
ContrastAPI Security Tools

49 remote MCP security tools for CVE/KEV/CWE/EPSS lookup, composite CVSS+EPSS+KEV+PoC risk scoring, CVSS v3.x vector parsing, domain/IP/IOC enrichment, dependency and web intelligence checks, MITRE ATLAS AI/ML attacks, and MITRE D3FEND defenses. Anonymous tier available; Pro tier uses an API key.

Harness: Claude Code, Codex, Cursor, Claude Desktop
Install risk: Review first (review before installing)

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs: https://api.contrastcyber.com, https://github.com/UPinar/contrastapi
Brand: ContrastAPI
Brand domain: contrastcyber.com
Brand asset source: brandfetch
Safety notes: Treat CVE, EPSS, KEV, IOC, and OSINT enrichment as advisory input that still needs security review before acting on it.
Privacy notes: Queried domains, IPs, dependencies, vulnerabilities, and indicators can reveal investigation targets and may enter model context.
Author: UPinar
Submitted by: UPinar
Reviewed by: JSONbored
Claim status: unclaimed
Last verified: 2026-04-20

Schema details

Install type: cli
Troubleshooting: No
Full copyable content
claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp/
claude mcp list

About this resource

Overview

49 security intelligence tools over remote MCP: CVE/KEV/CWE/EPSS lookup with composite risk score (CVSS+EPSS+KEV+PoC fusion) and CVSS v3.x vector parser, domain audit, IP threat reports, IOC enrichment, dependency scanning, web intelligence (robots.txt parser, redirect-chain walker, email validation, brand-asset scraper, SEO audit), MITRE ATLAS AI/ML attack knowledge, and MITRE D3FEND defensive techniques. Anonymous tier; Pro tier with API key. Streamable-HTTP transport.

Usage

claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp/
claude mcp list

Auth Requirements

None required for the anonymous tier (rate-limited per IP). Optional X-API-Key header for Pro tier with higher limits. See https://api.contrastcyber.com/pricing

Verification

  1. claude mcp list shows contrastapi as connected
  2. Ask Claude: "Look up CVE-2021-44228 with EPSS and KEV data"
  3. Response includes verdict.completeness=full with real CVSS + EPSS percentile (~94%) + KEV listing date

Add this badge to your README

Show that ContrastAPI Security Tools is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

[![Listed on HeyClaude](https://heyclau.de/badge/mcp/contrastapi-mcp-server.svg)](https://heyclau.de/entry/mcp/contrastapi-mcp-server)

How it compares

ContrastAPI Security Tools side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

ContrastAPI Security Tools
Description: 49 remote MCP security tools for CVE/KEV/CWE/EPSS lookup, composite CVSS+EPSS+KEV+PoC risk scoring, CVSS v3.x vector parsing, domain/IP/IOC enrichment, dependency and web intelligence checks, MITRE ATLAS AI/ML attacks, and MITRE D3FEND defenses. Anonymous tier available; Pro tier uses an API key.
Install risk: Review first
Notes: Safety, Privacy
Brand: ContrastAPI
Category: mcp
Source: source-backed
Author: UPinar
Added: 2026-04-20
Platforms: Claude Code, Codex, Cursor, Claude Desktop
Safety notes: Treat CVE, EPSS, KEV, IOC, and OSINT enrichment as advisory input that still needs security review before acting on it.
Privacy notes: Queried domains, IPs, dependencies, vulnerabilities, and indicators can reveal investigation targets and may enter model context.
Prerequisites: none listed
Install:
claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp/
Config:
{
  "mcpServers": {
    "contrastapi": {
      "url": "https://api.contrastcyber.com/mcp/",
      "type": "http"
    }
  }
}
Claim: Unclaimed

