Threat Hunting MCP Server

A next-generation Model Context Protocol (MCP) server that hunts for behaviors, not indicators. Built on the philosophy that effective threat hunting focuses on adversary Tactics, Techniques, and Procedures (TTPs) at the top of the Pyramid of Pain—the behaviors that are hardest for attackers to change.

Philosophy: Hunt Behaviors, Not Indicators

This MCP server is designed around a core principle from the Pyramid of Pain:

                            ▲
                           ╱ ╲
                          ╱   ╲ 🎯 TOUGH
                         ╱ TTPs╲ ← WE FOCUS HERE
                        ╱———————╲
                       ╱         ╲
                      ╱ 🛠️  Tools ╲
                     ╱—————————————╲
                    ╱               ╲
                   ╱ 📊 Host/Network ╲
                  ╱———————————————————╲
                 ╱                     ╲
                ╱  🌐 Domain Names      ╲
               ╱—————————————————————————╲
              ╱                           ╲
             ╱     🔢 IP Addresses         ╲
            ╱———————————————————————————————╲
           ╱                                 ╲
          ╱       #️⃣  Hash Values             ╲
         ╱—————————————————————————————————————╲

Why behavioral hunting?

• Hash values → Adversaries change in seconds
• IP addresses → Adversaries change in minutes
• Domain names → Adversaries change in hours
• Network/Host artifacts → Adversaries change in days
• Tools → Adversaries change in weeks
• TTPs (Behaviors) → Adversaries change in months/years ✅ Hunt for these!

When you hunt for how adversaries behave rather than what specific indicators they use, you create durable detections that survive indicator rotation and force adversaries to fundamentally change their operations.

Features

Behavioral Hunting Focus

• TTP-First Approach: All hunts prioritize behavioral patterns over atomic indicators
• MITRE ATT&CK Integration: Deep integration with technique-level behavioral analytics
• Behavior Pattern Library: Pre-built detection logic for common adversary behaviors
• Anti-Evasion Design: Hunt for behaviors that persist across tool/infrastructure changes

Core Hunting Frameworks

• PEAK Methodology: Prepare, Execute, Act with Knowledge - state-of-the-art framework
• SQRRL Framework: Hunting Maturity Model (HMM0-HMM4) progression
• TaHiTI Framework ⭐ NEW: Targeted Hunting integrating Threat Intelligence (3 phases, 6 steps)
• Intelligence-Driven: Hypothesis-driven hunting using behavioral threat intelligence

Advanced Cognitive Capabilities ⭐ NEW

• Bias Awareness Checks: Heuristic prompts for confirmation, anchoring, and availability biases (rule-based, not ML — intended as analyst checklists, not automated judgment)
• Competing Hypotheses Generator: Generates benign / insider / external / supply-chain alternatives so ACH (Analysis of Competing Hypotheses) is forced before commitment
• Pyramid-of-Pain-weighted Confidence: TTP-level evidence anchors the score; lower-pyramid indicators (hashes, IPs) only add supplemental context and cannot dilute it
• Hunt Stopping Criteria: Coverage / diminishing-returns / time / confidence thresholds to prevent tunnel vision
• Investigation Question Generator: Standard skeptical prompts ("what would disprove this?", "what's missing?") to ensure thorough analysis

Graph-Based Threat Detection ⭐ NEW

• Attack Path Analysis: Identifies critical paths from initial compromise to crown jewels (domain controllers, databases, admin accounts)
• Living-off-the-Land Detection: Behavioral detection of LOLBin abuse via parent-child relationships and command-line patterns
• Pivot Point Identification: Brandes betweenness centrality (via NetworkX) over the attack graph; falls back to BFS short

... View full README on GitHub