VirusTotal MCP server
Enrich files, URLs, domains, and IPs with the Google Threat Intelligence corpus.
About
Connect Tracecat to VirusTotal to enrich files, URLs, domains, and IPs against the Google Threat Intelligence corpus, for SOC analysts and incident responders working through IOCs. You can pull a file report by hash and review consolidated sandbox behavior across every detonation, retrieve domain and IP reputation, run GTI threat collection searches, and fetch threat actor and campaign profiles.
Setup
1. Create an API key
   The Google Threat Intelligence MCP server authenticates with a VirusTotal API key. The key is read from the `VT_APIKEY` environment variable. Premium GTI tools require a paid Google Threat Intelligence subscription.
2. Select the VirusTotal tile in the Tracecat MCP catalog
   Open the MCP catalog in your workspace, select the VirusTotal tile, and paste your API key.
3. Enable VirusTotal in your agent
   In your `ai.agent` action or the Agents → tools tab, select VirusTotal from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| `get_file_report` | Fetch the VirusTotal analysis for a file by MD5, SHA-1, or SHA-256. |
| `get_file_behavior_report` | Retrieve sandbox behavior data for a specific file and sandbox combination. |
| `get_file_behavior_summary` | Get a consolidated summary across every sandbox that analyzed a file. |
| `get_url_report` | Pull the VirusTotal report for a URL, including verdicts and categories. |
| `get_domain_report` | Retrieve domain reputation, WHOIS, and passive DNS data. |
| `get_ip_address_report` | Look up reputation, ASN, and historical resolutions for an IP. |
| `search_iocs` | Run an intelligence search across files, URLs, domains, and IPs. |
| `search_threats` | Query the GTI threat collection using Google Threat Intelligence syntax. |
| `search_threat_actors` | Find threat actor profiles tracked by Google Threat Intelligence. |
| `get_collection_report` | Fetch a GTI collection report covering an actor, campaign, or malware family. |