Prerequisites
/
Install package
/
Configure
/
Test
Agent Integration Guide

Connect via MCP (Model Context Protocol)

Give your MCP-compatible agent — Claude Code, Cursor, Goose, or any other — access to ThreatRecall's memory layer. One npm package, one config file, done.

Time: ~5 minutes
Works with: Claude Code, Cursor, Goose, any MCP client
Package: @threatrecall/mcp-server

What you'll need

  • Node.js 18 or later installed
  • A ThreatRecall workspace with an API key
  • An MCP-compatible agent (Claude Code, Cursor, or similar)
Don't have an API key yet? Sign in to your ThreatRecall dashboard and go to Settings → API Keys to create one.

Step-by-step setup

Step 1
Install the MCP server package

Open your terminal and install the ThreatRecall MCP server package.

Terminal 
npm install -g @threatrecall/mcp-server
The package is now installed globally and the threatrecall-mcp command is available in your terminal.
Step 2
Create your MCP settings file

Create a settings file for your agent. The location depends on your tool:

File: ~/.config/claude/mcp.json (Claude Code) 
{
  "mcpServers": {
    "threatrecall": {
      "command": "npx",
      "args": ["-y", "@threatrecall/mcp-server"],
      "env": {
        "THREATRECALL_API_KEY": "your_api_key_here",
        "THREATRECALL_WORKSPACE_URL": "https://app.threatrecall.ai"
      }
    }
  }
}
Your agent will now have access to ThreatRecall tools every time it starts. The config tells Claude Code where to find the MCP server and how to authenticate.
Cursor users: Add the same entry to ~/.cursor/mcp.json. For Goose, check the docs for ~/.config/goose/mcp.json — the format is identical.
Step 3
Restart your agent

Close and reopen Claude Code (or whichever agent you're using). It will discover the ThreatRecall MCP server on startup.

Terminal 
# Restart Claude Code — the MCP server will be detected automatically
claude
Claude Code discovers the ThreatRecall MCP server and makes its tools available to the agent.
Step 4
Query ThreatRecall from your agent

Once running, your agent can use these tools directly. Try asking it something like this:

Claude Code prompt 
Search ThreatRecall for any CVEs related to Log4Shell. Show me the affected actors and any associated IOCs.
The agent calls ThreatRecall's recall API, which searches your knowledge graph and returns matching entities with confidence scores and relationships.

Available MCP tools

Your agent gets these tools automatically:

Tool Description
threatrecall_recall Natural language search across your CTI knowledge base. Returns actors, CVEs, IOCs, TTPs with confidence scores.
threatrecall_get_node Look up a specific entity by ID or alias. Returns the node and all its outgoing edges.
threatrecall_query_graph Run a structured graph query: traverse relationships between nodes, filter by type.
threatrecall_add_node Create a new entity in your knowledge graph. Specify type, name, and optional metadata.
threatrecall_add_edge Add a relationship between two existing nodes. Specify relationship type and confidence.

Test your setup

Ask your agent to run this command to confirm everything is working:

Claude Code prompt 
Use threatrecall_recall to find any entities related to "ransomware" and tell me how many results came back.
If you see a list of ransomware-related actors, TTPs, or campaigns from your workspace — your connection is working.

Troubleshooting

Problem: "MCP server not found" error
Fix: Make sure the mcpServers key in your JSON file is plural. Also try running npx -y @threatrecall/mcp-server --version to verify the package installed.
Problem: "Invalid API key" response
Fix: Go to Settings → API Keys in your dashboard and copy the key exactly — no extra spaces. If you regenerated it, update your mcp.json file.
Problem: Agent doesn't show any ThreatRecall tools
Fix: Restart the agent completely. Some tools only load on startup. Also check that your config file is in the correct location for your specific agent.