Install command
Provided
49 remote MCP security tools for CVE/KEV/CWE/EPSS lookup, composite CVSS+EPSS+KEV+PoC risk scoring, CVSS v3.x vector parsing, domain/IP/IOC enrichment, dependency and web intelligence checks, MITRE ATLAS AI/ML attacks, and MITRE D3FEND defenses. Anonymous tier available; Pro tier uses an API key.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Provided
Config snippet
Provided
Copy snippet
Provided
Prerequisites
None
Platforms
4 listed
Install type
CLI install
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 1 risk area.
claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp/
claude mcp list49 security intelligence tools over remote MCP: CVE/KEV/CWE/EPSS lookup with composite risk score (CVSS+EPSS+KEV+PoC fusion) and CVSS v3.x vector parser, domain audit, IP threat reports, IOC enrichment, dependency scanning, web intelligence (robots.txt parser, redirect-chain walker, email validation, brand-asset scraper, SEO audit), MITRE ATLAS AI/ML attack knowledge, and MITRE D3FEND defensive techniques. Anonymous tier; Pro tier with API key. Streamable-HTTP transport.
claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp/ claude mcp list
None required for the anonymous tier (rate-limited per IP). Optional X-API-Key header for Pro tier with higher limits. See https://api.contrastcyber.com/pricing
claude mcp list shows contrastapi as connectedContrastAPI Security Tools side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
3 trust signals differ across this comparison (Review status, Source provenance, Submitter).
| Field | 49 remote MCP security tools for CVE/KEV/CWE/EPSS lookup, composite CVSS+EPSS+KEV+PoC risk scoring, CVSS v3.x vector parsing, domain/IP/IOC enrichment, dependency and web intelligence checks, MITRE ATLAS AI/ML attacks, and MITRE D3FEND defenses. Anonymous tier available; Pro tier uses an API key. Open dossier | Security intelligence MCP server that lets Claude look up CVEs, EPSS scores, CISA KEV status, OSV package vulnerabilities, exploit indicators, MITRE mappings, IP reputation, passive DNS, Shodan host data, malware intelligence, URL safety, and risk reports across optional third-party APIs. Open dossier | PortSwigger's Burp Suite MCP Server extension connects Burp Suite to MCP clients through an SSE server or packaged stdio proxy for request, Repeater, Intruder, history, scanner, Collaborator, and configuration workflows. Open dossier | Go-based enterprise-information gathering MCP server for authorized security research, exposing local SSE tools for company search, ICP records, apps, Weibo, WeChat public accounts, mini programs, recruiting data, copyright records, suppliers, investments, branches, and paginated data-source queries. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review statusDiffers | ReviewedJSONbored · 2026-04-30 | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenanceDiffers | Submission linkedImport PR | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | UPinar | oktofeesh1 | oktofeesh1 | oktofeesh1 |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | ||
| Category | mcp | mcp | mcp | mcp |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | UPinar | Mahipal Jangra | PortSwigger | WgpSec |
| Added | 2026-04-20 | 2026-06-06 | 2026-06-06 | 2026-06-06 |
| Platforms | Claude CodeCodexCursorClaude Desktop | Claude CodeClaude Desktop | Claude CodeClaude Desktop | Claude CodeClaude Desktop |
| Source repo | — | — | — | — |
| Safety notes | ✓Treat CVE, EPSS, KEV, IOC, and OSINT enrichment as advisory input that still needs security review before acting on it. | ✓CVE, CVSS, EPSS, KEV, exploit, PoC, MITRE, package-advisory, malware, and IP-reputation data can be stale, incomplete, provider-specific, or false positive. Treat generated risk scores and vulnerability reports as triage aids, not patch policy, incident-response authority, or compliance evidence by themselves. Some tools can submit or query URLs, IP addresses, domains, file hashes, package names, repository search terms, and exploit indicators against third-party services. Shodan, URLScan, VirusTotal, AbuseIPDB, GreyNoise, CIRCL, GitHub, VulnCheck, NVD, OSV, and other providers may apply rate limits, visibility rules, account terms, and retention policies. Review provider defaults before scanning URLs or infrastructure because some services can expose submitted targets or scan metadata publicly. The project documentation says the server uses outbound HTTPS only and blocks private/internal IP lookups, but users should still avoid unauthorized reconnaissance or sensitive internal target