About this project
# ThreatWeaver – Intelligent Threat Investigation Through AI Reasoning ## What does it do? ThreatWeaver is an MCP-native threat investigation server enabling Claude to autonomously investigate indicators of compromise across multiple threat intelligence sources, detect coordinated attack patterns, and generate STIX 2.1-compliant reports. Given an IOC (IP, domain, URL, or hash), ThreatWeaver queries VirusTotal, AbuseIPDB, URLhaus, and Shodan in parallel, correlates findings to detect threat campaigns, maps evidence to MITRE ATT&CK techniques, and generates investigation reports with confidence scores and remediation guidance. ## Who is it for? Security Operations Center analysts, Incident Response teams, Threat Intelligence analysts, and organizations seeking to augment threat investigation with AI reasoning. ## What makes it special? **The problem:** Security analysts waste 15-20 minutes per investigation switching between fragmented tools, manually cross-referencing findings, and missing coordinated threat patterns. **The difference:** 1. **Agentic reasoning** — Claude reasons about multi-source findings and identifies patterns automatically, not just retrieving data 2. **Persistent context** — Investigation state persists across tool calls via MCP Resources, enabling natural follow-up questions without re-prompting 3. **Automatic correlation** — Detects campaigns by identifying shared ASNs, registrants, and malware families across investigation history 4. **MCP-native design** — Demonstrates that MCP enables complex reasoning in specialized domains like cybersecurity, beyond productivity use cases 5. **Enterprise output** — STIX 2.1 reports integrate directly into Splunk, Elastic, and Sentinel 6. **Offline capable** — Works without API keys using pre-loaded threat data **Result:** Approximately 90 second investigations instead of 15-20 minutes, with pattern detection humans would miss.
Open Innovation track
Solve any real-world problem with AI, regardless of industry or domain.