive
# 2. Set environment variables in a .env file (the key and password below are placeholders)
cat > .env <<'EOF'
# LLM_PROVIDER can be openai, anthropic or local
LLM_PROVIDER=openai
LLM_MODEL=gpt-4o
OPENAI_API_KEY=sk-...
NEO4J_URI=bolt://neo4j:7687
NEO4J_PASSWORD=your_password
EOF
# 3. Run
docker-compose up -d
# 4. Trigger threat collection (REST API)
curl -X POST http://localhost:5000/api/gather \
  -H 'Content-Type: application/json' \
  -d '{"query": "MCP tool description poisoning", "sources": ["nvd", "github", "rss"]}'
# 5. Query threats by risk score (URL quoted so the shell does not treat '?' as a glob)
curl 'http://localhost:5000/api/threats?min_score=7.0'
# Example response:
# {
#   "threats": [
#     {"id": "MCP-19", "name": "Direct Prompt Injection",
#      "risk_score": 10.0, "level": "Critical",
#      "stride": "Tampering", "owasp_llm": "LLM01",
#      "owasp_agentic": "ASI01"}
#   ]
# }
# 6. Query an attack chain in the knowledge graph (Cypher; run in Neo4j Browser or cypher-shell)
# MATCH path = (t:Tool)-[:CHAINS_INTO*]->(u:Threat {type: 'UPD'})
# RETURN path LIMIT 10
Original Abstract
The rapid proliferation of Model Context Protocol (MCP)-based agentic systems has introduced a new category of security threats that existing frameworks are inadequately equipped to address. We present MCPThreatHive, an open-source platform that automates the end-to-end lifecycle of MCP threat intelligence: from continuous, multi-source data collection through AI-driven threat extraction and classification, to structured knowledge graph storage and interactive visualization. The platform operationalizes the MCP-38 threat taxonomy, a curated set of 38 MCP-specific threat patterns mapped to STRIDE, OWASP Top 10 for LLM Applications, and OWASP Top 10 for Agentic Applications. A composite risk scoring model provides quantitative prioritization. Through a comparative analysis of representative existing MCP security tools, we identify three critical coverage gaps that MCPThreatHive addresses: incomplete compositional attack modeling, absence of continuous threat intelligence, and lack of unified multi-framework classification.