maltego-mcp

An MCP server that lets an LLM author Maltego graph files and run primitive OSINT lookups.

Website

maltego-mcp is a Model Context Protocol (MCP) server that lets an LLM author Maltego .mtgx graph files and run primitive OSINT lookups (whois, DNS, ASN, crt.sh) from inside an agent session. It exists because graph-driven OSINT investigation in Maltego Desktop is normally point-and-click work, and an agent that can already reason over indicators should be able to produce the graph directly instead of dictating clicks to a human. It differs from a Maltego transform pack by living in the agent layer first: the graph is built and saved to disk by tool calls, then opened in Maltego, so it works even on the Basic plan and without paid connectors. A second optional layer (Phase B) does add native right-click transforms inside Maltego Desktop for teams that want that too.

What it does

maltego-mcp is an MCP server for Maltego Desktop OSINT that gives an LLM agent a small, typed toolset for building Maltego graphs and enriching indicators of compromise. An agent calls these tools to create a graph, add entities and links, run whois / DNS / ASN / certificate-transparency lookups, expand an IP or domain into a pivot map, and write the result to a .mtgx file you open in Maltego Graph Desktop. Keywords: Maltego, MCP server, OSINT, threat intelligence, graph, whois, DNS, ASN, crt.sh, indicators of compromise.

It ships as two cooperating layers:

• Phase A (TypeScript MCP server): lets an LLM author Maltego .mtgx graph files and run primitive OSINT lookups (whois / DNS / ASN / crt.sh). Graphs land on disk and you open them in Maltego Desktop.
• Phase B (Python TRX transforms in a .mtz): adds right-click pivots into MISP, TheHive, Cortex, and the bundled MITRE ATT&CK dataset directly inside Maltego Desktop. See transforms/README.md.

The two phases share the repo, nothing else. Either layer can be uninstalled without breaking the other.

Quickstart

Install globally and register it with an MCP client:

npm install -g maltego-mcp

Add it to your MCP client config (Claude Desktop shown; the same command works in any stdio MCP client):

{
  "mcpServers": {
    "maltego": {
      "command": "maltego-mcp"
    }
  }
}

Restart the client and the maltego_* tools appear. From a source checkout, point the client at the built entrypoint instead:

{
  "mcpServers": {
    "maltego": {
      "command": "node",
      "args": ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
    }
  }
}

Status: the npm package is published (latest tag v0.3.0); 0.4.0 is in development and ships from a source build. Phase B transforms require a source checkout. See Install for all client recipes.

Tools (Phase A)

maltego-mcp registers 13 MCP tools, verified against src/tools/index.ts:

Graph authoring

• maltego_create_graph(name) — returns graphId
• maltego_add_entity(graphId, type, value, properties?) — returns entityId
• maltego_add_link(graphId, from, to, label?, properties?) — returns linkId
• maltego_save_graph(graphId, path, overwrite?) — writes .mtgx
• maltego_load_graph(path) — parses an existing .mtgx into a new handle

Primitive lookups

• maltego_whois(domain) — registrar, nameservers, dates
• maltego_dns(domain) — A/AAAA/MX/NS/TXT
• maltego_asn(ip) — Team Cymru ASN, prefix, country, org
• maltego_crtsh(domain) — certificate transparency entries

Convenience expanders

• maltego_expand_ip(ip, outputPath, overwrite?) — IP + ASN + netblock, saved as .mtgx
• maltego_expand_domain(domain, outputPath, overwrite?) — domain + whois + DNS + ASN per A record
• maltego_expand_hash(hash, outputPath, algorithm?, overwrite?) — hash entity (extend in later versions)
• maltego_build_ioc_graph(ioc, outputPath, ...) — one IOC plus enrichment summaries from other MCPs, saved as .mtgx

Entity types

Standard Maltego ontology: IPv4Address, IPv6Address, Domain, URL, Hash, EmailAddress, Netblock, AS, Website, Company, Person. For concepts without a standard type, use Phrase with a category prefix ([T1566] Phishing, [TheHive] Case #42).

