ContrastAPI Security Tools
49 remote MCP security tools for CVE/KEV/CWE/EPSS lookup, composite CVSS+EPSS+KEV+PoC risk scoring, CVSS v3.x vector parsing, domain/IP/IOC enrichment, dependency and web intelligence checks, MITRE ATLAS AI/ML attacks, and MITRE D3FEND defenses. Anonymous tier available; Pro tier uses an API key.
Open the source and read safety notes before installing.
Citation facts
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
- Canonical URL: https://heyclau.de/entry/mcp/contrastapi-mcp-server
- Source URLs: https://api.contrastcyber.com, https://github.com/UPinar/contrastapi
- Brand: ContrastAPI
- Brand domain: contrastcyber.com
- Brand asset source: brandfetch
- Safety notes: Treat CVE, EPSS, KEV, IOC, and OSINT enrichment as advisory input that still needs security review before acting on it.
- Privacy notes: Queried domains, IPs, dependencies, vulnerabilities, and indicators can reveal investigation targets and may enter model context.
- Author: UPinar
- Submitted by: UPinar
- Original submission: https://github.com/JSONbored/awesome-claude/issues/304
- Reviewed by: JSONbored
- Claim status: unclaimed
- Last verified: 2026-04-20
Schema details
- Install type: cli
- Troubleshooting: No
- Scope: Source repo
Full copyable content
claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp/
claude mcp list
About this resource
Overview
49 security intelligence tools over remote MCP: CVE/KEV/CWE/EPSS lookup with composite risk score (CVSS+EPSS+KEV+PoC fusion) and CVSS v3.x vector parser, domain audit, IP threat reports, IOC enrichment, dependency scanning, web intelligence (robots.txt parser, redirect-chain walker, email validation, brand-asset scraper, SEO audit), MITRE ATLAS AI/ML attack knowledge, and MITRE D3FEND defensive techniques. Anonymous tier; Pro tier with API key. Streamable-HTTP transport.
Usage
claude mcp add --transport http contrastapi https://api.contrastcyber.com/mcp/
claude mcp list
Auth Requirements
None required for the anonymous tier (rate-limited per IP). Optional X-API-Key header for Pro tier with higher limits. See https://api.contrastcyber.com/pricing
Verification
- `claude mcp list` shows contrastapi as connected
- Ask Claude: "Look up CVE-2021-44228 with EPSS and KEV data"
- Response includes verdict.completeness=full with real CVSS + EPSS percentile (~94%) + KEV listing date
Source citations
- Source repository: github.com (2026-04-30T11:16:21.000Z)
- Documentation: api.contrastcyber.com
- Reviewed by: JSONbored (2026-04-30T11:16:21.000Z)
- Submitted by: UPinar (2026-04-20T15:29:10.000Z)
How it compares
ContrastAPI Security Tools side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | ContrastAPI Security Tools | Security intelligence MCP server (Mahipal Jangra) | Burp Suite MCP Server (PortSwigger) | ENScan_GO (WgpSec) |
|---|---|---|---|---|
| Description | 49 remote MCP security tools for CVE/KEV/CWE/EPSS lookup, composite CVSS+EPSS+KEV+PoC risk scoring, CVSS v3.x vector parsing, domain/IP/IOC enrichment, dependency and web intelligence checks, MITRE ATLAS AI/ML attacks, and MITRE D3FEND defenses. Anonymous tier available; Pro tier uses an API key. | Security intelligence MCP server that lets Claude look up CVEs, EPSS scores, CISA KEV status, OSV package vulnerabilities, exploit indicators, MITRE mappings, IP reputation, passive DNS, Shodan host data, malware intelligence, URL safety, and risk reports across optional third-party APIs. | PortSwigger's Burp Suite MCP Server extension connects Burp Suite to MCP clients through an SSE server or packaged stdio proxy for request, Repeater, Intruder, history, scanner, Collaborator, and configuration workflows. | Go-based enterprise-information gathering MCP server for authorized security research, exposing local SSE tools for company search, ICP records, apps, Weibo, WeChat public accounts, mini programs, recruiting data, copyright records, suppliers, investments, branches, and paginated data-source queries. |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | | |
| Category | mcp | mcp | mcp | mcp |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | UPinar | Mahipal Jangra | PortSwigger | WgpSec |
| Added | 2026-04-20 | 2026-06-06 | 2026-06-06 | 2026-06-06 |
| Platforms | Claude Code, Codex, Cursor, Claude Desktop | Claude Code, Claude Desktop | Claude Code, Claude Desktop | Claude Code, Claude Desktop |
| Source repo | — | — | — | — |
