AI tools create dangerous blind spots for security teams. Without real-time threat context, they’re limited to outdated knowledge and partial responses that can miss critical emerging threats.
With Feedly’s Threat Graph MCP Server, you can:
- Give your AI tools the context they need. Connect them directly to Feedly’s Real-time Threat Graph, eliminating blind spots with live visibility into the evolving threat landscape.
- Get rich actionable intelligence. Relationships between threats, actors, and campaigns from 10,000+ monitored sources in near real-time.
- Automate end-to-end CTI workflows. Orchestrate multiple MCP servers at once.
Let’s walk through four scenarios, from simple queries to complex workflows, that showcase how you can perform more accurate CTI research when connecting Claude to the Feedly Real-Time Threat Graph.
First, what is an MCP Server, and how can it help?
An MCP (Model Context Protocol) server is a standardized interface that enables AI assistants to access tools and data sources directly in real time. The Feedly MCP Server allows Claude AI to pull fresh intelligence directly from Feedly’s Real-Time Threat Graph.
For CTI analysts, this means you can ask Claude CTI research questions, such as “What are the latest TTPs associated with APT29?” and it will fetch current data from the Feedly Threat Graph, rather than relying solely on fragmented web search data. This improved context enables Claude to provide more timely, relevant, and actionable insights.
Claude’s reasoning and use of specialized tools show how it thinks like a CTI analyst: identifying and looking up APT29, extracting relationships, and synthesizing recent campaign intelligence with cited sources.
Demo 1: Tracking active ransomware campaigns
Prompt
What's trending in ransomware attacks this month?
Web search gives Claude and other AI tools a few articles to improve the currency of its LLM-trained answer. However, it rarely gives a comprehensive view of current and evolving cyber events. The Feedly MCP Server connects your AI tools directly to our Real-Time Threat Graph, giving you comprehensive, connected intelligence from 10,000+ sources with pre-mapped relationships between actors, campaigns, and vulnerabilities.
Result
When you ask Claude this question with the Feedly MCP Server enabled, it automatically queries our Threat Graph for ransomware activity from the last 30 days. The AI selects and chains multiple tools, pulling trending cyber attacks, filtering by attack type, and identifying the responsible threat actors.
What you get: Specific ransomware trends with attribution, affected sectors, ransom demands, and financial impact. Not fragments from random search results that miss the connections.
Why it matters: More complete and up-to-date context from the Real-Time Threat Graph, rather than a few articles that ranked well in search, helps the AI produce answers that reflect all known relationships and recent activity. The responses are more actionable so you can quickly move from question to action and start protecting your business.
Demo 2: Identifying actively exploited vulnerabilities
Prompt
What are the most dangerous vulnerabilities discovered in the past week that threat actors are already exploiting? For each one, tell me: who's exploiting it, what malware they're using, what industries they're targeting, and if there are any proof-of-concept exploits or Metasploit modules available.
Result
This query triggers complex reasoning. The MCP Server pulls trending vulnerabilities, cross-references them with threat actor activity, identifies associated malware families, and checks for available exploits—all automatically.
What you get: CVEs with active exploitation evidence, specific threat actor attribution, targeted sectors, associated malware families, and exploit availability status.
Why it matters: Instead of manually pivoting between NVD, threat feeds, and campaign reports, you get the full threat context in one query. You immediately know if a CVE is being weaponized, by whom, and against what sectors, so you can prioritize patching based on actual risk to your environment, not just CVSS scores.
Demo 3: Building actionable threat hunts
Prompt
Build me a threat hunt for Scattered Spider based on their last 3 months of activity.
Result
The MCP Server reasons through Scattered Spider’s recent campaigns, extracting their current TTPs, infrastructure patterns, and targeting preferences from reported incidents.
What you get:
- Current TTPs mapped to MITRE ATT&CK based on observed activity.
- Detection opportunities tied to their recent Salesforce and identity provider campaigns.
- Queries ready to run in your SIEM.
Why it matters: When investigating Scattered Spider, you need a full operational picture, not search results. The Feedly MCP Server gives you deduplicated intelligence from thousands of sources, temporally organized so you can see how their tactics evolved. You’re working with their complete recent activity profile, ready to operationalize.
Demo 4: Multi-tool orchestration for end-to-end workflows
Prompt
Research Scattered Spider's latest TTPs in Feedly, create a threat hunt for my Wazuh SIEM, document it in Notion using my threat hunting template, and share results to Slack.
Result
This demo shows true orchestration: the Threat Graph MCP Server working alongside other MCP tools to automate a complete threat hunting workflow.
The automated workflow:
- Feedly MCP queries the Threat Graph for Scattered Spider intelligence.
- Generates specific Wazuh queries based on extracted IoCs and TTPs.
- Structures findings using your Notion threat hunting template.
- Posts formatted results to your Slack channel.
What you get: A complete, documented threat hunt with:
- Intelligence context from Feedly’s Threat Graph
- Ready-to-run SIEM queries
- Structured documentation in your existing format
- Team notification with key findings
Why it matters: MCP isn’t just about querying data. It’s also about integrating real-time threat intelligence into your existing workflows. The context from Feedly’s Threat Graph flows directly into your security tools, eliminating the copy-paste shuffle between platforms and ensuring your hunts are based on current intelligence.
From signals to action in minutes
Context makes AI better. Web search gives you fragments, while the Feedly MCP Server, extracting context from the Feedly Threat Graph, gives you a complete, connected picture. By automating threat investigations that used to take hours, your team can prioritize faster, respond sooner, and reduce risk exposure. Your AI tools now operate with real-time context, making responses actionable, verifiable, and ready when threats emerge.
Automate CTI workflows with Claude and the Feedly Threat Graph
Feedly’s MCP Server gives AI tools the context they need to deliver more accurate CTI responses.