Composing with other MCPs

maltego-mcp does not embed third-party threat-intel clients. For MISP events, ATT&CK techniques, Cortex reports, etc., call the dedicated MCPs (misp-mcp, mitre-mcp, cortex-mcp, etc.) and pipe results into maltego_add_entity / maltego_add_link. Or, for in-Maltego pivots, install Phase B (below).

For the common "one IOC, many enrichments" case, use
maltego_build_ioc_graph: call misp-mcp, thehive-mcp, cortex-mcp, and
mitre-mcp first, summarize their results into the tool's mispEvents,
thehiveCases, cortexReports, and attackTechniques arrays, then save one
combined .mtgx. The tool keeps service calls out of this package while still
making the graph bridge a single MCP call.

Why not a Maltego transform pack alone?

Native Maltego transforms are great once an investigation is already open in the
Desktop client, but they assume a human is driving the canvas and, for live
remote data, often a paid plan or connector. maltego-mcp puts graph authoring in
the agent layer so an LLM can build and save a .mtgx from indicators it is
already reasoning about, with no canvas clicks and no connector requirement. If
you also want in-Maltego right-click pivots, Phase B ships them as a .mtz you
import. You are not forced to choose: run the MCP server, the transforms, or
both.

Why not just hand the LLM raw whois/DNS tooling?

You can, but then the model has to remember the Maltego .mtgx XML format,
entity ontology, and link wiring on every call. maltego-mcp encodes that once:
the lookups return normalized fields, and the graph tools emit a valid .mtgx
that opens cleanly in Maltego Desktop. The expanders bundle the common pivots
(IP to ASN to netblock, domain to whois to DNS to ASN) into one call so the
agent does not re-derive them each time.

What maltego-mcp is not

• Not a Maltego replacement. It produces .mtgx files; you still open and
  drive them in Maltego Graph Desktop.
• Not a threat-intel platform. It does not embed MISP, TheHive, Cortex, or
  VirusTotal clients. It composes with the dedicated MCPs for those.
• Not a paid-connector bypass. Live transform results are still bound by your
  Maltego plan and connector limits.
• Not a bulk scanner. The lookups are primitive, single-target enrichments
  meant to build a graph, not a high-volume reconnaissance engine.

Requirements

• Node.js 20+
• Maltego Graph Desktop (Basic, Pro, or Enterprise) for either layer to be useful
• Phase B only: Python 3.11+ on the Maltego host

Maltego Basic compatibility

The default workflow is Basic-friendly: generate .mtgx files with Phase A,
then open or import them in Maltego Graph Desktop. The included demo graph is
kept under 24 entities so it stays useful on the Basic plan's per-transform
result limit. Local TRX transforms are supported on Basic, but their live
results are still subject to your Maltego plan and connector limits. See
Maltego's current products and plans
and Basic data access notes.

Install

npm install -g maltego-mcp

Or from source (required for Phase B transforms):

git clone https://github.com/solomonneas/maltego-mcp.git
cd maltego-mcp
npm install
npm run build

Basic-friendly demo graph

Generate a no-network .mtgx demo that shows how an IOC can connect to MISP,
TheHive, Cortex, MITRE ATT&CK, and a triage playbook without requiring API keys
or paid Maltego connectors:

npm run demo:basic

Output defaults to dist/maltego-mcp-basic-soc-demo.mtgx. Open that file in
Maltego Graph Desktop. To choose a different path:

npm run demo:basic -- --output ~/MaltegoGraphs/basic-soc-demo.mtgx

The demo uses documentation-safe indicators such as 203.0.113.42 and
example.invalid; it is meant to prove the graph format and visual workflow,
not to perform live enrichment.

Configuration

Both env vars are optional.

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "maltego": {
      "command": "maltego-mcp"
    }
  }
}

Or, when running from a source checkout instead of the global npm install:

{
  "mcpServers": {
    "maltego": {
      "command": "node",
      "args": ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
    }
  }
}

Restart Claude Desktop. The maltego_* tools should appear.