| Safety notes | ✓ Treat CVE, EPSS, KEV, IOC, and OSINT enrichment as advisory input that still needs security review before acting on it. | ✓ CVE, CVSS, EPSS, KEV, exploit, PoC, MITRE, package-advisory, malware, and IP-reputation data can be stale, incomplete, provider-specific, or false positive. Treat generated risk scores and vulnerability reports as triage aids, not patch policy, incident-response authority, or compliance evidence by themselves. Some tools can submit or query URLs, IP addresses, domains, file hashes, package names, repository search terms, and exploit indicators against third-party services. Shodan, URLScan, VirusTotal, AbuseIPDB, GreyNoise, CIRCL, GitHub, VulnCheck, NVD, OSV, and other providers may apply rate limits, visibility rules, account terms, and retention policies. Review provider defaults before scanning URLs or infrastructure because some services can expose submitted targets or scan metadata publicly. The project documentation says the server uses outbound HTTPS only and blocks private/internal IP lookups, but users should still avoid unauthorized reconnaissance or sensitive internal target submission. | ✓ Burp Suite MCP Server can send HTTP/1.1 and HTTP/2 requests, create Repeater tabs, send requests to Intruder, toggle Proxy Intercept, pause or resume Burp's task execution engine, and update the active message editor. In Burp Suite Professional it can also expose scanner issues and generate or poll Collaborator payloads for out-of-band testing. The extension includes approval flows for outbound HTTP requests and sensitive data access, but users can configure always-allow targets and disable some approval requirements. Configuration editing tools can import project-level or user-level Burp options when enabled in the extension, which can change proxy, scanner, target, and other Burp behavior. Use only on systems and applications where testing is authorized; active requests, Intruder traffic, scanner workflows, and Collaborator payloads can affect third-party services. Keep the MCP server bound to trusted local interfaces and avoid exposing the SSE server to untrusted networks. | ✓ ENScan_GO is security-research tooling intended for authorized HW/SRC and red-team-style enterprise information gathering. Use only public data sources and authorized accounts; the upstream README says it does not provide cracking or protection-bypass capabilities. Configure request delays, narrow fields, and scoped targets to reduce load on upstream data platforms and avoid account anomalies. Do not use the tool for harassment, doxxing, unauthorized profiling, commercial scraping outside provider terms, or unlawful intelligence gathering. The local SSE MCP server can expose configured data-source access to any MCP client that can reach the endpoint; bind it locally and avoid exposing the port on shared networks. |
| Privacy notes | ✓ Queried domains, IPs, dependencies, vulnerabilities, and indicators can reveal investigation targets and may enter model context. | ✓ Security queries can reveal vulnerable products, internal triage priorities, asset names, IP addresses, domains, URLs, file hashes, package versions, malware interests, and investigation targets to upstream APIs. API keys are loaded from environment variables; keep them scoped, rotated, and out of model transcripts, shell history, and shared configuration files. The implementation initializes a local SQLite cache and rotating audit log, which can retain query parameters, statuses, timings, source results, and security-investigation context. Audit logging redacts fields whose names include key or token, but other query values can still be sensitive and should be protected as security data. The repository license file is Apache-2.0 while the README badge and pyproject classifier currently mention MIT, so verify current licensing before redistribution or commercial reuse. | ✓ Proxy HTTP history, WebSocket history, Organizer items, scanner issues, request and response bodies, headers, cookies, tokens, session identifiers, and Collaborator interaction data may be returned to the MCP client. The extension can read project-level and user-level Burp configuration; upstream code filters some configuration credentials when configured, but users should still treat exported options as sensitive. MCP prompts, responses, Burp logs, and client transcripts can retain target URLs, credentials, payloads, vulnerability details, and proprietary application behavior. The stdio proxy and SSE server bridge Burp traffic into the MCP client process; keep client configs, proxy paths, and Burp project files protected. | ✓ Queries, company names, PIDs, ICP records, apps, Weibo accounts, WeChat public accounts, mini programs, recruiting data, copyright records, suppliers, investments, branches, and exported results can be sent to the MCP client and model. ENScan_GO configuration can contain cookies, Tianyancha IDs, auth tokens, API tokens, RiskBird cookies, Qimai cookies, MIIT API endpoints, proxy settings, and user-agent strings. Generated JSON, XLSX, cache files, logs, prompts, and transcripts can reveal target organizations, subsidiaries, suppliers, public accounts, and investigation scope. Keep cookies and API tokens out of prompts, restrict file permissions on the generated config, and clean up exports or `enscan.gob` cache files according to engagement rules. |
| Prerequisites | none listed | | | |
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Related guides
Source-backed guides for putting this to work.
Microsoft MCP for Beginners
Learn MCP through Microsoft's hands-on curriculum for servers, clients, security, transports, auth, deployment, Azure, VS Code, and cross-language examples.