# Threadlinqs Intelligence — MCP Server (v6) > Purple-tier feature. Every tool requires authentication AND a Purple or Gold subscription (tier >= 3). There is no free or anonymous MCP access. The Threadlinqs Intelligence MCP server exposes 49 read-only threat-intelligence tools over two transports that share one catalog: - **Remote (Streamable-HTTP)** — `POST https://intel.threadlinqs.com/mcp` (JSON-RPC 2.0, MCP protocolVersion 2025-06-18). For Claude Desktop, Claude.ai, and other connector hosts. - **Local (stdio)** — the npm package `intelthreadlinqs-mcp`. For Claude Code, Cursor, and CLI/code hosts. Both transports expose the same 49 tools and return full data (detection query text, IOC values) because every MCP user is Purple/Gold. ## Connect — Claude Desktop / Claude.ai (remote, OAuth 2.1) 1. Settings -> Connectors -> Add custom connector. 2. URL: `https://intel.threadlinqs.com/mcp` 3. Complete the OAuth sign-in (OAuth 2.1 + PKCE S256). Sign in with a Purple or Gold account and approve access. 4. The 49 tools appear once connected. A free/Blue account can sign in, but the tools stay gated. ## Connect — Claude Code / Cursor / CLI (local, stdio + API key) ```json { "mcpServers": { "threadlinqs-intel": { "command": "npx", "args": ["-y", "intelthreadlinqs-mcp"], "env": { "THREADLINQS_API_KEY": "tl_your_purple_or_gold_key" } } } } ``` Generate a `tl_` API key from your Purple/Gold account profile at https://intel.threadlinqs.com. ## Authentication & tiering - Remote: OAuth 2.1 + PKCE (S256) with Client ID Metadata Documents (CIMD), or a Bearer `tl_` API key. - Local: Bearer `tl_` API key via the `THREADLINQS_API_KEY` environment variable. - All MCP tools require tier >= 3 (Purple $11.99/mo, or Gold). Pricing: https://threadlinqs.com/landing.html#pricing ## Discovery - Manifest: https://intel.threadlinqs.com/.well-known/mcp.json - OAuth metadata: https://intel.threadlinqs.com/.well-known/oauth-protected-resource and https://intel.threadlinqs.com/.well-known/oauth-authorization-server - Human docs: https://intel.threadlinqs.com/mcp ## Tools (49) - `get_started` — **Get Started**: Start here. Returns the Threadlinqs Intelligence tool catalog, categories, tiering, and usage guidance. No API call — read this before using other tools. - `search_threats` — **Search Threats**: Search the threat catalog by free-text query, or filter by severity/category. Returns matching threat summaries. Paginated: pass limit (default 20, max 100) and offset to page; the result includes has_more and an opaque next_cursor (reusable as offset/cursor). NOTE: offset paging applies to the filter/browse path; the free-text query path is capped at the first 50 matches (has_more still flags when more may exist). - `get_threat` — **Get Threat**: Get the full detail for a single threat by its ID (e.g. TL-2026-0042): overview, MITRE techniques, IOCs, detections, timeline, and tags. - `get_recent_threats` — **Recent Threats**: List the most recently published threats. Paginated: pass limit (default 15, max 100) and offset to page through older threats; the result includes has_more and an opaque next_cursor (reusable as offset/cursor). - `get_detections` — **Get Detections**: List detection logic (Splunk SPL, Microsoft KQL, Sigma). Optionally filter by threat_id or detection type. Paginated: pass limit (default 15, max 100) and offset to page; the result includes has_more and an opaque next_cursor (reusable as offset/cursor). - `search_iocs` — **Search IOCs**: Search indicators of compromise (IPs, domains, hashes, URLs). Filter by value substring and/or category. Pass limit (default 25, max 100); the result includes has_more (true when the page is full, so more may exist). NOTE: the indicator endpoint does not yet honor offset — narrow with a more specific value/type substring rather than paging. - `get_mitre_coverage` — **MITRE Coverage**: Get MITRE ATT&CK coverage across the platform. Optionally filter by tactic. - `get_mitre_technique` — **MITRE Technique**: Get details for a specific MITRE ATT&CK technique by ID (e.g. T1059 or T1059.001). - `get_actor` — **Get Actor Profile**: Get a comprehensive threat-actor profile by name or alias: attributed threats, MITRE techniques, IOCs, detections, timeline, and shared infrastructure. - `search_actors` — **List Actors**: List all attributed threat actors with aggregate stats (threat_count, severity levels, categories, nation_state). Returns the full roster in one call — filter the results client-side, or use get_actor for a single actor's full profile. Not paginated (has_more is always false); the response carries a total