VirusTotal MCP server
Enrich files, URLs, domains, and IPs with the Google Threat Intelligence corpus.
About
Connect Tracecat to VirusTotal to enrich files, URLs, domains, and IPs against the Google Threat Intelligence corpus for SOC analysts and incident responders working through IOCs. You can pull a file report by hash and review consolidated sandbox behavior across every detonation. From there, retrieve domain and IP reputation, run GTI threat collection searches, and fetch actor and campaign profiles with confidence.
Setup
1. Create an API key
   The Google Threat Intelligence MCP server authenticates with a VirusTotal API key. The key is read from the `VT_APIKEY` environment variable. Premium GTI tools require a paid Google Threat Intelligence subscription.
2. Select the VirusTotal tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the VirusTotal tile, and paste your API key.
3. Enable VirusTotal in your agent
   In your `ai.agent` action or Agents → tools tab, select VirusTotal from the MCP integrations dropdown.
Tools
- `get_file_report`: Fetch the VirusTotal analysis for a file by MD5, SHA-1, or SHA-256.
- `get_file_behavior_report`: Retrieve sandbox behavior data for a specific file and sandbox combination.
- `get_file_behavior_summary`: Get a consolidated summary across every sandbox that analyzed a file.
- `get_url_report`: Pull the VirusTotal report for a URL, including verdicts and categories.
- `get_domain_report`: Retrieve domain reputation, WHOIS, and passive DNS data.
- `get_ip_address_report`: Look up reputation, ASN, and historical resolutions for an IP.
- `search_iocs`: Run an intelligence search across files, URLs, domains, and IPs.
- `search_threats`: Query the GTI threat collection using Google Threat Intelligence syntax.
- `search_threat_actors`: Find threat actor profiles tracked by Google Threat Intelligence.
- `get_collection_report`: Fetch a GTI collection report covering an actor, campaign, or malware family.