IBM X-Force Exchange

IBM X-Force Exchange is a threat intelligence sharing platform for researching security threats, aggregating intelligence, and collaborating on cybersecurity insights.

Verdict

IBM X-Force Exchange surfaces threat intelligence directly in your Spaces. @mention it to query IP reputations, URL categories, and public threat collections without leaving the conversation. Security teams use it to triage alerts during incident response, validate suspicious indicators in real time, and pull context from IBM's threat database. The MCP exposes seven tools — checking API versions, listing category taxonomies, fetching public collections, and retrieving user profiles. You'll need an API key from X-Force Exchange; the integration doesn't support OAuth. Best for teams already using X-Force data who want faster lookups during investigations.

Common use cases

  • Validate suspicious IPs during incident triage
  • Check URL categories before clicking links
  • Pull threat collections for morning briefings
  • Audit API access and user profile details
  • Map indicators to X-Force taxonomy categories

Integration

Vendor: IBM X-Force Exchange
Category: other
Auth: API_KEY
Tools: 7
Composio slug: ibm_x_force_exchange

Tools

  • Generate API Key and Password

    Tool to generate a new API key and password pair for IBM X-Force Exchange authentication. Use when you need to create new credentials for API access. The generated credentials do not expire and can be used with Basic Authentication.

  • Get Current API Version

    Tool to retrieve current running API version information from IBM X-Force Exchange. Use when you need to check the API version, build number, or creation date.

  • Get IPR Category List

    Tool to retrieve the complete list of IP reputation categories from IBM X-Force Exchange. Use when you need to understand available IPR classification categories used by XFE.

  • Get Latest Public Collections

    Tool to retrieve latest public Collections from IBM X-Force Exchange. Use when you need to access publicly available collections without pagination. For fetching all public collections, consider using the paginated endpoint instead.

  • Get Public Collections Paginated

    Tool to retrieve all public Collections using pagination from IBM X-Force Exchange. Use when you need to access publicly available collections with pagination support. Returns a list of publicly accessible case files with pagination metadat

  • Get URL Category List

    Tool to retrieve the complete list of URL categories from IBM X-Force Exchange. Use when you need to understand available URL classification categories used by XFE.

  • Get User Profile Information

    Tool to retrieve authenticated user's profile information from IBM X-Force Exchange. Use when you need to access user account details, membership statistics, or integration configurations.

Setup

Setup guide

  1. Open your Switchy workspace and navigate to Settings > Integrations > Browse MCP Servers.
  2. Search for IBM X-Force Exchange and click Connect.
  3. You'll be prompted to enter an API key and password; generate these from your X-Force Exchange account dashboard under API Access (credentials don't expire, so save them securely).
  4. Paste the key and password into Switchy's connection form and click Authorize.
  5. Switchy confirms the connection by calling the Get Current API Version tool in the background.
  6. Open any Space and type '@IBM X-Force Exchange get the latest public collections' to test — the MCP returns a list of threat intelligence collections.
  7. If the test fails, verify your API credentials in X-Force Exchange and reconnect.

What teammates see: by default, memories from IBM X-Force Exchange are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.

Starter prompts

Check IP Reputation

@IBM X-Force Exchange retrieve the IP reputation categories list so I can understand how you classify threats

List URL Categories

@IBM X-Force Exchange get the complete list of URL categories you use for classification

Fetch Public Collections

@IBM X-Force Exchange show me the latest public threat collections available right now

Verify API Version

@IBM X-Force Exchange what API version and build number are you currently using

Review User Profile

@IBM X-Force Exchange pull my user profile information including membership statistics

Example outputs

Illustrative - representative of the model's voice and quality, not literal recordings.

Prompt

@IBM X-Force Exchange check the reputation categories for IP address 185.220.101.47 and tell me if it's associated with any threat activity

Output

Based on the IPR category data from X-Force Exchange, this IP address is flagged under categories including 'Botnet Command and Control Server' and 'Scanning IPs' with a risk score of 8/10. The IP has been observed in malicious activity within the last 30 days, with associations to known malware campaigns. X-Force categorizes this as high-risk infrastructure that should be blocked at the perimeter. This example illustrates how the MCP retrieves threat intelligence classifications that security teams use for firewall rules and incident triage.

Notes

This example uses the IPR category lookup tool to demonstrate threat intelligence retrieval. Note that X-Force's reputation data reflects observed activity across IBM's global sensor network—scores and categories update as new threat data arrives. Your API key must have read access to reputation endpoints.

Prompt

@IBM X-Force Exchange retrieve the latest 10 public threat collections and summarize the most common attack vectors mentioned

Output

The 10 most recent public collections from X-Force Exchange include threat reports on ransomware campaigns (3 collections), phishing infrastructure (2 collections), cryptomining botnets (2 collections), and supply chain compromises (3 collections). Common attack vectors across these collections are: spear-phishing emails with malicious attachments, exploitation of unpatched VPN appliances, and abuse of legitimate cloud services for command-and-control. This example shows how analysts can monitor emerging threat patterns by scanning public intelligence shared by the X-Force community.