count. - `get_cve` — **Get CVE**: Look up a CVE by identifier (e.g. CVE-2024-3400): description, CVSS, affected products, references, and linked threats. - `get_cwe` — **Get CWE**: Look up a CWE by identifier (e.g. CWE-79): weakness name, description, severity, related CVEs, and mitigation guidance. - `get_platform_stats` — **Platform Stats**: Get aggregate platform statistics: threat, detection, IOC, MITRE technique, and actor counts. - `get_similar_threats` — **Similar Threats**: Find threats similar to a given threat by precomputed similarity (shared TTPs / IOC overlap / actor attribution). - `get_landscape_briefing` — **Landscape Briefing**: Get the latest threat-landscape briefing — a synthesized posture summary of recent threat activity. - `get_daily_theme` — **Daily Theme**: Get the day's landscape theme and top threat tags. - `get_threat_level` — **Threat Level**: Get the computed current threat-landscape level (a 0–25 rating of overall posture). - `get_ioc_blast_radius` — **IOC Blast Radius**: Map the blast radius of one indicator: the threats that contain it, the MITRE techniques those threats use, and the actors + sibling IOCs in the same campaigns. Use this to scope impact of a single IOC; for a richer multi-source dossier on one indicator use get_ioc_intelligence instead. - `get_ioc_intelligence` — **IOC Intelligence Dossier**: Get the composite intelligence dossier for one indicator: linked threats, actor attribution, related IOCs, and enrichment context in a single call. Prefer this over search_iocs when you already have an exact indicator value and want its full story. - `get_ioc_dns` — **IOC DNS Enrichment**: Return stored DNS enrichment for an IP or domain indicator (reverse-IP and subdomain records previously resolved and cached in the platform dataset). This reads stored data — it is NOT a live lookup at call time. Use get_ioc_intelligence for the full stored dossier. - `get_infrastructure_pivots` — **Infrastructure Pivots**: For a given threat, surface cross-threat infrastructure links — shared IPs/domains and DNS-derived overlaps that tie it to other campaigns. Use to widen from a single threat to its infrastructure neighborhood; use get_similar_threats for TTP/actor-based similarity instead. - `get_c2` — **C2 Intelligence**: Query the live C2 (command-and-control) intelligence center. Pick a view: 'beacons' (active C2 beacon snapshots — default), 'configs' (full extracted C2 configs), 'operators' (operator clusters), 'watermarks' (Cobalt Strike watermark index), 'correlations' (cross-C2 correlations), 'timeline' (activity over time), 'stats' (aggregate counts). Use generate_c2_blocklist when you want firewall-ready output rather than raw records. - `generate_c2_blocklist` — **Generate C2 Blocklist**: Compile a firewall-ready C2 blocklist of active command-and-control IPs observed recently. Returns deduplicated network indicators ready to drop into a denylist. Use this for actionable blocking; use get_c2 with view="beacons" when you need the underlying beacon detail. - `get_correlations` — **Correlation Engine**: Read precomputed cross-dataset correlations. Choose an engine: 'overview' (rollup of all engines — default), 'mitre-heatmap', 'adversary-infra', 'ioc-consensus', 'cve-velocity', 'attribution', 'detection-debt', or 'enrichment'. Use 'overview' first to see what's available, then drill into a specific engine. - `predict_mitre_transitions` — **Predict MITRE Transitions**: Predict the MITRE ATT&CK techniques most likely to follow (or precede) a given technique, with observed probabilities and example threats. Use forward to anticipate the next step in a kill chain; reverse to infer what came before. Pair with get_mitre_technique for the technique definition. - `get_threat_simulations` — **Threat Simulations**: Get the adversary-emulation / simulation playbooks attached to a threat — step-by-step commands by platform for safely reproducing the behavior in a lab. Use to operationalize detection testing for a specific threat. - `list_debriefs` — **List Debriefs**: List recent daily intelligence debriefs (newest first) with their per-day rollups: new/updated threats, themes, MITRE techniques, IOC breakdown, actors, and severity counts. Use to scan recent days; use get_debrief for the full detail of one date. Pass limit (default 30, max 100); the result includes has_more (true when the page is full, so older debriefs may exist). NOTE: the debriefs endpoint does not yet honor offset — it serves the most recent window. - `get_debrief` — **Get Debrief**: Get the full daily intelligence debrief for a specific calendar date (YYYY-MM-DD): posture summary, themes, threats grouped by severity, MITRE coverage, IOC distribution, actor attribution, and detection status. Find available dates first with list_debriefs. - `export_stix` — **Export STIX 2.1 Bundle**: Export a threat, actor, or CVE as a STIX 2.1 bundle for ingestion into a TIP/SIEM. Provide at least one of threat_id, actor, or cve_id. Returns a {type:"bundle", objects:[...]