Abstract:
The Malware Information Sharing Platform (MISP) is an open-source threat intelligence platform that enables organizations to collect, store, distribute, and share cybersecurity indicators and threats. Despite its critical role in cyber threat intelligence (CTI), MISP remains inaccessible to non-technical stakeholders who increasingly need threat awareness for strategic decision-making. Large Language Models (LLMs) offer a way forward by enabling natural language interaction with CTI systems, translating user intent into structured queries. We present MISPerer, a framework that integrates LLMs with MISP through a secure Model Context Protocol (MCP) server, a standardized interface for LLM-tool integration. MISPerer enables intuitive interactions with MISP data, automating the translation of natural language requests into queries. To assess its performance, we introduce an expert-built MISP benchmark derived from real-world scenarios, designed to evaluate both the functional accuracy and coverage of LLM-mediated interactions. Using this benchmark, we perform an empirical evaluation of popular LLMs.