SecurityBreak

Some posts about security, malware, reverse engineering

Building a Threat Intelligence GenAI Reporter with ORKL and Claude

Using Model Context Protocol (MCP)

Thomas Roccia
Published in SecurityBreak
10 min read · Nov 27, 2024

Anthropic has released the Model Context Protocol (MCP), an open protocol designed to facilitate the integration between LLM applications and external data sources or tools. In short, it is a standardized way to connect external data or tooling capabilities to an LLM or an agent.

There’s nothing groundbreaking about it (it is like creating an agent with function-calling capabilities or with prompt templates), but MCP provides a clean and structured approach to standardizing interactions and may also add a layer of security for your GenAI system. One interesting aspect is that it uses a client-server model.

I wanted to explore how MCP works and what we can build for a practical use case in threat intelligence.

By now, you’re probably familiar with my work around Generative AI and Cybersecurity (mainly Threat Intelligence). I created the Threat Report Summarization tool and mindmap, developed a RAG system for CTI, used LLM Vision for intelligence analysis, created DOCYara, a RAG agent for all things YARA, and leveraged agents for enrichment and threat intelligence capabilities, among other applications.

In this blog, I am going to leverage MCP with the ORKL database, a CTI library that contains public threat reports and IOCs. We will see how MCP and ORKL can be used to create a system that lets users interact with CTI reports. By the end of this blog, you’ll be able to create your own CTI Assistant tool! 👇

🤔 What Is MCP?

The Model Context Protocol (MCP) is an open standard designed to connect large language models (LLMs) with external data sources and tools. Its goal is to provide a standardized way to give LLM applications the context their workflow needs.

MCP has five core components: resources, prompts, tools, sampling, and transports, which allow efficient communication between clients, servers, and LLMs. It operates using a client/server architecture that facilitates interaction with these components.
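To make the client/server model concrete, here is an added sketch (not code from the original post or from the MCP SDK) of the JSON-RPC 2.0 messages a client and server exchange for the tools component. The `search_reports` tool and the in-memory report list are hypothetical and constructed for illustration; only the `tools/list` and `tools/call` methods and the message shapes come from the protocol.

```python
import json

# Constructed sample data standing in for a CTI library (not real ORKL records).
REPORTS = [
    {"id": "r1", "title": "Constructed report on loader activity", "year": 2023},
    {"id": "r2", "title": "Constructed report on phishing kits", "year": 2024},
]

# Hypothetical tool: the only capability this server declares, with a schema for its input.
TOOLS = {
    "search_reports": {
        "description": "Search report titles for a keyword",
        "inputSchema": {"type": "object", "required": ["keyword"],
                        "properties": {"keyword": {"type": "string"}}},
    }
}

def search_reports(keyword):
    hits = [r for r in REPORTS if keyword.lower() in r["title"].lower()]
    return json.dumps(hits)

def error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def handle(request):
    """Server side: dispatch one JSON-RPC 2.0 request from an MCP client."""
    req_id, method = request.get("id"), request.get("method")
    params = request.get("params") if isinstance(request.get("params"), dict) else {}
    if method == "tools/list":
        tools = [{"name": n, **spec} for n, spec in TOOLS.items()]
        return {"jsonrpc": "2.0", "id": req_id, "result": {"tools": tools}}
    if method == "tools/call":
        name, args = params.get("name"), params.get("arguments")
        if name not in TOOLS:  # nothing outside the declared tools is reachable
            return error(req_id, -32602, f"Unknown tool: {name}")
        if not isinstance(args, dict) or set(args) != {"keyword"} \
                or not isinstance(args["keyword"], str):
            return error(req_id, -32602, "Invalid arguments")
        text = search_reports(args["keyword"])
        return {"jsonrpc": "2.0", "id": req_id,
                "result": {"content": [{"type": "text", "text": text}], "isError": False}}
    return error(req_id, -32601, f"Method not found: {method}")

def call(method, params=None, req_id=1):
    """Client side: build a request, serialize it as a transport would, read the reply."""
    wire = json.dumps({"jsonrpc": "2.0", "id": req_id, "method": method, "params": params or {}})
    return json.loads(json.dumps(handle(json.loads(wire))))
```

The server-side checks in `handle` are where the "layer of security" sits: the LLM client can only invoke what the server declares, and only with arguments the server accepts.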