cve-mcp-server (Mahipal Jangra)
Description: Security intelligence MCP server that lets Claude look up CVEs, EPSS scores, CISA KEV status, OSV package vulnerabilities, exploit indicators, MITRE mappings, IP reputation, passive DNS, Shodan host data, malware intelligence, URL safety, and risk reports across optional third-party APIs.
Install risk: Review first
Notes: Safety, Privacy
Category: mcp
Source: source-backed
Author: Mahipal Jangra
Added: 2026-06-06
Platforms: Claude Code, Claude Desktop
Safety notes: CVE, CVSS, EPSS, KEV, exploit, PoC, MITRE, package-advisory, malware, and IP-reputation data can be stale, incomplete, provider-specific, or false positive. Treat generated risk scores and vulnerability reports as triage aids, not patch policy, incident-response authority, or compliance evidence by themselves. Some tools can submit or query URLs, IP addresses, domains, file hashes, package names, repository search terms, and exploit indicators against third-party services. Shodan, URLScan, VirusTotal, AbuseIPDB, GreyNoise, CIRCL, GitHub, VulnCheck, NVD, OSV, and other providers may apply rate limits, visibility rules, account terms, and retention policies. Review provider defaults before scanning URLs or infrastructure because some services can expose submitted targets or scan metadata publicly. The project documentation says the server uses outbound HTTPS only and blocks private/internal IP lookups, but users should still avoid unauthorized reconnaissance or sensitive internal target submission.
Privacy notes: Security queries can reveal vulnerable products, internal triage priorities, asset names, IP addresses, domains, URLs, file hashes, package versions, malware interests, and investigation targets to upstream APIs. API keys are loaded from environment variables; keep them scoped, rotated, and out of model transcripts, shell history, and shared configuration files. The implementation initializes a local SQLite cache and rotating audit log, which can retain query parameters, statuses, timings, source results, and security-investigation context. Audit logging redacts fields whose names include key or token, but other query values can still be sensitive and should be protected as security data. The repository license file is Apache-2.0 while the README badge and pyproject classifier currently mention MIT, so verify current licensing before redistribution or commercial reuse.
Prerequisites:
  • Python 3.10 or newer for the source project, or a Python version supported by the currently published package.
  • pip, uv, or another supported Python package installer.
  • Network access to the selected vulnerability, threat-intelligence, and package-advisory APIs.
  • Optional API keys for NVD, GitHub, VulnCheck, AbuseIPDB, VirusTotal, URLScan, Shodan, GreyNoise, or CIRCL Passive DNS when those integrations are needed.
Install:
pip install cve-mcp-server
Config:
{
  "mcpServers": {
    "cve-mcp": {
      "command": "cve-mcp",
      "env": {
        "NVD_API_KEY": "",
        "GITHUB_TOKEN": "",
        "VULNCHECK_TOKEN": "",
        "ABUSEIPDB_KEY": "",
        "VIRUSTOTAL_KEY": "",
        "URLSCAN_KEY": "",
        "SHODAN_KEY": "",
        "GREYNOISE_API_KEY": "",
        "CIRCL_PDNS_USER": "",
        "CIRCL_PDNS_PASS": "",
        "CACHE_DB_PATH": "",
        "AUDIT_LOG_PATH": ""
      }
    }
  }
}
Claim: Unclaimed

