MCP Servers for SOC Teams: 10 Threat Intelligence Use Cases
SOC teams are under constant pressure to investigate alerts, correlate intelligence, and respond to incidents quickly, all while switching between different tools and dashboards. Valuable data is frequently available, but manual enrichment and siloed workflows slow analysts down and increase the likelihood of missed threats.
MCP servers enable AI agents to translate natural-language queries into structured tool interactions, allowing analysts to pull together context from multiple sources without manually switching between platforms. SOC teams can use SOCRadar MCP Server to investigate infrastructure, identify critical incidents, retrieve IOCs, detect phishing domains, and more, all from a single interface.
The use cases below demonstrate how SOC analysts can incorporate SOCRadar MCP Server into their daily operations to accelerate triage, improve visibility, and strengthen response workflows.
SOCRadar MCP Server in SOC Operations
Security operations teams are under constant pressure to keep up with an expanding attack surface, rising alert volumes, and an ever-growing list of intelligence sources. Analysts are expected to pivot between dashboards, enrich indicators manually, and correlate data across multiple tools, all while maintaining rapid response times. The problem is rarely the lack of data; it’s the operational friction of turning that data into timely, actionable intelligence.
Model Context Protocol (MCP) servers offer a new way to streamline these workflows. By acting as a standardized interface, or protocol, between AI systems and external tools, MCP servers allow SOC analysts to run structured, natural language queries that pull, correlate, and act on intelligence in real time. This eliminates the need for custom scripts or endless tool-switching during investigations.
SOCRadar’s MCP Server brings this capability to the full spectrum of threat intelligence, attack surface data, vulnerability insights, and Dark Web monitoring. Analysts can issue a single query to:
- Run deep investigations on IPs, domains, and threat actors
- Surface critical incidents instantly across multiple sources
- Retrieve the latest IOCs for rapid blocking and hunting
- Detect phishing domains, leaked credentials, and code repository exposures without manual searching
The following sections outline 10 practical use cases plus a bonus scenario demonstrating how SOC teams can leverage SOCRadar MCP Server to accelerate investigations, triage threats more effectively, and maintain better visibility without drowning in fragmented data.
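To make the "structured tool interaction" concrete, here is an added example (not SOCRadar's code) of the JSON-RPC exchange an MCP client and server use for `tools/list` and `tools/call`. The `investigate_ip` tool, its argument schema and the canned findings are hypothetical; only the JSON-RPC envelope, the method names and the `isError` result convention follow the MCP specification.

```python
"""Minimal MCP-style JSON-RPC 2.0 exchange between a client and a tool server.

Added example, not SOCRadar's code. The tool name `investigate_ip`, its argument
schema and the canned CTI data are hypothetical stand-ins.
"""
import ipaddress
import json

# --- server side ------------------------------------------------------------

# Constructed intelligence "database" standing in for a real CTI backend.
FAKE_CTI = {
    "198.51.100.10": {"risk": "medium", "malicious_objects": 100, "repos": 10},
}

TOOLS = [
    {
        "name": "investigate_ip",
        "description": "Return CTI context for a single IPv4/IPv6 address.",
        "inputSchema": {
            "type": "object",
            "properties": {"ip": {"type": "string"}},
            "required": ["ip"],
        },
    }
]


def handle_request(raw: str) -> str:
    """Dispatch one JSON-RPC request (as a JSON string) and return the response."""
    req = json.loads(raw)
    rid = req.get("id")
    method = req.get("method")
    if method == "tools/list":
        return json.dumps({"jsonrpc": "2.0", "id": rid, "result": {"tools": TOOLS}})
    if method == "tools/call":
        params = req.get("params", {})
        if params.get("name") != "investigate_ip":
            return json.dumps({"jsonrpc": "2.0", "id": rid,
                               "error": {"code": -32602, "message": "unknown tool"}})
        ip = str(params.get("arguments", {}).get("ip", ""))
        try:
            ipaddress.ip_address(ip)  # validate the argument before touching a backend
        except ValueError:
            # MCP reports tool-level failures inside the result with isError=true,
            # so the model sees the failure text and can retry with a fixed argument.
            return json.dumps({"jsonrpc": "2.0", "id": rid, "result": {
                "content": [{"type": "text", "text": f"invalid ip: {ip!r}"}],
                "isError": True}})
        hit = FAKE_CTI.get(ip, {"risk": "unknown", "malicious_objects": 0, "repos": 0})
        return json.dumps({"jsonrpc": "2.0", "id": rid, "result": {
            "content": [{"type": "text", "text": json.dumps({"ip": ip, **hit})}],
            "isError": False}})
    return json.dumps({"jsonrpc": "2.0", "id": rid,
                       "error": {"code": -32601, "message": "method not found"}})

# --- client side ------------------------------------------------------------

def list_tools() -> list:
    """Discover the server's tools; an AI agent uses this to plan tool calls."""
    resp = json.loads(handle_request(json.dumps(
        {"jsonrpc": "2.0", "id": 0, "method": "tools/list"})))
    return [t["name"] for t in resp["result"]["tools"]]


def call_tool(name: str, arguments: dict, rid: int = 1) -> dict:
    """Build a tools/call request, pass it to the server and parse the result."""
    req = json.dumps({"jsonrpc": "2.0", "id": rid, "method": "tools/call",
                      "params": {"name": name, "arguments": arguments}})
    resp = json.loads(handle_request(req))
    if "error" in resp:  # protocol-level error: unknown tool / method
        raise RuntimeError(resp["error"]["message"])
    result = resp["result"]
    text = result["content"][0]["text"]
    if result.get("isError"):
        return {"ok": False, "error": text}
    return {"ok": True, **json.loads(text)}


if __name__ == "__main__":
    print(list_tools())
    print(call_tool("investigate_ip", {"ip": "198.51.100.10"}))
    print(call_tool("investigate_ip", {"ip": "not-an-ip"}))
```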
1. Investigate Malicious IPs Faster
SOC analysts often lose precious time switching between multiple tools to check IP reputation, correlated malware, breach records, and repository exposures. This fragmentation leads to delays in triage, incomplete context, and overlooked indicators.
With SOCRadar MCP Server, analysts can issue a single natural language query to perform a full CTI investigation on any IP address. The server aggregates threat intelligence from breach records, malware databases, code repositories, and reputation services.
Example prompt:
“Investigate the IP address 198.51.100.10 for any malicious activity. I need to see all related breach records, reputation alerts, and associated malware.”
Sample Findings:
Investigation results for IP 198.51.100.10, correlating threat score, malware associations, and code repository exposures through a single MCP-enabled query.
A recent investigation on IP 198.51.100.10 revealed a medium risk level despite its current whitelisted status.
- 100 malicious objects were linked to this IP through SOCRadar Threat Intelligence Services.
- The IP was associated with multiple malware samples, including Android APKs and Windows executables, indicating possible use in malware distribution or C2 operations.
- It appeared in 10 public code repositories, commonly in configuration files.
- AI analysis flagged the discrepancy between low threat score and high malicious associations as a critical concern, recommending enhanced monitoring and internal log correlation.
Why It Matters:
Instead of manually checking separate feeds and repositories, SOC teams can uncover this entire context in one step, enabling faster triage and more accurate prioritization.
2. Surface Open Critical Incidents Instantly
SOC teams often start their day sifting through multiple dashboards, ticketing systems, and alert queues to find which incidents need immediate attention. This manual triage is time-consuming, prone to oversight, and can delay the response to real threats.
With SOCRadar MCP Server, analysts can issue a single query to retrieve all open incidents with critical (or highest) severity across systems. Instead of toggling between tools, they get a consolidated, prioritized list within seconds, ready for action.
Example prompt:
“Search for all open incidents with ‘CRITICAL’ severity. I need a list to begin immediate triage.”
Sample Findings:
A high-severity incidents report generated through MCP queries, consolidating alerts, dark web activity, and immediate triage actions into one view.
The query returned 150+ open incidents, including:
- 41+ high-severity alerts (27%) requiring urgent attention.
- Dark Web exposure incidents, including hacker forum posts containing company data detected just one hour earlier.
- Brand impersonation campaigns, with multiple phishing domains actively being configured and targeting the organization’s brand.
- A mass GitHub data leak involving 31+ separate incidents tied to repository exposures, posing risks of source code and credential leaks.
The system also generated a triage checklist, outlining actions to be taken within the next 1 hour, 4 hours, and 24 hours, covering incident investigation, takedown procedures, and repository secret scanning.
Why It Matters:
Instead of chasing incidents across fragmented tools, SOC teams can focus immediately on the most dangerous threats. MCP-driven queries give analysts real-time visibility and structured triage workflows, accelerating incident response and reducing the risk of overlooked critical alerts.
3. Retrieve the Latest Threat Actor IOCs for Rapid Blocking and Monitoring
When major threat actors become active, SOC teams must quickly obtain updated Indicators of Compromise (IoCs) to update blocklists, enrich alerts, and initiate proactive threat hunting. Doing this manually across multiple intelligence platforms can take hours, delaying the organization’s ability to detect or prevent intrusions.
With SOCRadar MCP Server, analysts can use a single query to retrieve the latest domains, cloud infrastructure, IP addresses, file hashes, and intelligence reports associated with specific threat actors. This enables SOC teams to feed actionable data into firewalls, DNS filters, SIEMs, and EDR platforms almost immediately.
Example prompt:
“Are there any new IOCs for Lazarus Group in the last 24 hours? I need the latest hashes, domains, and IPs for our blocklists.”
Findings:
A Lazarus Group IOC summary generated through MCP queries, consolidating active indicators, C2 infrastructure details, and blocklist-ready domains.
The investigation focused on the Lazarus Group’s recent activity between October 9–10, 2025, revealing active infrastructure and related intelligence.
- Current activity (Oct 9–10):
  - 37 active threat indicators detected
  - 27 findings from recent C2 infrastructure investigations
  - 50+ security incidents tagged with Lazarus activity
  - Most recent activity: October 9, 2025 at 20:53
- Confirmed domains (for blocklists):
  - lazarusrat.net – Active C2 domain. First seen October 1; still flagged as critical despite a whitelisted score.
    - Source: SOCRadar Attack Surface Intelligence
    - Assessment: Critical IOC for C2 activity, phishing, or malware distribution
  - static.lazarusrat.net – Staging subdomain likely used for payload distribution.
    - Associated AWS bucket: static.lazarusrat.net.s3.amazonaws.com (5 files exposed)
- Cloud infrastructure (for monitoring/blocking):
  - static.lazarusrat.net.s3.amazonaws.com – AWS S3 bucket, exposed, likely malware staging.
  - africarare-metaverse.fra1.digitaloceanspaces.com/lazarus-group/ – DigitalOcean bucket with 40 files (JS and GLB types), last modified July 10, 2025.
- IP addresses: No new IPs were extracted in the last 24 hours, but DNS monitoring for lazarusrat.net and static.lazarusrat.net is recommended to capture any resolutions.
- File hashes: Recent malware samples were observed in the last week through:
  - AlienVault OTX (last updated Oct 6) – 2 recent indicators
  - Any.Run submissions (Sept 29)
  - MalwareBazaar (recent Lazarus-tagged Windows samples)
- Recent incidents (Oct 10):
  - Incident #76474406: Black market botnet detection on Russian forums involving credential sales.
  - Incident #76472131: Company information found on exploit.in forums.
- Common tags & malware families:
  - Tags: windows (40), malware (40), lazarus (35), ubuntu (5)
  - Families: AppleJeus, BeaverTail, multiple RATs, Windows and Linux-based malware
- Blocklist (ready to deploy):
  - Domains:
    - lazarusrat.net
    - static.lazarusrat.net
    - *.lazarusrat.net
  - Cloud storage URLs:
    - https://static.lazarusrat.net.s3.amazonaws.com/*
    - https://africarare-metaverse.fra1.digitaloceanspaces.com/lazarus-group/*
  - File patterns to monitor: *.js, *.glb, *.exe, *.dll, *.vbs, *.ps1
The MCP Server findings also outlined immediate SOC actions such as domain blocking, DNS monitoring, log review for connections, endpoint scans for related malware families, and proactive hunting for suspicious file types.
Why It Matters:
This use case shows how SOC teams can cut through scattered intelligence sources and obtain a consolidated, up-to-date IOC set for any threat actor. By centralizing domain, infrastructure, and malware data through SOCRadar MCP Server, SOC teams can update defenses and launch hunts significantly faster, reducing exposure time to active campaigns.
4. Detect Active Phishing Domains and Impersonation Campaigns Targeting Your Brand
Phishing domains and fake accounts impersonating your brand or services can quickly lead to credential theft, malware distribution, and reputational damage. SOC teams are often the first line of defense, but traditional detection methods (URL scanning, registrar lookups, DNS checks) and scattered intelligence sources are time-consuming and prone to gaps.
With SOCRadar MCP Server, analysts can issue a single query to uncover active phishing domains and impersonation campaigns targeting their organization or affiliated brands. The server aggregates registrar data, DNS records, and threat intelligence sources, then delivers structured, prioritized mitigation steps within seconds.
Example prompt:
“Identify any active phishing domains impersonating Facebook or subsidiaries detected in the last 24 hours. Include registrar details, DNS records, and risk scores.”
Findings (Last 24–48 Hours):
Phishing intelligence report generated through MCP queries, exposing impersonating domains, credential sales, social media abuse, and associated malware.
The investigation revealed widespread Facebook-themed phishing activity across multiple threat intelligence sources, even though no new impersonating domains were detected within the user’s monitored assets in the last 24 hours.
- Scale of Activity:
  - 87 phishing indicators linked to Facebook impersonation
  - 59 threat investigation findings and 50+ incidents tagged “facebook” (92% high severity)
  - Most recent activity: October 10, 2025, 11:48 AM
- Credential Sales: Critical Facebook-related credentials were observed for sale on Russian black markets (Incident #76467934), linked to Rhadamanthys stealer malware.
- Social Media Impersonation: Fraudulent accounts were detected across Facebook, Instagram, TikTok, and Twitter. Instagram alone had 344 monitored impersonating accounts, highlighting the scale of abuse.
- Phishing Domains: Several high-risk domains leveraged in phishing infrastructure were identified, including:
  - lion.deliverit.com.au – DNS A: 3.104.129.170, 13.55.235.212, 3.104.130.10
  - lionpizza.deliverit.com.au – DNS A: 3.104.130.10, 3.104.129.170, 13.55.235.212
  - stanleyburdagel.xyz – DNS A: 196.251.118.9
  - www.4billion.de – multiple DNS records.
- Typosquatting & Malware: Common phishing variants included faceb00k, facebok, and fb-login. Campaigns were tied to ClayRat Android spyware and credential stealers, with Telegram used for delivery.
Recommended SOC Actions:
- Block identified IPs and domains at the firewall and DNS level.
- Investigate and reset compromised credentials.
- Report impersonating accounts to relevant platforms.
- Update filtering systems to catch typosquatting patterns.
- Monitor dark web sources for continued brand abuse.
Why It Matters:
This use case shows how SOC teams can shift from manual phishing investigations to a unified, intelligence-driven workflow. By leveraging SOCRadar MCP Server, analysts can correlate phishing domains, impersonation campaigns, dark web activity, and malware infrastructure in real time, enabling faster takedowns, stronger defenses, and more effective brand protection.
5. Monitor Public Code Repositories for Exposed Credentials and Sensitive Data
Public code repositories frequently contain hardcoded secrets, credentials, or configuration files that can lead to severe security incidents if discovered by attackers. SOC teams are often responsible for continuously monitoring these repositories to prevent unauthorized access to internal systems, cloud services, or third-party platforms.
Manually tracking repository changes or relying on developer reports can create dangerous visibility gaps. With SOCRadar MCP Server, analysts can run structured queries to detect recent exposures across platforms like GitHub, quickly retrieving repository URLs, exposed file types, and the context of each exposure. This allows SOC teams to prioritize remediation, rotate credentials, and initiate takedown procedures before attackers can exploit the information.
Example prompt:
“Search for public code repositories exposing sensitive data or secrets detected in the last 48 hours. Provide repository URLs, file types, and exposure context.”
Findings:
The investigation identified widespread public repository exposures with Salesforce-related keywords and potential credential leaks.
A code repository exposure intelligence report showing recent GitHub incidents, detected credentials, and Salesforce-related alerts aggregated through MCP queries.
- Critical statistics:
  - 500 GitHub repository exposures detected during the monitoring period (Sept 28–Oct 10, 2025)
  - 46 high-severity incidents, accounting for 92% of all code repository incidents
  - 100 incidents tagged with the “salesforce” keyword; 96% rated as high severity
  - 88 threat indicators linked to Salesforce API credentials and 30 raw data exposures within the last 48 hours
- Example exposure scenarios (this happens more often than you might think; API keys turn up with a quick search of public GitHub repositories):
  - E-commerce application repository: potential API key and payment credential exposure.
  - Test repository: likely containing configuration files with database credentials.
  - Potential exposure of frontend/backend application credentials, including ML model and API keys.
  - Enterprise application repository with possible credential leaks.
- Common file types and patterns: .env, .json, config.js, settings.py, application.properties, credentials.json, secrets.yaml, and api_keys.txt were among the exposed files. Patterns included hardcoded Salesforce usernames, passwords, tokens, and OAuth client credentials.
- Dark web activity: A related black market listing (Incident #76474406) showed employee credentials for sale on a Russian market, increasing the risk of account compromise.
The SOCRadar MCP Server also provided a structured remediation workflow, advising immediate credential rotation, repository scanning, takedown procedures, and monitoring for secondary exposure on underground markets.
Why It Matters:
This use case highlights how SOC teams can automate the detection of code repository exposures, ensuring rapid response to credential leaks and configuration mistakes. Instead of relying on periodic audits, analysts can continuously surface new exposures in real time, reducing risk and ensuring compliance with security and privacy regulations.
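Added example, not SOCRadar's code: a small scanner that applies the file-name and key-name patterns described in the findings above (the listed file types; hardcoded Salesforce usernames, passwords, tokens and OAuth client credentials) to constructed repository contents, skipping values that merely reference environment variables. The key-name fragments and the sample files are assumptions for the demonstration.

```python
"""Flag hardcoded credentials in the file types the findings above list.

Added example, not SOCRadar's code. The watched file names come from the
findings; the key-name fragments and the sample repository are constructed.
"""
import math
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List

# File names the findings above list as commonly exposed.
WATCHED_FILES = [".env", "*.json", "config.js", "settings.py",
                 "application.properties", "credentials.json",
                 "secrets.yaml", "api_keys.txt"]

# key = value / "key": value assignments whose key name suggests a credential.
# The keyword list is an assumption about typical naming, not a SOCRadar rule set.
ASSIGN_RE = re.compile(r"""(?ix)
    ["']?(?P<key>[A-Z0-9_.\-]*?
        (?:salesforce|sf_|password|passwd|secret|token|api[_\-]?key|client[_\-]?id)
        [A-Z0-9_.\-]*)["']?
    \s*[:=]\s*
    ["']?(?P<value>[^"'\s,;]{6,})["']?
""")

# Constructed repository: path -> contents. README.md is deliberately not watched.
SAMPLE_REPO = {
    ".env": (
        "SALESFORCE_USERNAME=ops@example.com\n"
        "SALESFORCE_PASSWORD=Summ3rTime!2025\n"
        "SALESFORCE_SECURITY_TOKEN=Ab12Cd34Ef56Gh78Ij90Kl12\n"
        "DEBUG=true\n"
    ),
    "settings.py": (
        "SF_CLIENT_ID = os.environ['SF_CLIENT_ID']\n"          # env reference: fine
        "SF_CLIENT_SECRET = 'f2a9c1e8b7d64f0a9c3b1e5d7a8f6c2e'\n"  # hardcoded: flagged
    ),
    "credentials.json": '{"client_id": "constructed-client-id-value", '
                        '"client_secret": "${SF_CLIENT_SECRET}"}',
    "README.md": "API_KEY=this-file-is-not-in-the-watched-list\n",
}


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    entropy: float  # Shannon entropy of the value, useful for ranking


def is_reference(value: str) -> bool:
    """True for values that defer to the environment or are obvious placeholders."""
    v = value.lower()
    return (v.startswith(("$", "<", "%")) or "environ" in v
            or "process.env" in v or "getenv" in v)


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    out: List[Finding] = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            if is_reference(m["value"]):
                continue
            out.append(Finding(path, no, m["key"], round(shannon_entropy(m["value"]), 2)))
    return out


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan only files whose name matches one of the watched patterns."""
    findings: List[Finding] = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if any(fnmatch(name, pat) for pat in WATCHED_FILES):
            findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} {f.key} (entropy {f.entropy})")
```

In practice the same scan runs in CI before a push and as a periodic sweep of the organisation's public repositories, with every hit treated as a credential to rotate rather than merely a file to delete.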
6. Summarize Active State-Sponsored Campaigns and TTPs for Sector Briefings
SOC teams in regulated industries need rapid, consumable summaries of current state-sponsored activity to brief leadership, tune detections, and prioritize patching. Gathering this across sources (APT reports, CVE trends, incident feeds, ransomware sites) is slow and inconsistent.
With SOCRadar MCP Server, analysts can issue one prompt to compile the last 24–48 hours of activity targeting specific sectors (e.g., finance and telecom), including active campaigns, exploited CVEs, high-confidence incidents, and mapped TTPs. The output is ready for blocklists, SIEM rules, and executive briefings.
Example prompt:
“Summarize the latest campaigns and TTPs attributed to state-sponsored groups targeting the finance and telecom sectors in the past 48 hours.”
A state-sponsored threat intelligence report generated through MCP queries, highlighting active APT campaigns, exploited CVEs, and targeted sectors.
Findings (Oct 8–10, 2025):
- Executive snapshot
  - 100+ security incidents; 60 state-sponsored indicators; 50+ recent ransomware posts; 7 critical CVEs trending.
  - Most recent intelligence: Oct 10, 2025 14:53.
- Active campaigns impacting finance and telecom
  - CL0P (state-linked) – Oracle E-Business Suite campaign
    - CVE-2025-61882 (unauthenticated RCE). Impacting 100+ organizations; heavy finance exposure.
    - TTPs (MITRE): T1190 Exploit Public-Facing App, T1059 Scripting, T1048 Exfiltration, T1486 Encryption for Impact.
    - Observables: EBS 12.2.x, BI Publisher Integration component; ERP data exfiltration before extortion.
  - Chinese-linked activity (Warlock/APT41 nexus) – Telecom
    - SharePoint ToolShell chain; victim includes Colt (telecommunications).
    - TTPs: T1190, T1059.001 PowerShell, T1562 Impair Defenses, multi-ransomware deployment for attribution confusion.
  - DPRK/Lazarus – cross-sector
    - Recent report (Oct 7) and credential sales (Oct 10). Continued cryptocurrency focus; critical infrastructure mentions.
    - Malware families: AppleJeus, BeaverTail; TTPs include social engineering, supply-chain attacks, watering holes.
  - Iran-linked (Charming Kitten/APT35)
    - Phishing/credential harvesting against financial, telecom, and tech; activity noted Oct 3–10.
    - Exploits include Confluence CVE-2023-22527 and other public-facing app vectors.
- Trending vulnerabilities (last 48 hours) relevant to targeted sectors
  - Critical: CVE-2025-61882 (Oracle EBS), CVE-2025-10035 (GoAnywhere MFT), CVE-2025-49844 (Redis), CVE-2025-5947 (WordPress plugin).
  - High: Ivanti EMM API issues (CVE-2025-4427/4428); Grafana path traversal (CVE-2021-43798) still actively abused.
- Recent incidents and sector notes
  - Finance: Oracle EBS exploitation wave; insurance/claims and finance-adjacent services impacted; credential-theft campaigns ongoing.
  - Telecom: Warlock campaign against telecom; router API abuse enabling SMS spam waves; supply-chain targeting of vendors and equipment manufacturers.
  - Additional signal: 50 recent ransomware postings across groups (CL0P, Play, Akira, Qilin, Handala, etc.), some overlapping with state-nexus narratives.
- Consolidated TTPs observed (mapped for detections)
  - Initial Access: T1190 Exploit Public-Facing App; T1566 Phishing.
  - Execution: T1059 Command/Scripting; T1203 Client Exploitation; T1204 User Execution.
  - Persistence/Privilege Escalation: T1078 Valid Accounts; T1136 Create Account; T1068 Priv-Esc.
  - Defense Evasion: T1027 Obfuscated Files; T1562 Impair Defenses.
  - Credential Access: T1552 Unsecured Credentials; T1003 Dumping.
  - Lateral Movement: T1021 Remote Services; T1570 Tool Transfer.
  - Exfiltration/Impact: T1048 Alt Protocol; T1041 C2 Channel; T1567 Web Service; T1486 Encryption for Impact.
- Actionable next steps (24–48 hours)
  - Finance: Patch Oracle EBS (CVE-2025-61882) immediately; review ERP/BI Publisher logs; ingest CL0P IOCs; enforce MFA on financial systems; hunt for pre-encryption data theft.
  - Telecom: Patch SharePoint; monitor router/API abuse; harden VPN/gateways; segment core network; deploy SMS-fraud detections.
  - Cross-sector: Update detections for observed TTPs; monitor DFIR-tool exploitation (Velociraptor); track ransomware data-leak sites for sector entities.
Why it matters:
This consolidates time-sensitive state-sponsored activity into an operational brief that SOC teams can act on immediately, prioritizing patches, tuning SIEM/EDR rules, updating blocklists, and launching hunts specifically for finance and telecom environments without stitching together dozens of disparate sources manually.
7. Track Newly Registered or Active Ransomware Domains for Regional Defense
Ransomware operators constantly rotate infrastructure, registering fresh domains and activating fallback hosts to evade static blocklists. For SOC teams, manually correlating WHOIS data, DNS changes, leak-site posts, and CTI feeds is slow and error-prone.
With SOCRadar MCP Server, analysts can run a single query to surface newly registered or recently active domains linked to ransomware groups within a defined region and timeframe. Results include suspected group attribution, domains/hostnames, and detection sources, enabling rapid blocklisting, takedowns, and targeted hunting.
Example prompt:
“Search for newly registered or active domains associated with ransomware groups operating within Germany in the last week. Include group name, domain, and detection sources.”
Findings (last 7 days):
Regional ransomware threat intelligence view generated through MCP queries, showing active groups targeting Europe and associated malicious IP indicators.
- Critical incident in Germany
  - Victim: Magna Foodservice (Germany)
  - Date: October 12, 2025
  - Ransomware group: Radiant
  - Status: Listed on leak site (active threat)
  - Risk: Data breach exposure, supply-chain disruption, operational downtime
- Active ransomware groups with regional relevance
  - Radiant
    - Activity: Multiple victims announced; 7-day ultimatum before data publication
    - Germany: Magna Foodservice (Oct 12)
    - Other recent listings: Kido Schools (US), Minnesota Hospital (US), Retail Texas (US), UK Rail Services (UK)
  - Qilin
    - Activity level: 11 incidents in the past 7 days (most active)
    - Europe mentions: Frisquet (FR), Valtorta (IT), Dynamic Precision Sverige (PL/SE)
  - Sinobi
    - Activity level: 7 incidents (healthcare, manufacturing)
- Domains/hostnames and sources observed
  - Qilin
    - Domain/host: snappasse.fr – updated Oct 13, 2025
      - Detection sources: SOCRadar threat intelligence, surface web monitoring
    - Onion: ji57fr53anp7wb44tbbnp72qcgbhqywy4jmbncawdcrejj5amuvh3zqd.onion
      - Detection sources: Dark web monitoring / leak-site surveillance
    - Host: 0.tcp.eu.ngrok.io (C2 usage)
      - Detection sources: Network telemetry correlations, CTI enrichment
  - Radiant / regional activity indicator
    - Associated with the Magna Foodservice listing; infrastructure under monitoring (leak site and dark web sources)
- Additional IOCs observed alongside domains
  - IP addresses (recent updates: Oct 11–13, 2025): 213.232.87.228, 57.129.64.237, 178.16.55.189, 200.59.83.63, 2.249.142.93, 112.249.56.47, 45.138.16.240, 116.204.78.140, 43.165.65.180, 216.131.112.121, 209.172.2.50, 64.227.32.66, 209.38.208.202, 165.227.173.41, 139.59.143.102
  - Malicious URL: http://ms-team-ping2.com/bz.hta (HTA dropper)
  - Hash: f9c955a27207a1be327a1f7ed8bcdcaa (MD5)
  - Detection sources across items: SOCRadar dark web monitoring, ransomware leak-site surveillance, threat intelligence feeds
- Immediate recommendations
  - Network controls: Block listed IPs and domains; alert on connections to *.ngrok.io endpoints used as potential C2.
  - For the German victim case (Magna Foodservice): Isolate affected systems, engage IR, coordinate with BSI, avoid ransom payment.
  - For German organizations generally: Review proxy/DNS/firewall logs for listed IOCs; test offline backups; harden and patch VPN/remote access.
- Trend notes (last 7 days)
  - ~100 ransomware incidents globally; 51 active groups observed.
  - Radiant accelerating disclosures; Qilin most active by incident share.
  - Detection sources consistently include SOCRadar dark web monitoring, leak-site tracking, and federated CTI feeds.
Why it matters:
This workflow gives SOC teams a timely, regional view of fresh ransomware infrastructure with enough detail to action immediately – blocklists, detections, takedowns, and hunts – without stitching together dozens of feeds by hand.
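The blocklist from use case 3 (exact domains, wildcard domains, cloud-storage URL prefixes, file patterns to hunt) and the IP, host and URL indicators from use case 7 only pay off once they are matched against your own telemetry. The following is an added example, not SOCRadar's or the MCP server's code, that runs such a consolidated list over constructed DNS/proxy log lines; the log format and the IP subset are assumptions for the demonstration, and wildcard handling deliberately avoids the naive substring match that would miss or over-match look-alike hosts.

```python
"""Match a consolidated IOC list from the MCP findings against log lines.

Added example, not SOCRadar's code. Indicator values are those reported in use
cases 3 and 7 above; the log format and the log lines themselves are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicators as the MCP findings present them (a subset of the reported IPs).
BLOCKLIST = {
    "domains": ["lazarusrat.net", "*.lazarusrat.net", "*.ngrok.io", "ms-team-ping2.com"],
    "url_prefixes": [
        "https://static.lazarusrat.net.s3.amazonaws.com/",
        "https://africarare-metaverse.fra1.digitaloceanspaces.com/lazarus-group/",
    ],
    "ips": ["213.232.87.228", "57.129.64.237", "178.16.55.189"],
    "file_patterns": ["*.js", "*.glb", "*.exe", "*.dll", "*.vbs", "*.ps1", "*.hta"],
}
BLOCKED_IPS = {ipaddress.ip_address(ip) for ip in BLOCKLIST["ips"]}

# Constructed log format: <timestamp> <source-ip> <dns|http|conn> <target>
SAMPLE_LOG = """\
2025-10-10T20:53:00Z 10.0.0.5 dns static.lazarusrat.net
2025-10-10T20:54:10Z 10.0.0.5 http https://static.lazarusrat.net.s3.amazonaws.com/loader.js
2025-10-13T09:01:00Z 10.0.0.7 dns 0.tcp.eu.ngrok.io
2025-10-13T09:02:00Z 10.0.0.7 http http://ms-team-ping2.com/bz.hta
2025-10-13T09:05:00Z 10.0.0.9 conn 213.232.87.228
2025-10-13T09:06:00Z 10.0.0.9 dns lazarusrat.net.example.com
2025-10-13T09:07:00Z 10.0.0.9 dns updates.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|http|conn)\s+(?P<target>\S+)$")


@dataclass
class Hit:
    line: str
    category: str   # domain | url_prefix | ip | file_pattern
    indicator: str


def domain_matches(host: str) -> Optional[str]:
    """Exact match, or suffix match for wildcard entries.

    "*.x.y" covers sub.x.y but not x.y itself (that needs its own entry) and not
    x.y.evil.com, which a plain substring test would wrongly flag.
    """
    host = host.lower().rstrip(".")
    for entry in BLOCKLIST["domains"]:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # "*.x.y" -> ".x.y"
                return entry
        elif host == entry:
            return entry
    return None


def url_matches(url: str) -> Optional[str]:
    for prefix in BLOCKLIST["url_prefixes"]:
        if url.lower().startswith(prefix):
            return prefix
    return None


def file_matches(path: str) -> Optional[str]:
    """File patterns are hunting leads, reported as their own category."""
    name = path.rsplit("/", 1)[-1].lower()
    for pat in BLOCKLIST["file_patterns"]:
        if name.endswith(pat[1:]):
            return pat
    return None


def check_line(line: str) -> List[Hit]:
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, target = m["kind"], m["target"]
    hits: List[Hit] = []
    if kind == "dns":
        d = domain_matches(target)
        if d:
            hits.append(Hit(line, "domain", d))
    elif kind == "http":
        parts = urlsplit(target)
        d = domain_matches(parts.hostname or "")
        if d:
            hits.append(Hit(line, "domain", d))
        p = url_matches(target)
        if p:
            hits.append(Hit(line, "url_prefix", p))
        f = file_matches(parts.path)
        if f:
            hits.append(Hit(line, "file_pattern", f))
    elif kind == "conn":
        try:
            if ipaddress.ip_address(target) in BLOCKED_IPS:
                hits.append(Hit(line, "ip", target))
        except ValueError:
            pass  # not an IP literal; nothing to compare
    return hits


def scan(log_text: str) -> List[Hit]:
    return [h for line in log_text.splitlines() if line.strip() for h in check_line(line)]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.category:12} {h.indicator:55} {h.line}")
```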
8. Identify Third-Party Supply-Chain Breaches for Vendor Triage
SOC teams need a fast way to surface which vendors in their ecosystem have been mentioned on breach forums or ransomware leak sites, along with dates, actors, and exposure details so they can trigger containment with legal, procurement, and business owners.
With SOCRadar MCP Server, analysts can issue one prompt and receive a consolidated brief of recent vendor mentions, mapped to actor names, incident dates, and data types exposed, plus links to the underlying sources (dark web monitoring, leak-site surveillance, CTI feeds). Results slot directly into vendor risk workflows and executive briefings.
Example prompt:
“Identify any third-party vendors in our supply chain recently mentioned in breach forums or ransomware leak sites. Include incident dates, actor names, and data exposure details.”
Findings (Summary):
A supply chain breach intelligence report generated through MCP queries, summarizing major vendor compromises, exposed records, and affected organizations.
- Salesforce / Salesloft / Drift: Compromised OAuth tokens enabled large-scale data theft (1–1.5 B records) by Scattered Lapsus$ Hunters. Victims included 39+ major companies.
- Oracle E-Business Suite (CVE-2025-61882): Exploited by CL0P / Mount for remote code execution; 100+ organizations impacted.
- MOVEit Transfer: CL0P exploited web shells & SQLi; 620+ victims globally.
- npm packages: Fake domain phishing led to cryptocurrency theft campaigns.
- Sisense, Okta, GitHub Actions: Exposed source code, credentials, or customer data through repo or integration compromises.
Table summarizing major third-party breaches detected through MCP queries, detailing incident timelines, threat actors, exposure types, and data sources.
Attack patterns: OAuth token abuse, zero-days, social engineering, and compromised CI/CD pipelines.
SOC Actions:
- Audit & Revoke: Review vendor OAuth grants and API access; revoke stale tokens and enforce MFA.
- Patch & Monitor: Apply urgent patches (Oracle, MOVEit), monitor for suspicious API or export activity.
- Engage Vendors: Request breach details, IoCs, and attestations from affected suppliers.
- Harden Integrations: Deploy DLP, segment data, and monitor outbound traffic to vendor systems.
9. Identify Credential Exposure Trends Across Underground Sources
Stolen credentials remain the primary enabler for web application breaches, ransomware deployments, and initial access operations. SOC teams can use SOCRadar MCP Server to surface aggregated intelligence from stealer logs, dark web forums, and Telegram channels in a single query, accelerating credential hygiene and response.
Example prompt:
“Summarize the top types of leaked data found on dark web and stealer log sources over the last month. Break it down by credential types, cloud services, and geography.”
Key Findings (Sept 13 – Oct 13, 2025):
Dark web and stealer log intelligence report generated through MCP queries.
- 71 M email addresses added from stealer logs to breach datasets; 23 B total rows processed.
- 88% of web app breaches involve stolen credentials; 54% of ransomware victims had domains in stealer logs pre-incident.
- 46% of logs contain corporate credentials; 100 IM content findings in the last 7 days.
Credential Types Observed:
- Email/password pairs: present in nearly all logs; typically 50+ active credentials each.
- Session cookies & tokens: OAuth tokens, API keys, browser cookies used to bypass MFA.
- Browser-saved credentials: passwords, payment info, autofill data across Chrome, Firefox, Edge, etc.
- Financial data: credit cards (~38% of logs), bank credentials, crypto wallets.
- Corporate IT access: Salesforce, HubSpot, AWS, Azure, GCP, GitHub, Okta, VPNs, admin panels.
- System data: IP, OS, installed software, and network details for targeting and fingerprinting.
10. Map Cloud and SaaS Credential Exposure for Targeted Response
Cloud and SaaS platforms are heavily represented in stealer logs, giving attackers immediate lateral movement opportunities once credentials are harvested. SOC teams can leverage SOCRadar MCP Server to correlate exposed keys, tokens, and credentials with their cloud inventory and prioritize response.
Most targeted cloud platforms identified through MCP-enabled analysis.
Top Exposed Platforms:
- AWS: IAM keys, root accounts, S3/EC2/RDS credentials.
- Azure / Microsoft 365: Azure AD, VM and storage access, SharePoint and Teams credentials.
- Google Cloud / Workspace: service account keys, storage, compute, BigQuery access.
- Salesforce: admin credentials, API tokens, connected app tokens.
- Developer Platforms: GitHub, GitLab personal access tokens, SSH keys, CI/CD pipeline access.
- Other SaaS: Okta, Jira, Confluence, Slack, Zoom, Box, Dropbox, WordPress, SolarWinds.
Stats:
- 3–10% of logs contain corporate SaaS credentials.
- ~30% of compromised systems were enterprise-licensed.
- Average user exposes 12+ corporate credentials through browsers.
Bonus: Track Infection Geography to Anticipate Threat Patterns
Understanding where credential theft is most prevalent helps SOC teams focus their detection and hunting efforts. Attackers often use regional infection trends to prioritize credential resale and access brokering.
Top Affected Countries: Brazil, India, United States, Ukraine, Russia, Philippines, Mexico, Italy, Argentina, Colombia.
Global infection geography and top infostealer malware families visualized through MCP queries, highlighting regional hotspots and dominant stealer types.
Regional Patterns:
- Latin America: sustained high volume due to piracy and rapid digital payment adoption.
- APAC: strong growth led by India and the Philippines.
- North America: fewer infections, but higher-value corporate credentials.
- Europe: notable activity in Ukraine, Russia, Italy; GDPR increases data resale value.
Trend Insight:
Infection rates peak in mid-to-high HDI nations where technology adoption is high but security gaps persist, making them prime targets for credential theft and resale.
Conclusion
For SOC teams, the difference between reacting late and containing early often comes down to how quickly intelligence can be found, correlated, and acted upon. Traditional processes rely on manual enrichment, multiple dashboards, and context-switching that slows investigations and leaves gaps in coverage.
SOCRadar MCP Server changes this by unifying intelligence-driven workflows under a single, queryable interface. Whether analysts are investigating malicious IPs, surfacing critical incidents, tracking threat actor infrastructure, or monitoring credential leaks, they can do so without leaving the MCP environment.
This shift isn’t just about convenience; it directly improves operational speed, consistency, and accuracy. By automating the retrieval and correlation of intelligence, SOC teams can spend less time on manual data gathering and more time on threat analysis, response, and proactive defense.
As MCP technology becomes a standard component of modern security architectures, platforms like SOCRadar MCP Server will increasingly serve as the operational backbone for SOC teams, enabling them to keep pace with fast-moving threats and strengthen their overall security posture.