submission. | ✓Burp Suite MCP Server can send HTTP/1.1 and HTTP/2 requests, create Repeater tabs, send requests to Intruder, toggle Proxy Intercept, pause or resume Burp's task execution engine, and update the active message editor. In Burp Suite Professional it can also expose scanner issues and generate or poll Collaborator payloads for out-of-band testing. The extension includes approval flows for outbound HTTP requests and sensitive data access, but users can configure always-allow targets and disable some approval requirements. Configuration editing tools can import project-level or user-level Burp options when enabled in the extension, which can change proxy, scanner, target, and other Burp behavior. Use only on systems and applications where testing is authorized; active requests, Intruder traffic, scanner workflows, and Collaborator payloads can affect third-party services. Keep the MCP server bound to trusted local interfaces and avoid exposing the SSE server to untrusted networks. | ✓ENScan_GO is security-research tooling intended for authorized HW/SRC and red-team-style enterprise information gathering. Use only public data sources and authorized accounts; the upstream README says it does not provide cracking or protection-bypass capabilities. Configure request delays, narrow fields, and scoped targets to reduce load on upstream data platforms and avoid account anomalies. Do not use the tool for harassment, doxxing, unauthorized profiling, commercial scraping outside provider terms, or unlawful intelligence gathering. The local SSE MCP server can expose configured data-source access to any MCP client that can reach the endpoint; bind it locally and avoid exposing the port on shared networks. |
| Privacy notes | ✓Queried domains, IPs, dependencies, vulnerabilities, and indicators can reveal investigation targets and may enter model context. | ✓Security queries can reveal vulnerable products, internal triage priorities, asset names, IP addresses, domains, URLs, file hashes, package versions, malware interests, and investigation targets to upstream APIs. API keys are loaded from environment variables; keep them scoped, rotated, and out of model transcripts, shell history, and shared configuration files. The implementation initializes a local SQLite cache and rotating audit log, which can retain query parameters, statuses, timings, source results, and security-investigation context. Audit logging redacts fields whose names include key or token, but other query values can still be sensitive and should be protected as security data. The repository license file is Apache-2.0 while the README badge and pyproject classifier currently mention MIT, so verify current licensing before redistribution or commercial reuse. | ✓Proxy HTTP history, WebSocket history, Organizer items, scanner issues, request and response bodies, headers, cookies, tokens, session identifiers, and Collaborator interaction data may be returned to the MCP client. The extension can read project-level and user-level Burp configuration; upstream code filters some configuration credentials when configured, but users should still treat exported options as sensitive. MCP prompts, responses, Burp logs, and client transcripts can retain target URLs, credentials, payloads, vulnerability details, and proprietary application behavior. The stdio proxy and SSE server bridge Burp traffic into the MCP client process; keep client configs, proxy paths, and Burp project files protected. | ✓Queries, company names, PIDs, ICP records, apps, Weibo accounts, WeChat public accounts, mini programs, recruiting data, copyright records, suppliers, investments, branches, and exported results can be sent to the MCP client and model. ENScan_GO configuration can contain cookies, Tianyancha IDs, auth tokens, API tokens, RiskBird cookies, Qimai cookies, MIIT API endpoints, proxy settings, and user-agent strings. Generated JSON, XLSX, cache files, logs, prompts, and transcripts can reveal target organizations, subsidiaries, suppliers, public accounts, and investigation scope. Keep cookies and API tokens out of prompts, restrict file permissions on the generated config, and clean up exports or `enscan.gob` cache files according to engagement rules. |
| Prerequisites | — none listed |
|
|
|
| Install | | | | |
| Config | | | | |
| Citations |
| |||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Learn MCP through Microsoft's hands-on curriculum for servers, clients, security, transports, auth, deployment, Azure, VS Code, and cross-language examples.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.