Burp Suite MCP Server (PortSwigger)
Description: PortSwigger's Burp Suite MCP Server extension connects Burp Suite to MCP clients through an SSE server or packaged stdio proxy for request, Repeater, Intruder, history, scanner, Collaborator, and configuration workflows.
Install risk: Review first
Notes: Safety, Privacy
Brand: Burp Suite MCP Server
Category: mcp
Source: source-backed
Author: PortSwigger
Added: 2026-06-06
Platforms: Claude Code, Claude Desktop
Safety notes: Burp Suite MCP Server can send HTTP/1.1 and HTTP/2 requests, create Repeater tabs, send requests to Intruder, toggle Proxy Intercept, pause or resume Burp's task execution engine, and update the active message editor. In Burp Suite Professional it can also expose scanner issues and generate or poll Collaborator payloads for out-of-band testing. The extension includes approval flows for outbound HTTP requests and sensitive data access, but users can configure always-allow targets and disable some approval requirements. Configuration editing tools can import project-level or user-level Burp options when enabled in the extension, which can change proxy, scanner, target, and other Burp behavior. Use only on systems and applications where testing is authorized; active requests, Intruder traffic, scanner workflows, and Collaborator payloads can affect third-party services. Keep the MCP server bound to trusted local interfaces and avoid exposing the SSE server to untrusted networks.
Privacy notes: Proxy HTTP history, WebSocket history, Organizer items, scanner issues, request and response bodies, headers, cookies, tokens, session identifiers, and Collaborator interaction data may be returned to the MCP client. The extension can read project-level and user-level Burp configuration; upstream code filters some configuration credentials when configured, but users should still treat exported options as sensitive. MCP prompts, responses, Burp logs, and client transcripts can retain target URLs, credentials, payloads, vulnerability details, and proprietary application behavior. The stdio proxy and SSE server bridge Burp traffic into the MCP client process; keep client configs, proxy paths, and Burp project files protected.
Prerequisites:
  • Burp Suite Community or Professional with Java extension support.
  • Java and the `jar` command available for building and loading the extension.
  • Gradle wrapper execution allowed for building `build/libs/burp-mcp-all.jar` from source.
  • An MCP client that can connect to the Burp SSE server or run the packaged stdio proxy.
Install:
./gradlew embedProxyJar
Config:
Manual-only setup:
./gradlew embedProxyJar
Claim: Unclaimed

ENScan_GO (WgpSec)
Description: Go-based enterprise-information gathering MCP server for authorized security research, exposing local SSE tools for company search, ICP records, apps, Weibo, WeChat public accounts, mini programs, recruiting data, copyright records, suppliers, investments, branches, and paginated data-source queries.
Install risk: Review first
Notes: Safety, Privacy
Category: mcp
Source: source-backed
Author: WgpSec
Added: 2026-06-06
Platforms: Claude Code, Claude Desktop
Safety notes: ENScan_GO is security-research tooling intended for authorized HW/SRC and red-team-style enterprise information gathering. Use only public data sources and authorized accounts; the upstream README says it does not provide cracking or protection-bypass capabilities. Configure request delays, narrow fields, and scoped targets to reduce load on upstream data platforms and avoid account anomalies. Do not use the tool for harassment, doxxing, unauthorized profiling, commercial scraping outside provider terms, or unlawful intelligence gathering. The local SSE MCP server can expose configured data-source access to any MCP client that can reach the endpoint; bind it locally and avoid exposing the port on shared networks.
Privacy notes: Queries, company names, PIDs, ICP records, apps, Weibo accounts, WeChat public accounts, mini programs, recruiting data, copyright records, suppliers, investments, branches, and exported results can be sent to the MCP client and model. ENScan_GO configuration can contain cookies, Tianyancha IDs, auth tokens, API tokens, RiskBird cookies, Qimai cookies, MIIT API endpoints, proxy settings, and user-agent strings. Generated JSON, XLSX, cache files, logs, prompts, and transcripts can reveal target organizations, subsidiaries, suppliers, public accounts, and investigation scope. Keep cookies and API tokens out of prompts, restrict file permissions on the generated config, and clean up exports or `enscan.gob` cache files according to engagement rules.
Prerequisites:
  • Downloaded ENScan_GO release binary for your operating system, or Go 1.23-compatible tooling to build from source.
  • First-run configuration generated with `./enscan -v`.
  • Valid, authorized cookies or API credentials for the selected enterprise-data sources.
  • Local MCP client support for SSE transport, or a trusted stdio-to-SSE bridge if your client does not connect to SSE endpoints directly.
Install:
Download an ENScan_GO release archive, configure credentials with ./enscan -v, then run ./enscan --mcp
Config:
{
  "mcpServers": {
    "enscan-go": {
      "url": "<loopback-sse-url>"
    }
  }
}
Claim: Unclaimed