Notes

This example combines the public collections tool with AI summarization to surface trends. Public collections are community-contributed—quality and timeliness vary. The MCP retrieves metadata and indicators; you'll need to fetch full collection details separately if you want IOC lists or STIX bundles.

Prompt

@IBM X-Force Exchange generate a new API key pair for our staging environment and show me the user profile limits

Output

New API credentials generated successfully. API Key: `a1b2c3d4-e5f6-7890-abcd-ef1234567890` (password omitted for security). Your user profile shows: 5,000 API calls remaining this month, member since 2023-11, 12 private collections created, integration tier: Standard. Note that this is an illustrative example—real credential generation requires interactive confirmation and the password must be stored securely immediately, as X-Force does not allow password retrieval after creation.

Notes

This example demonstrates credential management and account introspection. The generate-key tool creates non-expiring credentials, so treat them like long-lived secrets. Profile information helps you monitor API quota usage before hitting rate limits. Credential generation is a write operation—test in non-production environments first.

Use-case deep-dives

Security incident triage for SOC teams

When X-Force Exchange fits lean security operations

A 3-person SOC team at a mid-market SaaS company gets 40-60 alerts per day from their SIEM. Half are false positives tied to known-good IPs or benign URL patterns. The team uses Switchy to batch-check suspicious IPs and URLs against X-Force's reputation data during morning triage. The 7 tools cover the core lookups—IP categories, URL categories, public threat collections—without requiring a full SOAR platform. This works when your alert volume stays under 100/day and you're not correlating across multiple threat feeds. If you need real-time enrichment or cross-vendor threat intel, X-Force alone won't close the loop. For teams running lean who need a single authoritative source to cut triage time by 30%, this MCP delivers without the enterprise tax.

Compliance reporting for regulated industries

X-Force Exchange for quarterly threat intelligence audits

A 6-person compliance team at a healthcare fintech runs quarterly audits to document external threat exposure for SOC 2 and HIPAA assessments. They pull public collections from X-Force to show auditors they're tracking known vulnerabilities and threat actor campaigns relevant to their infrastructure. The MCP's paginated collections tool lets them export 200+ threat indicators in one Switchy session, then cross-reference against their asset inventory. This scenario works because the cadence is quarterly, not daily—X-Force's public data is comprehensive but not real-time. If your auditors demand live threat feeds or attribution to specific APT groups, you'll need a commercial threat intel subscription. For teams proving due diligence on a budget, X-Force's public collections hit the compliance checkbox without the per-seat licensing.

Vendor risk assessment for procurement teams

When X-Force helps vet third-party security posture

A 4-person procurement team at a Series B startup evaluates 15-20 new vendors per quarter. Before signing contracts, they run vendor domains and known IPs through X-Force to check for recent malware associations or phishing campaigns. The URL and IP category tools surface red flags—like a vendor's marketing site flagged for malvertising—that wouldn't show up in a standard security questionnaire. This works when you're vetting vendors at low volume and need a quick sanity check, not a full third-party risk management program. If you're processing 100+ vendors annually or need continuous monitoring, X-Force's manual lookup model breaks down. For early-stage teams adding a security gate to procurement without hiring a GRC analyst, this MCP turns vendor vetting into a 10-minute Switchy task.

Frequently asked

What does the IBM X-Force Exchange MCP do in Switchy?

It connects your team to IBM's threat intelligence database. You can query IP reputation categories, check URL classifications, pull public threat collections, and retrieve API version info. Think of it as letting your AI assistant tap into X-Force's security data without leaving the conversation. Useful for security teams who already use X-Force and want faster lookups during incident response or threat hunting.

Do I need an IBM X-Force Exchange account to use this MCP?

Yes. You need an active X-Force Exchange account and an API key. The MCP includes a tool to generate new API keys directly, but you still need to authenticate with IBM first. Keys don't expire, so once you set it up in Switchy, it stays connected until you revoke the key on IBM's side. No OAuth flow—just paste the API key into Switchy's connection settings.

Can this MCP submit new threat intelligence to X-Force Exchange?

No. The seven tools are read-only: they fetch IP categories, URL categories, public collections, user profile data, and API version info. If you need to submit indicators or create collections, use X-Force Exchange's web interface or a different integration. This MCP is built for querying existing threat data, not contributing new intelligence.

Why use this instead of just logging into X-Force Exchange?

Speed and context. Your team can ask the AI assistant to check an IP's reputation or pull the latest public collections without switching tabs or remembering query syntax. The assistant interprets natural language requests and returns X-Force data inline. If you're already doing manual lookups in X-Force daily, this cuts the friction. If you rarely use X-Force, the web interface is probably enough.

Who on the team should connect this MCP to Switchy?

Whoever owns your X-Force Exchange account—usually someone on the security or IT team. They'll need to generate an API key in X-Force, then paste it into Switchy. Once connected, anyone in your Switchy workspace can query X-Force data through the assistant. The API key doesn't count against Switchy plan limits, but IBM may have rate limits on their side.

Data last verified 608 hours ago. Sources aggregated hourly to weekly. See docs/architecture/model-directory.md.