Threat Hunting MCP Server

A next-generation Model Context Protocol (MCP) server that hunts for behaviors, not indicators. Built on the philosophy that effective threat hunting focuses on adversary Tactics, Techniques, and Procedures (TTPs) at the top of the Pyramid of Pain—the behaviors that are hardest for attackers to change.

Philosophy: Hunt Behaviors, Not Indicators

This MCP server is designed around a core principle from the Pyramid of Pain:

                            ▲
                           ╱ ╲
                          ╱   ╲ 🎯 TOUGH
                         ╱ TTPs╲ ← WE FOCUS HERE
                        ╱———————╲
                       ╱         ╲
                      ╱ 🛠️  Tools ╲
                     ╱—————————————╲
                    ╱               ╲
                   ╱ 📊 Host/Network ╲
                  ╱———————————————————╲
                 ╱                     ╲
                ╱  🌐 Domain Names      ╲
               ╱—————————————————————————╲
              ╱                           ╲
             ╱     🔢 IP Addresses         ╲
            ╱———————————————————————————————╲
           ╱                                 ╲
          ╱       #️⃣  Hash Values             ╲
         ╱—————————————————————————————————————╲

Why behavioral hunting?

• Hash values → Adversaries change in seconds
• IP addresses → Adversaries change in minutes
• Domain names → Adversaries change in hours
• Network/Host artifacts → Adversaries change in days
• Tools → Adversaries change in weeks
• TTPs (Behaviors) → Adversaries change in months/years ✅ Hunt for these!

When you hunt for how adversaries behave rather than what specific indicators they use, you create durable detections that survive indicator rotation and force adversaries to fundamentally change their operations.

Features

Behavioral Hunting Focus

• TTP-First Approach: All hunts prioritize behavioral patterns over atomic indicators
• MITRE ATT&CK Integration: Deep integration with technique-level behavioral analytics
• Behavior Pattern Library: Pre-built detection logic for common adversary behaviors
• Anti-Evasion Design: Hunt for behaviors that persist across tool/infrastructure changes

Core Hunting Frameworks

• PEAK Methodology: Prepare, Execute, Act with Knowledge - state-of-the-art framework
• SQRRL Framework: Hunting Maturity Model (HMM0-HMM4) progression
• TaHiTI Framework ⭐ NEW: Targeted Hunting integrating Threat Intelligence (3 phases, 6 steps)
• Intelligence-Driven: Hypothesis-driven hunting using behavioral threat intelligence

Advanced Cognitive Capabilities ⭐ NEW

• Bias Detection & Mitigation: Identifies confirmation, anchoring, and availability biases
• Competing Hypotheses Generation: Analysis of Competing Hypotheses (ACH) methodology
• Confidence Scoring: Multi-factor assessment prioritizing TTP-based detections
• Hunt Stopping Criteria: Prevents tunnel vision with objective completion metrics
• Expert Pattern Recognition: Built-in behavioral heuristics from elite threat hunters (88.3% accuracy)

Graph-Based Threat Detection ⭐ NEW

• Attack Path Analysis: Identifies critical paths from initial compromise to crown jewels
• Living-off-the-Land Detection: Behavioral detection of LOLBin abuse
• Pivot Point Identification: Betweenness centrality analysis for key attack nodes
• Provenance Tracking: Complete data lineage and ancestry chains
• Multi-Stage Attack Correlation: Reveals patterns invisible in isolation

Deception Technology Integration ⭐ NEW

• Honeytoken Deployment: Fake AWS keys, passwords, SSH keys, API tokens
• Strategic Placement: Browser history, .env files, config files, memory dumps
• Decoy Systems: Indistinguishable fake servers, workstations, databases
• Canary Files: Executive doc

... View full README on GitHub