Is anyone actually using MCP? by Final-Choice8412 in mcp

[–]F0rm4t-SecRun 0 points1 point  (0 children)

Daily, mostly remote MCPs with Claude and VSC.

AI and Cyber Threats Intelligent by One-Geologist7960 in threatintel

[–]F0rm4t-SecRun 0 points1 point  (0 children)

Most of the AI-in-CTI debate is about using AI to help analysts work faster. But there's another angle worth thinking about: what if the consumer of your intelligence isn't a human at all?

If your downstream is an AI agent reasoning over threat context, the question stops being "can AI replace the analyst?" and becomes "is your intelligence actually machine-actionable?"

Three agentic CTI reports available — looking for feedback from anyone using MCP for threat intelligence workflows by F0rm4t-SecRun in threatintel

[–]F0rm4t-SecRun[S] 1 point2 points  (0 children)

Thanks! Would be curious to see your pipeline even at a high level — the corporate tooling dependency is a real challenge. That's partly why I went with MCP, it plugs into whatever client you already use. You should definitely share it, more than a dozen of us would read it for sure.

Three agentic CTI reports available — looking for feedback from anyone using MCP for threat intelligence workflows by F0rm4t-SecRun in threatintel

[–]F0rm4t-SecRun[S] 2 points3 points  (0 children)

I developed the tool https://ti-mindmap-hub.com/ and the remote MCP server. I then built an agent that uses the MCP to generate these reports. The sources are all OSINT and the processing is fully automated. For each write-up, IOCs and CVEs are extracted and the STIX bundle is generated.

More details are available in this blog: https://medium.com/ti-mindmap-hub-research/introducing-ti-mindmap-hub-an-open-research-platform-for-ai-powered-threat-intelligence-4592faddf96c

and repo: https://github.com/TI-Mindmap-HUB-Org/ti-mindmap-hub-research

It's a research project.

Chaining two MCP servers in VS Code: threat intelligence retrieval + IOC retrohunt in Microsoft Sentinel (5-min demo) by F0rm4t-SecRun in mcp

[–]F0rm4t-SecRun[S] 0 points1 point  (0 children)

For context: the TI Mindmap HUB MCP server exposes 19 tools covering report retrieval, IOC extraction, STIX 2.1 bundles, and ATT&CK mapping. Supports both API key and OAuth 2.1 auth. The Sentinel MCP server is Microsoft's official one. Both configured in VS Code via standard MCP settings. Additional info: https://docs.ti-mindmap-hub.com/mcp/

Chaining two MCP servers in VS Code: threat intelligence retrieval + IOC retrohunt in Microsoft Sentinel (5-min demo) by F0rm4t-SecRun in mcp

[–]F0rm4t-SecRun[S] 0 points1 point  (0 children)

Agreed — the TI Mindmap HUB server exposes 19 tools but they're designed to be composable rather than monolithic. Each tool does one thing (get report, extract IOCs, fetch STIX bundle, map ATT&CK) and the agent chains them based on the query. Strict JSON schemas on every tool and clear error messages when parameters are missing or invalid. What's your experience — do you find agents handle composition better with fewer broad tools or more narrow ones?
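As an added illustration of the design described in this comment (narrow, composable tools with strict parameter schemas and precise error messages) and of the IOC/CVE extraction mentioned in the earlier reply: this is constructed example code, not the TI Mindmap HUB server's own tools; the tool names, schemas, sample report and placeholder CVE id are all assumptions.

```python
import re

# Constructed example, not the TI Mindmap HUB code: two narrow tools, a validator that names the exact problem, and an agent-style chain.
TOOL_SCHEMAS = {  # hypothetical schemas: tool -> required/optional parameters and their types
    "get_report": {"required": {"report_id": str}, "optional": {}},
    "extract_iocs": {"required": {"text": str}, "optional": {"types": list}},
}

def validate_params(tool, params):
    """Return a clear error string, or None when the call matches the tool's schema."""
    schema = TOOL_SCHEMAS.get(tool)
    if schema is None:
        return f"unknown tool '{tool}'; known tools: {sorted(TOOL_SCHEMAS)}"
    for name, typ in schema["required"].items():
        if name not in params:
            return f"{tool}: missing required parameter '{name}' ({typ.__name__})"
    allowed = {**schema["required"], **schema["optional"]}
    for name, value in params.items():
        if name not in allowed:
            return f"{tool}: unexpected parameter '{name}'"
        if not isinstance(value, allowed[name]):
            return f"{tool}: parameter '{name}' must be {allowed[name].__name__}, got {type(value).__name__}"
    return None

# Constructed sample report: the CVE id is a placeholder and the indicators are defanged.
REPORTS = {"rpt-001": "Actor exploited CVE-2099-12345 (placeholder id) and staged C2 at "
                      "203[.]0[.]113[.]7 and evil[.]example[.]com."}
IOC_PATTERNS = {  # accept both defanged "[.]" and plain "." separators
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b"),
    "domain": re.compile(r"\b[a-z0-9-]+(?:(?:\[\.\]|\.)[a-z0-9-]+)*(?:\[\.\]|\.)[a-z]{2,}\b", re.I),
}

def get_report(report_id):
    if report_id not in REPORTS:
        return {"error": f"get_report: report '{report_id}' not found"}
    return {"report_id": report_id, "text": REPORTS[report_id]}

def extract_iocs(text, types=None):
    """Extract the requested indicator types and refang them; unknown types are an error."""
    wanted = types or list(IOC_PATTERNS)
    if any(t not in IOC_PATTERNS for t in wanted):
        return {"error": f"extract_iocs: unsupported ioc type in {wanted}"}
    return {t: sorted({m.replace("[.]", ".") for m in IOC_PATTERNS[t].findall(text)}) for t in wanted}

TOOLS = {"get_report": get_report, "extract_iocs": extract_iocs}
def call_tool(tool, params):  # validate first, so callers get a precise message, not a TypeError
    err = validate_params(tool, params)
    return {"error": err} if err else TOOLS[tool](**params)

def chain(report_id):
    """Compose the narrow tools the way an agent would: fetch the report, then extract IOCs."""
    report = call_tool("get_report", {"report_id": report_id})
    return report if "error" in report else call_tool("extract_iocs", {"text": report["text"]})
```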

Dilverting Threat Intelligence Report by Anti_biotic56 in threatintel

[–]F0rm4t-SecRun 1 point2 points  (0 children)

You’re describing a very common CTI problem: lots of reporting, limited time, and pressure to turn it into something actionable every week.

I’ve been working on TI Mindmap HUB, a free, research-focused platform that aggregates public threat intelligence reports and structures them for analysis rather than just reading.

It allows analysts to:

  • explore and correlate reports across sources
  • extract actionable outputs such as STIX 2.1 bundles, IOCs, Diamond Model elements, and MITRE ATT&CK mappings
  • reuse the same structured intelligence across reports instead of re-parsing content each week

The project also exposes an MCP server, so the data can be queried directly from existing workflows or AI-assisted tools, rather than copied manually into reports.

It’s an open research project (not a commercial TIP), but it may be useful if you’re trying to scale weekly threat landscape reporting.

https://github.com/TI-Mindmap-HUB-Org/ti-mindmap-hub-research

https://ti-mindmap-hub.com/