Open Innovation The UnpromptedSubmitted July 18, 2026

ThreatWeaver — Every IOC Tells a Story. We Let AI Tell It.

An MCP app on the Model Context Protocol built by The Unprompted at the Amrita University Amritapuri campus NitroStack × MCP To The Moon hackathon and deployed on NitroStack.

About this project

# ThreatWeaver – Intelligent Threat Investigation Through AI Reasoning ## What does it do? ThreatWeaver is an MCP-native threat investigation server enabling Claude to autonomously investigate indicators of compromise across multiple threat intelligence sources, detect coordinated attack patterns, and generate STIX 2.1-compliant reports. Given an IOC (IP, domain, URL, or hash), ThreatWeaver queries VirusTotal, AbuseIPDB, URLhaus, and Shodan in parallel, correlates findings to detect threat campaigns, maps evidence to MITRE ATT&CK techniques, and generates investigation reports with confidence scores and remediation guidance. ## Who is it for? Security Operations Center analysts, Incident Response teams, Threat Intelligence analysts, and organizations seeking to augment threat investigation with AI reasoning. ## What makes it special? **The problem:** Security analysts waste 15-20 minutes per investigation switching between fragmented tools, manually cross-referencing findings, and missing coordinated threat patterns. **The difference:** 1. **Agentic reasoning** — Claude reasons about multi-source findings and identifies patterns automatically, not just retrieving data 2. **Persistent context** — Investigation state persists across tool calls via MCP Resources, enabling natural follow-up questions without re-prompting 3. **Automatic correlation** — Detects campaigns by identifying shared ASNs, registrants, and malware families across investigation history 4. **MCP-native design** — Demonstrates that MCP enables complex reasoning in specialized domains like cybersecurity, beyond productivity use cases 5. **Enterprise output** — STIX 2.1 reports integrate directly into Splunk, Elastic, and Sentinel 6. **Offline capable** — Works without API keys using pre-loaded threat data **Result:** Approximately 90 second investigations instead of 15-20 minutes, with pattern detection humans would miss.

Open Innovation track

Solve any real-world problem with AI, regardless of industry or domain.

Team The Unprompted

  • H DEVANARAYANANLead

  • Maddi Hemanth Pramod

  • NIKHIL VINAYAKAM

  • MIDDEPALLI MAHIDHARA REDDY

Frequently asked questions

What does ThreatWeaver — Every IOC Tells a Story. We Let AI Tell It. do?
# ThreatWeaver – Intelligent Threat Investigation Through AI Reasoning ## What does it do? ThreatWeaver is an MCP-native threat investigation server enabling Claude to autonomously investigate indicators of compromise across multiple threat intelligence sources, detect coordinated attack patterns, and generate STIX 2.1-compliant reports. Given an IOC (IP, domain, URL, or hash), ThreatWeaver queries VirusTotal, AbuseIPDB, URLhaus, and Shodan in parallel, correlates findings to detect threat campaigns, maps evidence to MITRE ATT&CK techniques, and generates investigation reports with confidence scores and remediation guidance. ## Who is it for? Security Operations Center analysts, Incident Response teams, Threat Intelligence analysts, and organizations seeking to augment threat investigation with AI reasoning. ## What makes it special? **The problem:** Security analysts waste 15-20 minutes per investigation switching between fragmented tools, manually cross-referencing findings, and missing coordinated threat patterns. **The difference:** 1. **Agentic reasoning** — Claude reasons about multi-source findings and identifies patterns automatically, not just retrieving data 2. **Persistent context** — Investigation state persists across tool calls via MCP Resources, enabling natural follow-up questions without re-prompting 3. **Automatic correlation** — Detects campaigns by identifying shared ASNs, registrants, and malware families across investigation history 4. **MCP-native design** — Demonstrates that MCP enables complex reasoning in specialized domains like cybersecurity, beyond productivity use cases 5. **Enterprise output** — STIX 2.1 reports integrate directly into Splunk, Elastic, and Sentinel 6. **Offline capable** — Works without API keys using pre-loaded threat data **Result:** Approximately 90 second investigations instead of 15-20 minutes, with pattern detection humans would miss.
Who built ThreatWeaver — Every IOC Tells a Story. We Let AI Tell It.?
ThreatWeaver — Every IOC Tells a Story. We Let AI Tell It. was built by team The Unprompted at the Amrita University Amritapuri campus NitroStack × MCP To The Moon hackathon, in the Open Innovation track.
What is an MCP app and how is it built?
An MCP app is an application built on the Model Context Protocol — an open standard that lets AI agents connect to tools, data, and APIs. This project exposes MCP tools and resources that agentic AI systems can call. It was built and deployed on NitroStack, the full-stack platform for shipping MCP apps and servers.