Claude Code

claude mcp add maltego -- maltego-mcp

Or from a source checkout:

claude mcp add maltego -- node /absolute/path/to/maltego-mcp/dist/mcp-server.js

Add --scope user to make it available from any directory instead of only the current project.

OpenClaw

Recommended: install as an OpenClaw plugin via ClawHub.

openclaw plugins install clawhub:maltego
openclaw plugins list   # confirm "maltego" is registered

This installs the same package as a native OpenClaw plugin — tool calls go through the plugin SDK directly instead of spawning a separate stdio MCP process. Configure outputDir and lookupTimeoutMs in OpenClaw's plugin config UI or via the JSON config file. Restart the OpenClaw gateway after installing so the plugin is picked up.

Or, register as a stdio MCP server (manual):

openclaw mcp set maltego '{
  "command": "maltego-mcp"
}'

Or, when running from a source checkout:

openclaw mcp set maltego '{
  "command": "node",
  "args": ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]
}'

Then restart the OpenClaw gateway so the new server is picked up and confirm registration with openclaw mcp list.

Hermes Agent

Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:

mcp_servers:
  maltego:
    command: "maltego-mcp"

Or, when running from a source checkout:

mcp_servers:
  maltego:
    command: "node"
    args: ["/absolute/path/to/maltego-mcp/dist/mcp-server.js"]

Then reload MCP from inside a Hermes session:

/reload-mcp

Codex CLI

Codex CLI registers MCP servers via codex mcp add:

codex mcp add maltego -- maltego-mcp

Or from a source checkout:

codex mcp add maltego -- node /absolute/path/to/maltego-mcp/dist/mcp-server.js

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.maltego]. Verify with codex mcp list.

Phase B: in-Maltego transforms (.mtz)

A separate Python transform layer ships right-click pivots into MISP, TheHive, Cortex, and ATT&CK directly inside Maltego Desktop. See transforms/README.md for full setup.

Quick start (from a source checkout, on the Maltego host):

npm run setup:transforms     # creates transforms/.venv with maltego-trx pinned
npm run build:mtz            # writes dist/maltego-mcp-transforms.mtz
# Then in Maltego: Import -> Configuration -> dist/maltego-mcp-transforms.mtz

The build bakes the absolute path of transforms/.venv into the manifest, so the .mtz is tied to the host that built it. Re-run npm run build:mtz if the repo moves.

Example prompts

Build me a Maltego graph for the domain example.com with whois, DNS, and ASN expansion.

Calls maltego_expand_domain and returns the path to the saved .mtgx.

Pivot from this IP — give me ASN + netblock as a Maltego graph.

Calls maltego_expand_ip.

Look up the cert transparency log for example.com.

Calls maltego_crtsh and returns matching certificates.

Build a Maltego graph for this hash using the MISP events, TheHive cases,
Cortex reports, and ATT&CK techniques we already gathered.

Calls maltego_build_ioc_graph with an input shaped like:

{
  "ioc": {
    "type": "Hash",
    "value": "d41d8cd98f00b204e9800998ecf8427e",
    "properties": { "algorithm": "md5" }
  },
  "outputPath": "hash-investigation.mtgx",
  "mispEvents": [{ "id": 1001, "info": "demo phishing cluster" }],
  "thehiveCases": [{ "id": 42, "title": "Phishing triage", "severity": "high" }],
  "cortexReports": [{ "analyzer": "HashLookup", "verdict": "suspicious" }],
  "attackTechniques": [{ "id": "T1566", "name": "Phishing", "tactic": "Initial Access" }]
}

Development

npm test                # Phase A unit tests (vitest)
npm run test:integration
npm run test:all
npm run typecheck
npm run test:transforms # Phase B pytest suite

Contributing

Issues and pull requests are welcome. See CONTRIBUTING.md for what lands easily, SECURITY.md for how to report a vulnerability privately, and CODE_OF_CONDUCT.md.

License

MIT