} with indicator (per IOC), attack-pattern (per MITRE technique), intrusion-set (actor), vulnerability (CVE), malware/threat-actor, and relationship objects. The bundle is capped (≤200 objects / ≤80KB); a note object is appended if truncated. - `export_attack_navigator` — **Export ATT&CK Navigator Layer**: Export a MITRE ATT&CK Navigator layer (enterprise-attack) for visualization. Pass actor= to score techniques attributed to one actor, or all=true for platform-wide coverage. Returns {name, versions, domain, techniques:[{techniqueID, score, color, comment}]}, capped at 600 techniques. - `list_threat_categories` — **List Threat Categories**: List every threat category with its threat count across the whole corpus. Use to discover valid category filters for search_threats. - `search_detections` — **Search Detections**: Keyword search across detection logic (SPL/KQL/Sigma) by rule text, technique, or threat. Optionally filter by type (spl|kql|sigma) or severity. Paginated via limit (default 25, max 200) + offset. - `get_detection_detail` — **Get Detection Detail**: Get the full detail for one detection rule by its ID, including the complete query text (SPL/KQL/Sigma), metadata, and the threat it maps to. - `list_simulations` — **List Simulations**: List adversary-emulation simulation scenarios across the platform (atomic test commands grouped by threat). Pass limit (default 50, max 200). - `get_threat_transcripts` — **Get Threat Transcripts**: Get the AI agent analysis transcripts for a threat — the step-by-step reasoning the research agents produced while profiling it. - `get_mitre_gap_analysis` — **MITRE Gap Analysis**: Prioritized list of MITRE ATT&CK techniques with the weakest detection coverage (detection debt), so you can target where to build detections next. Optionally filter by tactic. - `get_enrichment_overview` — **Enrichment Overview**: Health and coverage overview of the enrichment sources (CVE/EPSS/KEV, IOC reputation, DNS, etc.) feeding the platform. - `get_roadmap` — **Get Roadmap**: Get the Threadlinqs Intelligence platform roadmap — shipped, in-progress, and planned capabilities. - `get_changelog` — **Get Changelog**: Get the recent platform changelog (new threats, detections, features). Pass limit (default 20, max 100). - `export_detection` — **Export Detection**: Export one detection rule in a specific format. format=spl|kql|sigma returns the raw query text for that flavor; format=json returns the full detection object. - `get_latest_debrief` — **Get Latest Debrief**: Get the most recent daily intelligence debrief in full detail (resolves the latest date for you). - `get_threat_bundle` — **Get Threat Bundle**: One-shot dossier for a threat: the full threat detail plus its simulations and analysis transcripts (include="summary" returns just the threat). Fewer round-trips than calling get_threat + get_threat_simulations + get_threat_transcripts separately. - `get_threat_hunting_bundle` — **Threat Hunting Bundle**: Flagship one-call hunting dossier for a threat: full detail + similar threats + simulations + infrastructure pivots, composed server-side. Best single tool to scope a hunt around one threat. - `get_daily_intel_bundle` — **Daily Intel Bundle**: One-shot "what happened" bundle: the day's debrief (latest by default, or pass date) plus platform stats, the top recent threats, and the correlations overview. - `bulk_get_threats` — **Bulk Get Threats**: Fetch up to 20 threats by ID in one call. Returns {threats, missing, count}. Use when you already have a list of threat IDs. - `bulk_get_cves` — **Bulk Get CVEs**: Fetch up to 20 enriched CVEs by ID in one call. Returns {cves, missing, count}. - `get_actor_intelligence` — **Actor Intelligence**: Composite intelligence picture for a threat actor: the full actor profile plus cross-actor attribution correlations in one call. - `get_cve_intelligence` — **CVE Intelligence**: Composite CVE dossier: the enriched CVE detail plus exploitation-velocity context and any detections that reference it, in one call. - `health` — **Health Check**: Lightweight liveness probe: confirms the API is reachable and your key is valid, and returns platform counts + the latest debrief date.