8. Use Cyberbro MCP for LLM - stanfrbd/cyberbro GitHub Wiki

Using Cyberbro MCP for LLM Integrations

Cyberbro MCP is a Model Context Protocol (MCP) server that enables Large Language Models (LLMs) to extract, analyze, and check the reputation of Indicators of Compromise (IoCs) from unstructured input, leveraging multiple threat intelligence sources.

What is Cyberbro MCP?

  • Purpose: Provides a standardized interface for LLMs (like Claude) to interact with Cyberbro, automating threat intelligence workflows.
  • Capabilities: Extracts IoCs (IPs, domains, hashes, URLs, Chrome extension IDs), checks their reputation, and integrates with platforms like Microsoft Defender, CrowdStrike, and OpenCTI.

Key Features

  • Multi-source reputation checks and reporting
  • Beginner-friendly and LLM-ready (no manual UI needed)
  • Unique support for Chrome extension IDs and advanced TLD handling
  • Exportable reports and search/visualization tools

Installation

Docker (Recommended)

export CYBERBRO_URL=http://localhost:5000
export API_PREFIX=api
docker pull ghcr.io/stanfrbd/mcp-cyberbro:latest

Local

git clone https://github.com/stanfrbd/mcp-cyberbro.git
cd mcp-cyberbro
pip install -r requirements.txt
export CYBERBRO_URL=http://localhost:5000
export API_PREFIX=api
python mcp-cyberbro-server.py

Integration with Claude Desktop

Add to your claude_desktop_config.json:

Docker:

"mcpServers": {
    "cyberbro": {
        "command": "docker",
        "args": [
            "run", "-i", "--rm", "-e", "CYBERBRO_URL", "-e", "API_PREFIX",
            "ghcr.io/stanfrbd/mcp-cyberbro:latest"
        ],
        "env": {
            "CYBERBRO_URL": "http://localhost:5000",
            "API_PREFIX": "api"
        }
    }
}

Local:

"mcpServers": {
    "cyberbro": {
        "command": "python",
        "args": [
            "C:\\Users\\path\\to\\mcp-cyberbro.py"
        ],
        "env": {
            "CYBERBRO_URL": "http://localhost:5000",
            "API_PREFIX": "api"
        }
    }
}

Note: Set CYBERBRO_URL and API_PREFIX as environment variables before starting Claude Desktop.
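
A pre-flight check for the Docker entry above, added here as an illustration (it is not code from the Cyberbro or mcp-cyberbro projects). The function name lint_cyberbro_entry, the hardened sample's host name and the digest placeholder are assumptions; the checks cover env pass-through, an unpinned image tag, plain http to a non-local host, and a localhost URL used from inside a container.

```python
import json
from urllib.parse import urlparse

REQUIRED_ENV = ("CYBERBRO_URL", "API_PREFIX")  # the two variables the page's configs set

def lint_cyberbro_entry(config):
    """Return a list of findings for the mcpServers.cyberbro entry of a parsed config."""
    entry = config.get("mcpServers", {}).get("cyberbro")
    if entry is None:
        return ["no mcpServers.cyberbro entry"]
    findings = []
    env, args = entry.get("env", {}), entry.get("args", [])
    findings += [f"env {n} is not set" for n in REQUIRED_ENV if not env.get(n)]
    url = urlparse(env.get("CYBERBRO_URL", ""))
    local = url.hostname in ("localhost", "127.0.0.1", "::1")
    if url.scheme == "http" and not local:
        findings.append("CYBERBRO_URL is plain http to a non-local host")
    if entry.get("command") == "docker":
        pairs = list(zip(args, args[1:]))
        # "-e NAME" forwards NAME from the client environment into the container
        passed = {b.split("=")[0] for a, b in pairs if a == "-e"}
        findings += [f"docker args lack -e {n}" for n in REQUIRED_ENV if n not in passed]
        image = next((a for a in args if "mcp-cyberbro" in a), "")
        if "@sha256:" not in image:
            findings.append(f"image {image!r} is not pinned by digest")
        host_net = "--network=host" in args or ("--network", "host") in pairs
        if local and not host_net:
            findings.append("localhost URL resolves to the container itself, not the host")
    return findings

# Constructed sample: the page's Docker entry, wrapped in braces to form valid JSON.
PAGE_DOCKER_CONFIG = json.loads("""
{"mcpServers": {"cyberbro": {
    "command": "docker",
    "args": ["run", "-i", "--rm", "-e", "CYBERBRO_URL", "-e", "API_PREFIX",
             "ghcr.io/stanfrbd/mcp-cyberbro:latest"],
    "env": {"CYBERBRO_URL": "http://localhost:5000", "API_PREFIX": "api"}}}}
""")

# Constructed counterpart: hypothetical HTTPS host and a placeholder digest.
HARDENED_CONFIG = json.loads("""
{"mcpServers": {"cyberbro": {
    "command": "docker",
    "args": ["run", "-i", "--rm", "-e", "CYBERBRO_URL", "-e", "API_PREFIX",
             "ghcr.io/stanfrbd/mcp-cyberbro@sha256:<digest-placeholder>"],
    "env": {"CYBERBRO_URL": "https://cyberbro.example.internal", "API_PREFIX": "api"}}}}
""")

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_DOCKER_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_cyberbro_entry(cfg) or "no findings")
```

To lint a real file, pass the result of json.load() on your claude_desktop_config.json to lint_cyberbro_entry.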

Available Tools

| Tool Name | Description |
|---|---|
| analyze_observable | Extracts/analyzes IoCs from text |
| is_analysis_complete | Checks if analysis is finished |
| get_analysis_results | Retrieves results of completed analysis |
| get_engines | Lists available analysis engines |

Example Usage

  • "Cyberbro: Check indicators for target.com"
  • "Can you check this IP reputation with Cyberbro? 192.168.1.1"
  • "Analyze the domain example.com using max 3 engines."
  • "Submit this hash for analysis to Cyberbro and show the results."

Resources

Licensed under MIT. See the repo for details.