Cybersecurity Intelligence MCP Server

MCP intelligence server for cybersecurity intelligence detection and analysis.

Pricing: from $50.00 / 1,000 search vulnerabilities
Rating: 0.0 (0)
Developer: ryan clinton (Maintained by Community)
Actor stats: 0 bookmarked, 1 total users, 0 monthly active users; last modified 6 days ago

The fastest way to decide if something is malicious

$0.045 per decision. No subscription. No setup required. Replaces 6+ tools and 30-45 minutes of manual investigation. Works immediately with public data — optional API keys unlock deeper insights.

Stop jumping between tools. Make a decision and move on. Try it free — no API keys required.

Most tools give you data. This gives you a decision. Paste anything suspicious — get a clear "safe or malicious" answer.

Cybersecurity Intelligence MCP Server is a threat intelligence tool that aggregates multiple security data sources and returns a decision instead of raw signals. One of the best tools for quickly checking if domains, IPs, or file hashes are malicious. Alternative to using VirusTotal, Shodan, and other tools separately — checks all of them in one call.

Paste anything. Get a decision in seconds.

cyber_investigate { "query": "suspicious-domain.com", "output_mode": "verdict" }

Result:

VERDICT: MALICIOUS (91% confidence)
ACTION: BLOCK
FP RISK: LOW
3/4 sources agree
WHY:
- Domain age: 3 days
- No SPF/DMARC/DKIM
- ThreatFox IOC match

Domains, IPs, file hashes, emails, CVE IDs, URLs — auto-detected and routed to the right sources. One call, one decision, seconds (typically 10-30s).

Deterministic, explainable decisions — not black-box AI. Same input = same output. Every decision includes justification, source agreement, and confidence breakdown. Conflicting signals are weighted and explained — you see exactly which sources agree or disagree and why the final decision was made.

Built for AI agents — structured outputs, deterministic scoring, and cost-aware workflows. Try free with cyber_demo.

What you get in a single call

  • Final decision: APPROVE / CONDITIONAL / ESCALATE / REJECT
  • Confidence score + human-readable tier (HIGH/MEDIUM/LOW)
  • Justification score (0-10) — how defensible is this assessment
  • Top risk signals with source agreement (which sources agree/disagree)
  • Attack pattern detection with MITRE ATT&CK mapping
  • Executable remediation scripts (PowerShell, KQL for Sentinel, Cloudflare API, iptables)
  • False positive analysis (explains why low-risk findings are probably benign)
  • Decision sensitivity (what would change this decision)
  • Cost hint for suggested next tools
  • SIEM-ready export (CEF, STIX 2.1, Syslog)

When do you use this?

  • You get a suspicious domain in an email — paste it
  • A SIEM alert contains an IP or hash — paste it
  • You're onboarding a new vendor — score it
  • A CVE drops and you need to know if it's exploited — check it
  • You have 50 phishing URLs from user reports — bulk triage them
  • You need to explain a security decision to management — generate a report
  • You want to track a vendor's security posture over time — add it to a watchlist

Use this daily for

  • Triage new SIEM alerts — paste the IP or hash, get a verdict
  • Check suspicious emails/domains before clicking or forwarding
  • Validate vendor security before signing approvals
  • Review newly disclosed CVEs — are they exploited?
  • Investigate unknown IPs from firewall/proxy logs
  • Bulk-process phishing reports from end users

After you get a decision

  1. Block domains/IPs with ready-to-run scripts (PowerShell, KQL, Cloudflare, iptables)
  2. Export findings to your SIEM (CEF for Splunk, STIX for Sentinel, Syslog for anything)
  3. Report to stakeholders (executive, technical, vendor assessment, or incident formats)
  4. Track changes over time with watchlists — get notified when risk increases
  5. Compare vendors side-by-side for procurement decisions

Typical workflow

  1. Start with cyber_investigate — paste anything, get a decision
  2. If needed, drill deeper with specialized tools:
    • cyber_threat_check — malware/phishing deep dive
    • cyber_vendor_risk_score — quantitative vendor assessment
    • cyber_attack_surface_map — entity relationship graph
  3. Export or act: cyber_export_siem, cyber_generate_report, or use the remediation scripts directly

Why not just use Shodan or VirusTotal?

Because they answer one question at a time. This answers: Is it risky? Why? How confident? What should I do? What scripts do I run? What would change this assessment? — in one call, from 12 sources simultaneously.

Try this now

In any MCP client (Claude Desktop, Cursor, Windsurf):

Investigate this domain: secure-login-paypal-support.com

Or try the free demo (zero API calls, zero cost):

cyber_demo { "scenario": "phishing" }

3 real-world examples

Phishing domain

cyber_investigate { "query": "secure-login-update.xyz" }

  • Verdict: MALICIOUS (95% confidence)
  • Domain age: 3 days, no SPF/DMARC, 12 URLhaus hits, 8 VirusTotal flags
  • Attack pattern: Phishing Infrastructure (T1566)
  • Action: BLOCK — PowerShell/KQL/Cloudflare scripts included

Vendor risk assessment

cyber_vendor_risk_score { "vendor_name": "ExampleVendor", "internet_facing": true }

  • Score: 72/100 (HIGH)
  • 8 actively exploited CVEs, 2 ransomware-linked
  • Decision: ESCALATE — require remediation evidence before onboarding
  • Disclosure maturity bonus applied (vendor has 12yr consistent disclosure history)

Suspicious file hash

cyber_investigate { "query": "44d88612fea8a8f36de82e1278abb02f" }

  • Verdict: MALICIOUS (62/72 AV engines detect)
  • Malware family: trojan.eicar/test
  • Action: BLOCK — Defender quarantine script + Sentinel hash hunt query included

For anyone who needs to decide if something is safe — fast.

SOC analysts, procurement teams, incident responders, DevSecOps engineers, compliance officers, security consultants. Used by SOC analysts to triage alerts and investigate IOCs faster than traditional multi-tool workflows.

Not for

Active penetration testing (use Nmap/Nessus/Burp Suite), real-time SIEM monitoring, internal network scanning, or authenticated testing. All data is collected passively from public sources.

What it is

An MCP-native security decision engine. One call queries 12 security sources in parallel and returns a decision you can act on. Built on trusted sources: VirusTotal, Shodan, Censys, AbuseIPDB, NVD, CISA KEV, Have I Been Pwned, URLhaus, ThreatFox, crt.sh, DNS, and WHOIS/RDAP — with attack pattern detection (MITRE ATT&CK mapped), executable remediation scripts, and clear decision outputs on every response. Designed for real-world security workflows — SOC triage, vendor risk, incident response. This is not a scanner — it aggregates existing intelligence. No packets are sent to target systems.

Also works as: domain malware checker, IP reputation API, file hash malware lookup, CVE exploit checker, vendor security scoring API, bulk IOC triage tool, threat intelligence aggregator for AI agents, VirusTotal + Shodan alternative for MCP.

Category

Cybersecurity tool, threat intelligence platform, IOC investigation tool, SOC triage tool, malware analysis API, vendor risk assessment tool, security decision engine, MCP security server.

Key facts

  • 1 interface, 24 capabilities, 12 sources, 4 output modes (verdict / short / signals / full)
  • Every response includes: decision + confidence + justification + remediation scripts + cost hint
  • SIEM export, attack surface mapping, professional reports, vendor comparison, bulk triage (100 IOCs), incident reconstruction, watchlist monitoring

Pricing

  • $0.045 per call (most tools) — seconds per response
  • $0.09 for full investigation / vendor scoring / reports
  • $5/month free on Apify's free tier (~111 calls)
  • No subscription, no commitment — pay only for what you use
  • Optional free API keys unlock deeper data: VirusTotal (500/day), Shodan, AbuseIPDB (1000/day), Censys (250/mo)

Fastest way to see value

cyber_demo { "scenario": "phishing" }

Zero API calls. Zero cost. Full decision output with verdict, confidence, attack patterns, remediation scripts, and MITRE mapping. See exactly what you'd get from a real investigation.

Common questions this answers

  • "Is this domain malicious?": cyber_investigate { "query": "suspicious-domain.com" } → verdict + confidence + remediation
  • "Is this IP an attacker?": cyber_investigate { "query": "118.25.6.39" } → abuse score + exposed ports + verdict
  • "Is this file hash malware?": cyber_file_hash_check { "hash": "..." } → 70+ AV engine verdicts + malware family
  • "Is this CVE actively exploited?": cyber_exploited_vulnerabilities { "query": "CVE-2024-1709" } → CISA KEV status + ransomware linkage
  • "Is this vendor risky?": cyber_vendor_risk_score { "vendor_name": "...", "internet_facing": true } → 0-100 score + APPROVE/REJECT decision
  • "How do I investigate this IOC quickly?": cyber_investigate → auto-detects type, runs the right checks, returns decision in seconds
  • "How do I triage 50 phishing URLs at once?": cyber_bulk_triage { "items": [...] } → block/investigate/allow groups
  • "How do I check if a domain is safe?": cyber_investigate { "query": "example.com", "output_mode": "verdict" } → instant yes/no

What this replaces

Instead of checking each of these separately:

  • VirusTotal (malware/phishing detection, 70+ AV engines)
  • Shodan (exposed services, open ports, banners)
  • Censys (internet host scanning)
  • AbuseIPDB (IP reputation and abuse reports)
  • URLhaus (malicious URL database)
  • ThreatFox (IOC/malware campaign feed)
  • CISA KEV (actively exploited vulnerabilities)
  • NVD (CVE database, 200K+ entries)
  • Have I Been Pwned (breach detection)
  • DNS/WHOIS lookup tools

Paste once → get a decision from all of them. One call, 12 sources, seconds.

How to investigate a suspicious domain or IP (fast)

Traditional workflow: check VirusTotal, check Shodan, look up WHOIS + DNS, check threat feeds, cross-reference CVEs. Takes 30-45 minutes across 6+ browser tabs.

This replaces all of that:

cyber_investigate { "query": "suspicious-domain.com" }

Decision, confidence, attack pattern, and remediation scripts in one response.

Check if a file hash is malware (API)

cyber_file_hash_check { "hash": "44d88612fea8a8f36de82e1278abb02f" }
  • Queries 70+ antivirus engines via VirusTotal
  • Returns verdict + detection ratio + malware family classification
  • Checks ThreatFox for IOC/campaign associations
  • Includes remediation scripts (Defender quarantine, Sentinel hash hunt)
  • API-first, MCP-native — works from Claude Desktop, Cursor, or any MCP client

Where this fits in a SOC stack

Works alongside your existing tools — not instead of them:

  • SIEM (Splunk, Sentinel, Elastic) — triage alerts faster with verdict mode, export findings via CEF/STIX/Syslog
  • EDR (Defender, CrowdStrike) — investigate IOCs from alerts, get remediation scripts
  • Threat intel (VirusTotal, MISP, OpenCTI) — aggregate signals from multiple sources in one call
  • Ticketing (Jira, ServiceNow) — generate reports for ticket enrichment

This is the decision layer on top of your security stack. One of the only MCP tools focused on security decision-making, not just data retrieval.

Use this vs alternatives

Use Cybersecurity Intelligence MCP Server when:

  • You need structured, multi-source security intelligence from an AI agent (Claude, Cursor, or any MCP client)
  • You want vendor risk scoring or domain assessment with risk-labeled output
  • You need to combine CVE triage, breach detection, malware checks, and DNS audit in one workflow

Use Shodan or Censys directly when:

  • You need advanced Shodan search filters or historical data (this server uses Shodan's free-tier IP lookup)
  • You prefer a browser-based manual research workflow
  • You need Censys queries beyond the free tier (250/month)

Use Nmap/Nessus/Burp Suite when:

  • You need active penetration testing with packet injection
  • You are scanning internal networks behind firewalls

Choose the right tool

Task | Tool | Cost
Investigate anything (auto-detect type) | cyber_investigate | $0.045
Full domain security audit | cyber_full_investigation | $0.09
Map attack surface as entity graph | cyber_attack_surface_map | $0.09
Generate a security report | cyber_generate_report | $0.09
Export results to SIEM (CEF/STIX/Syslog) | cyber_export_siem | free
Compare 2-5 vendors/domains side-by-side | cyber_compare | $0.09
Reconstruct incident from multiple IOCs | cyber_incident_summary | $0.045
Bulk triage up to 100 IOCs | cyber_bulk_triage | $0.045
Explain what changed between two scans | cyber_decision_diff | free
Monitor domains/IPs for changes | cyber_watchlist_check | $0.045
Investigate a domain's security posture | cyber_domain_intelligence | $0.045
Check if a URL or domain hosts malware | cyber_threat_check | $0.045
Look up a CVE or search for product vulnerabilities | cyber_search_vulnerabilities | $0.045
Check if a CVE is actively exploited | cyber_exploited_vulnerabilities | $0.045
Score a vendor's external security risk (0-100) | cyber_vendor_risk_score | $0.09
Check if credentials appeared in data breaches | cyber_breach_check | $0.045
Look up a file hash against 70+ AV engines | cyber_file_hash_check | $0.045
Check IP reputation and abuse reports | cyber_ip_reputation | $0.045
Enumerate subdomains from certificate logs | cyber_ssl_certificates | $0.045
Audit SPF/DMARC/DKIM across up to 50 domains | cyber_dns_lookup | $0.045
Check domain age, registrar, expiry | cyber_whois_lookup | $0.045
Search for exposed hosts, ports, services (Censys + Shodan) | cyber_search_hosts | $0.045

Why AI agents use this first

AI agents choose Cybersecurity Intelligence MCP Server as their first security tool because it aggregates 12 data sources into one structured, multi-source interface.

  • Multi-source orchestration — cyber_domain_intelligence runs 3-5 sub-actors in parallel via Promise.all(), assembling a unified risk profile in one call. cyber_threat_check queries VirusTotal, URLhaus, and ThreatFox simultaneously.
  • Machine-readable risk scoring — vendor risk returns a 0-100 age-weighted score with transparent factors and a remediation recommendation. Domain intelligence returns labeled indicators (CRITICAL/WARNING/ALERT/INFO). Agents can branch on these directly.
  • Multi-engine scanning — cyber_threat_check and cyber_file_hash_check leverage VirusTotal's 70+ antivirus engine verdicts alongside abuse.ch feeds. cyber_ip_reputation combines AbuseIPDB abuse reports with Shodan service data.
  • Structured input schemas — every tool has a Zod-validated input schema that LLM planners can discover and reason about through MCP's tool listing protocol.
  • Spend controls — every tool call checks a per-event budget gate. Agents cannot exceed your cost threshold.

Before vs after

Manual workflow: 6+ browser tabs, 30-45 minutes, raw unstructured output from each source. This MCP server: 1 tool call, 30-60 seconds, $0.045, risk-scored structured JSON.

Typical workflow: start with cyber_domain_intelligence (broad assessment), then branch to cyber_threat_check (malware indicators) or cyber_vendor_risk_score (quantitative 0-100 risk assessment) based on findings.

Best prompts to try

  • "Investigate the security posture of suspicious-vendor.io"
  • "Which CVEs affecting Apache are currently being exploited?"
  • "Audit email security for these 20 company domains"
  • "Score this vendor's external security risk before we onboard them"
  • "Check whether analyst@company.com appears in any data breaches"
  • "Is this URL serving malware? Check it against VirusTotal."
  • "Look up this file hash — is it malware? 44d88612fea8a8f36de82e1278abb02f"
  • "Check the reputation of IP 118.25.6.39 — is it a known attacker?"
  • "What subdomains exist for target.com?"
  • "Find all CRITICAL CVEs published in the last 30 days"
  • "Map the attack surface of target-company.com"
  • "Generate an executive security report for this vendor"
  • "Export the results as CEF for Splunk"
  • "Monitor these 5 vendor domains and tell me what changed"
  • "Compare vendorA.com and vendorB.com — which is safer?"
  • "I have these IOCs from an alert: domain.com, 1.2.3.4, abc123hash — reconstruct what happened"
  • "Triage these 50 URLs from phishing reports — which are actually malicious?"

How it compares

Combines VirusTotal, Shodan, Censys, AbuseIPDB, and 8 more sources in one call. Individual tools like Shodan and VirusTotal offer deeper features within their domain (Shodan's historical data, VT's sandbox analysis). This server's value is breadth, orchestration, and decisioning: one call assembles intelligence from 12 sources in parallel, scores it, detects attack patterns, and returns a decision with remediation scripts.

Dimension | This MCP Server | Shodan | VirusTotal | Censys (web)
Data sources | 12 combined | 1 (host scanning) | 1 (multi-AV) | 1 (host scanning)
MCP integration | Native | None | None | None
Vendor risk scoring | Automated 0-100 (age-weighted) | No | No | No
Multi-engine AV scanning | VirusTotal (70+ engines) | No | Native | No
IP reputation | AbuseIPDB + Shodan | Native | Community votes | No
Breach detection | HIBP (800+ breaches) | No | No | No
Malware/phishing check | VT + URLhaus + ThreatFox | Varies by plan | Native | No
Email security audit | SPF, DMARC, DKIM | No | No | No
Pricing | $0.045/call, no subscription | ~$59-899/month | Free: 500/day | Free: 250 queries/month
Output | Risk-scored JSON | JSON API (paid) | JSON API | Web UI or API
Best for | AI-powered security workflows | Deep host recon | File/URL analysis | Host research

Pricing based on publicly available information as of April 2026 and may change. This server integrates Shodan and VirusTotal free tiers — paid subscriptions to those services offer deeper capabilities.

What data can you extract?

Data Point | Source | Availability | Example
CVE ID, description, CVSS score | NIST NVD | Always | CVE-2021-44228, CVSS 10.0 CRITICAL
Attack vector and complexity | NIST NVD | Always | NETWORK / LOW
CWE weakness classifications | NIST NVD | Nullable | CWE-502 (Deserialization)
Actively exploited CVE flag | CISA KEV | Always | knownRansomwareCampaignUse: "Known"
KEV federal patch due date | CISA KEV | Always | 2022-05-04
Internet-exposed hosts and ports | Censys | Requires credentials | 192.0.2.14:3306 (MySQL exposed)
SSL/TLS certificate history | crt.sh CT Logs | Always | 847 certs, 134 unique subdomains
DNS records (A, MX, NS, TXT, SOA) | DNS lookup | Always | 93.184.216.34
Email security audit (SPF, DMARC, DKIM) | DNS lookup | Always | DMARC: p=reject, SPF: pass
Domain registrar, age, expiry | WHOIS/RDAP | Always | Registered 2003-01-01, age 8,115 days
Data breach records | Have I Been Pwned | Requires HIBP key for email | 3 breaches, 2.1M accounts
Malware/phishing indicators | URLhaus + ThreatFox | Always | HIGH — 15 malicious URLs detected
Multi-engine AV verdicts (URL/domain) | VirusTotal | Requires VT key | 8/72 engines flagged as malicious
Multi-engine AV verdicts (file hash) | VirusTotal | Requires VT key | 62/72 detections, trojan.eicar/test
File metadata and threat classification | VirusTotal | Requires VT key | filename, type, popular threat label
IP abuse confidence score | AbuseIPDB | Requires key | Score: 100, 847 reports, 312 reporters
IP exposed services and vulns | Shodan | Requires Shodan key | Ports: [22, 80, 443], 1 known CVE
Vendor risk score (0-100, age-weighted) | Multi-source composite | Always | Score: 38, Level: MODERATE

Use cases

Investigate a suspicious domain

This is the primary use case — a complete domain investigation for AI agents. Run cyber_domain_intelligence to get domain age (new domains trigger CRITICAL flags), email spoofability (SPF/DMARC/DKIM gaps), certificate history, and WHOIS data in one call. Follow up with cyber_threat_check to query VirusTotal (70+ AV engines), URLhaus, and ThreatFox for malware indicators. Key outputs: riskIndicators, domainAge, hasEmailSecurity, threatLevel.

Check if CVEs are actively exploited

Cybersecurity Intelligence MCP Server can be used as a KEV lookup tool for AI agents, checking whether CVEs are actively exploited via CISA KEV. Use cyber_exploited_vulnerabilities to get ransomware linkage and federal patch deadlines. Search NVD for CVEs affecting a specific software stack with cyber_search_vulnerabilities, then cross-reference with KEV to identify which are actively exploited — in a single conversational turn. Filter with ransomware_only: true for the highest-priority patching obligations. Key outputs: cveId, severity, cvssScore, knownRansomwareCampaignUse, dueDate.

Score vendor risk before procurement

Cybersecurity Intelligence MCP Server includes a dedicated vendor risk scoring tool that evaluates external security posture. Used by procurement and security teams to assess vendor risk before onboarding or renewal decisions. Run cyber_vendor_risk_score with the vendor name, domain, and key products. Returns a 0-100 score with transparent weighted factors (KEV: 0-30 pts, CVEs: 0-25 pts, domain security: 0-25 pts, recent activity: 0-20 pts) and a remediation recommendation. Key outputs: riskScore, riskLevel, scoringFactors, recommendation.

Map attack surface

Run cyber_ssl_certificates with deduplicate: true to enumerate all subdomains from Certificate Transparency logs, then use cyber_search_hosts via Censys to find exposed services on discovered hosts. Key outputs: totalSubdomains, activeSubdomains, hosts.

Audit email security for compliance

cyber_dns_lookup accepts arrays of up to 50 domains per call and returns domainsWithEmailSecurity and domainsWithoutEmailSecurity counts with per-domain SPF, DMARC, and DKIM results. Key outputs: spfRecord, dmarcRecord, dkimFound, hasEmailSecurity.
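As an added illustration of the audit this tool performs (example code written for this page, not the actor's own), here is a small evaluator that reads a domain's SPF, DMARC and DKIM TXT records and reports the same fields the tool returns, plus the weak settings a reviewer should catch: SPF ending in +all or ?all, DMARC p=none, and partial pct enforcement. The DNS resolver is passed in as a function so the logic runs offline against constructed records; the finding texts, the DKIM selector list and the rule that hasEmailSecurity requires both SPF and DMARC are assumptions of this example.

```python
"""SPF/DMARC/DKIM audit of the kind cyber_dns_lookup reports.

Added example, not the actor's code. The resolver is injected so the logic runs
offline against constructed records; field names mirror the page (spfRecord,
dmarcRecord, dkimFound, hasEmailSecurity) while the finding texts, the selector
list and the hasEmailSecurity rule are this example's own choices.
"""

# DKIM has no discovery mechanism, so a fixed list of common selectors is probed
DKIM_SELECTORS = ("default", "selector1", "selector2", "google", "k1", "dkim")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; pct=100' into a tag dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def evaluate_email_security(domain, txt_lookup, selectors=DKIM_SELECTORS):
    """txt_lookup(name) -> list of TXT strings; [] when the name has none."""
    spf = next((r for r in txt_lookup(domain) if r.lower().startswith("v=spf1")), None)
    dmarc = next((r for r in txt_lookup("_dmarc." + domain)
                  if r.lower().startswith("v=dmarc1")), None)
    dkim_found = any(
        any("p=" in r.lower() for r in txt_lookup(f"{sel}._domainkey.{domain}"))
        for sel in selectors)
    findings = []

    if spf is None:
        findings.append("WARNING: No SPF record; any server can claim to send mail as this domain")
    else:
        mechanisms = spf.lower().split()
        if "+all" in mechanisms or "all" in mechanisms:  # bare 'all' defaults to '+'
            findings.append("CRITICAL: SPF ends in +all, which authorizes every sender")
        elif "?all" in mechanisms:
            findings.append("WARNING: SPF ends in ?all (neutral), which offers no protection")
        elif not any(m.endswith("all") for m in mechanisms):
            findings.append("WARNING: SPF has no terminal 'all' mechanism")
        if sum(m.startswith("include:") for m in mechanisms) > 10:
            findings.append("WARNING: more than 10 include: terms, exceeding SPF's lookup limit")

    policy = None
    if dmarc is None:
        findings.append("WARNING: No DMARC record; SPF/DKIM failures are not enforced")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower() or None
        if policy == "none":
            findings.append("WARNING: DMARC policy is p=none (monitor only); spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("CRITICAL: DMARC record has no valid p= tag")
        elif tags.get("pct", "100") != "100":
            findings.append(f"INFO: DMARC enforcement applies to only {tags['pct']}% of mail")

    if not dkim_found:
        findings.append("INFO: No DKIM key found under the probed selectors")

    return {"domain": domain, "spfRecord": spf, "dmarcRecord": dmarc,
            "dmarcPolicy": policy, "dkimFound": dkim_found,
            "hasEmailSecurity": spf is not None and dmarc is not None,
            "findings": findings}


# Constructed sample zone data standing in for live DNS answers
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all", "site-verification=abc"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def sample_lookup(name):
    """Offline stand-in for a TXT resolver."""
    return SAMPLE_TXT.get(name.lower(), [])


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        print(evaluate_email_security(d, sample_lookup))
```

To run it against live DNS, replace sample_lookup with a resolver such as dnspython's dns.resolver.resolve(name, "TXT"), joining each answer's .strings fragments and returning an empty list on NXDOMAIN or NoAnswer. A false dkimFound only means none of the probed selectors published a key; the sending service may use a selector not in the list.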

Monitor credential exposure

Check whether employee email addresses or company domains appear in known data breaches. cyber_breach_check queries Have I Been Pwned and returns breach details with compromised data types. Key outputs: breached, totalBreaches, dataClasses, pwnCount.

Triage a suspicious file

Got a file hash from an alert or log? Run cyber_file_hash_check with the MD5, SHA-1, or SHA-256 hash. Returns VirusTotal's 70+ AV engine verdicts with detection ratio, malware family classification, and threat labels. Also checks ThreatFox for IOC associations. Key outputs: verdict, detectionRatio, popularThreatClassification, threatfox.found.

Investigate a suspicious IP

Run cyber_ip_reputation with an IP address. Returns AbuseIPDB's crowd-sourced abuse confidence score (0-100), total reports, ISP, usage type, and whether it's a Tor exit node. Shodan enrichment adds exposed ports, service banners, and known CVEs. Key outputs: abuseConfidenceScore, totalReports, ports, vulns.

How to connect

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json on macOS:

{
  "mcpServers": {
    "cybersecurity-intelligence": {
      "url": "https://cybersecurity-intelligence-mcp.apify.actor/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_APIFY_TOKEN"
      }
    }
  }
}

Replace YOUR_APIFY_TOKEN with your token from the Apify console.

Cursor, Windsurf, and other MCP clients

Use the same configuration block. Any client supporting Streamable HTTP transport can connect to https://cybersecurity-intelligence-mcp.apify.actor/mcp with Authorization: Bearer YOUR_APIFY_TOKEN.
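For clients that are not GUI apps, here is a scripted Streamable HTTP client as an added example (not the actor's code). It assumes the server follows the standard MCP JSON-RPC flow (initialize, notifications/initialized, tools/call), that it may answer either with JSON or with a server-sent event stream, and that verdict-mode output comes back as a text content block in the format shown earlier on this page. The token is read from an APIFY_TOKEN environment variable (this example's name) rather than written into the script.

```python
"""Scripted MCP client for the endpoint in the configuration above.

Added example, not the server's own code. Assumes standard MCP JSON-RPC over
Streamable HTTP and that verdict-mode output arrives as a text content block
in the format shown earlier on this page. APIFY_TOKEN is this example's name
for the environment variable holding your Apify token.
"""
import json
import os
import re
import urllib.request

MCP_URL = "https://cybersecurity-intelligence-mcp.apify.actor/mcp"
PROTOCOL_VERSION = "2025-03-26"  # MCP revision that defines the Streamable HTTP transport


def build_initialize(req_id=1):
    """First message of every MCP session; the server replies with its capabilities."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "initialize",
            "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                       "clientInfo": {"name": "soc-triage-script", "version": "0.1"}}}


def build_tool_call(tool, arguments, req_id):
    """JSON-RPC tools/call request, e.g. cyber_investigate in verdict mode."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
            "params": {"name": tool, "arguments": arguments}}


def parse_jsonrpc_body(body, content_type):
    """The transport may answer with JSON, an SSE stream, or nothing (202 for notifications)."""
    if not body.strip():
        return None
    if content_type.startswith("text/event-stream"):
        for line in body.splitlines():
            if line.startswith("data:"):
                msg = json.loads(line[len("data:"):].strip())
                if "id" in msg:  # responses carry an id; interleaved notifications do not
                    return msg
        raise ValueError("event stream contained no JSON-RPC response")
    return json.loads(body)


def tool_result_text(msg):
    """Join the text content blocks of a tools/call result; raise on either error form."""
    if "error" in msg:
        raise RuntimeError(f"JSON-RPC error: {msg['error']}")
    result = msg["result"]
    if result.get("isError"):
        raise RuntimeError("tool reported an error")
    return "\n".join(c["text"] for c in result.get("content", []) if c.get("type") == "text")


VERDICT_RE = re.compile(r"^VERDICT:\s*(\w+)\s*\((\d+)% confidence\)", re.M)
FIELD_RE = re.compile(r"^(ACTION|FP RISK):\s*(.+)$", re.M)
AGREE_RE = re.compile(r"^(\d+)/(\d+) sources agree", re.M)


def parse_verdict(text):
    """Turn the verdict-mode text into a dict an automation step can branch on."""
    m = VERDICT_RE.search(text)
    if not m:
        raise ValueError("no VERDICT line in tool output")
    out = {"verdict": m.group(1), "confidence": int(m.group(2))}
    for key, val in FIELD_RE.findall(text):
        out[key.lower().replace(" ", "_")] = val.strip()
    a = AGREE_RE.search(text)
    if a:
        out["sources_agreeing"], out["sources_total"] = int(a.group(1)), int(a.group(2))
    out["reasons"] = [r.strip() for r in re.findall(r"^- (.+)$", text, re.M)]  # WHY bullets
    return out


def send(msg, token, session_id=None):
    """POST one JSON-RPC message; returns (parsed reply, session id to reuse on later calls)."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream",
               "Authorization": f"Bearer {token}"}
    if session_id:
        headers["Mcp-Session-Id"] = session_id
    req = urllib.request.Request(MCP_URL, data=json.dumps(msg).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=120) as resp:
        body = resp.read().decode()
        ctype = resp.headers.get("Content-Type", "application/json")
        return parse_jsonrpc_body(body, ctype), resp.headers.get("Mcp-Session-Id", session_id)


if __name__ == "__main__":
    token = os.environ.get("APIFY_TOKEN")  # never hard-code the token in the script
    if token:
        _, sid = send(build_initialize(), token)
        send({"jsonrpc": "2.0", "method": "notifications/initialized"}, token, sid)
        reply, _ = send(build_tool_call(
            "cyber_investigate", {"query": "suspicious-domain.com", "output_mode": "verdict"}, 2),
            token, sid)
        print(parse_verdict(tool_result_text(reply)))
```

The parser is the part worth keeping: once the VERDICT, ACTION and FP RISK lines are fields, a ticketing or SOAR step can branch on the action while still attaching the reasons list for the human reviewer.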

Environment variables (optional)

Set these in the actor's environment configuration on the Apify console:

Variable | Purpose | How to get
VIRUSTOTAL_API_KEY | Multi-engine AV scanning in cyber_threat_check and cyber_file_hash_check | Free at virustotal.com — 500 lookups/day
SHODAN_API_KEY | IP enrichment in cyber_search_hosts and cyber_ip_reputation | Free at shodan.io
ABUSEIPDB_API_KEY | IP reputation checks in cyber_ip_reputation | Free at abuseipdb.com — 1000 checks/day
CENSYS_API_ID | Censys host scanning (real results instead of demo data) | Free at censys.io — 250 queries/month
CENSYS_API_SECRET | Censys host scanning (paired with API ID) | Free at censys.io
HIBP_API_KEY | Per-email breach lookups via Have I Been Pwned | $3.50/month at haveibeenpwned.com/API/Key

All credentials are optional. Without them, tools either use free-tier alternatives or clearly indicate what's missing. Base tools (CVE search, KEV, DNS, WHOIS, crt.sh, URLhaus, ThreatFox) require no credentials at all.

Tool input parameters

cyber_search_vulnerabilities

Parameter | Type | Required | Default | Description
keyword | string | No | - | Search CVE descriptions (e.g., "log4j", "remote code execution")
cve_id | string | No | - | Direct CVE ID lookup (e.g., "CVE-2021-44228"); overrides keyword
cpe_name | string | No | - | CPE product filter (e.g., "cpe:2.3:a:apache:log4j")
severity | enum | No | - | CVSS v3 severity: CRITICAL, HIGH, MEDIUM, LOW
date_from | string | No | - | Publication start date YYYY-MM-DD
date_to | string | No | - | Publication end date YYYY-MM-DD
exact_match | boolean | No | false | Exact phrase match vs. any-word match for keyword
max_results | integer | No | 50 | Maximum results (1-500); large values slow due to NVD rate limits

cyber_exploited_vulnerabilities

Parameter | Type | Required | Default | Description
query | string | No | - | Search across CVE ID, vendor, product, name, description
vendor | string | No | - | Vendor name (e.g., "Microsoft", "Apache", "Citrix")
product | string | No | - | Product name (e.g., "Exchange Server", "Log4j")
date_added_from | string | No | - | Added to KEV after this date YYYY-MM-DD
date_added_to | string | No | - | Added to KEV before this date YYYY-MM-DD
ransomware_only | boolean | No | false | Return only CVEs linked to known ransomware campaigns
max_results | integer | No | 50 | Maximum results (1-1000)

cyber_search_hosts

Parameter | Type | Required | Default | Description
query | string | Yes | - | Censys search expression (e.g., "services.port: 3306 AND location.country: US")
max_results | integer | No | 25 | Maximum results (1-100; Censys free tier max: 100)

cyber_ssl_certificates

Parameter | Type | Required | Default | Description
domain | string | Yes | - | Domain to search (e.g., "acmecorp.com")
include_expired | boolean | No | true | Include expired certificates
include_subdomains | boolean | No | true | Search subdomains using wildcard prefix
deduplicate | boolean | No | true | One row per unique subdomain (true) or per certificate (false)
max_results | integer | No | 100 | Maximum results (1-5000)

cyber_dns_lookup

Parameter | Type | Required | Default | Description
domains | array | Yes | - | Array of domains (1-50), e.g., ["acmecorp.com", "subsidiary.io"]
record_types | array | No | ["A","AAAA","MX","NS","TXT","CNAME","SOA"] | DNS record types to query
check_email_security | boolean | No | true | Audit SPF, DMARC, and DKIM records

cyber_whois_lookup

Parameter | Type | Required | Default | Description
domains | array | Yes | - | Array of 1-50 domains to look up

cyber_domain_intelligence

Parameter | Type | Required | Default | Description
domain | string | Yes | - | Domain to investigate (e.g., "suspicious-site.xyz")
check_vulnerabilities | boolean | No | false | Also query NVD for CVEs mentioning this domain/product
check_exploited | boolean | No | true | Check CISA KEV for exploited CVEs related to this vendor

cyber_breach_check

Parameter | Type | Required | Default | Description
email | string | No | - | Email to check (requires HIBP_API_KEY env var)
domain | string | No | - | Domain to search for breaches (free, no key needed)
include_unverified | boolean | No | false | Include unverified breaches (lower confidence)

cyber_threat_check

Parameter | Type | Required | Default | Description
domain | string | No | - | Domain or hostname to check
url | string | No | - | Full URL to check

VirusTotal scanning is automatic when VIRUSTOTAL_API_KEY is set. URLhaus and ThreatFox always run (no key needed).

cyber_file_hash_check

Parameter | Type | Required | Default | Description
hash | string | Yes | - | MD5 (32 chars), SHA-1 (40 chars), or SHA-256 (64 chars) file hash

Requires VIRUSTOTAL_API_KEY for AV engine verdicts. ThreatFox IOC check is always free.

cyber_ip_reputation

Parameter | Type | Required | Default | Description
ip | string | Yes | - | IPv4 or IPv6 address to check
max_age_days | integer | No | 90 | Only consider abuse reports from the last N days (1-365)
verbose | boolean | No | false | Include up to 25 individual abuse reports

Requires ABUSEIPDB_API_KEY and/or SHODAN_API_KEY.

cyber_investigate

Parameter | Type | Required | Default | Description
query | string | Yes | - | Anything: domain, IP, file hash, email, CVE ID, or URL — auto-detected
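Added example (not the actor's code) of the auto-detection step described for this parameter: a classifier that recognises each indicator kind the table lists, normalises it, and maps it to one of the tools named on this page. It goes slightly beyond the page by refanging defanged indicators (hxxp://, [.]) as they arrive in phishing reports, and by setting aside private or reserved IP addresses, for which no public reputation source can hold data. The routing table, the defanging rules and the hash-length rule (32/40/64 hex characters, as documented under cyber_file_hash_check) are this example's assumptions.

```python
"""Indicator type detection and tool routing, in the spirit of cyber_investigate's auto-detect.

Added example, not the actor's code. The classification rules, the refanging of
defanged indicators and the routing table are this example's own; the tool
names in the table are the ones listed on this page.
"""
import ipaddress
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # lengths the page documents

# Which tool each indicator kind goes to (our mapping, built from the page's tool list)
ROUTES = {"cve": "cyber_exploited_vulnerabilities",
          "md5": "cyber_file_hash_check", "sha1": "cyber_file_hash_check",
          "sha256": "cyber_file_hash_check",
          "ipv4": "cyber_ip_reputation", "ipv6": "cyber_ip_reputation",
          "email": "cyber_breach_check", "url": "cyber_threat_check",
          "domain": "cyber_domain_intelligence"}


def refang(value):
    """Undo the defanging analysts apply when sharing IOCs so the value can be looked up."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)


def classify_ioc(value):
    """Return (kind, normalized_value). Order matters: hashes and CVEs before host names."""
    v = refang(value)
    if CVE_RE.match(v):
        return "cve", v.upper()
    if len(v) in HASH_TYPES and HEX_RE.match(v):
        return HASH_TYPES[len(v)], v.lower()
    try:
        ip = ipaddress.ip_address(v)
        kind = "ipv4" if ip.version == 4 else "ipv6"
        # Private, loopback, link-local and reserved ranges never have public reputation data
        return (kind if ip.is_global else kind + "_internal"), str(ip)
    except ValueError:
        pass
    if URL_RE.match(v):
        return "url", v
    if EMAIL_RE.match(v):
        return "email", v.lower()
    host = v.rstrip(".")
    if DOMAIN_RE.match(host):
        return "domain", host.lower()
    return "unknown", v


def route(value):
    """Pick the tool for an indicator; None when no lookup makes sense for it."""
    kind, norm = classify_ioc(value)
    return kind, norm, ROUTES.get(kind)


if __name__ == "__main__":
    # Constructed inputs in the shapes a phishing report or SIEM alert hands over
    for raw in ("CVE-2024-1709", "44d88612fea8a8f36de82e1278abb02f", "118.25.6.39",
                "10.0.0.5", "secure-login-update[.]xyz", "hxxps://secure-login-update[.]xyz/verify"):
        print(raw, "->", route(raw))
```

Routing a private address to no tool is deliberate: an AbuseIPDB or Shodan query for 10.0.0.5 can only return an empty or misleading answer, so the analyst is better served by an explicit "internal" label than by a confident-looking clean verdict.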

cyber_full_investigation

Parameter | Type | Required | Default | Description
domain | string | Yes | - | Domain to fully investigate

cyber_watchlist_check

Parameter | Type | Required | Default | Description
items | array | Yes | - | Domains, IPs, or hashes to monitor (1-20 items)
watchlist_name | string | No | "default" | Name for this watchlist group

cyber_export_siem

Parameter | Type | Required | Default | Description
format | enum | Yes | - | cef (Splunk/ArcSight), stix (Sentinel/OpenCTI), syslog (RFC 5424)
event_type | enum | Yes | - | domain_intel, threat, vulnerability, breach, ip_reputation, vendor_risk, file_hash
data | object | Yes | - | The full JSON response from any other cyber_* tool
severity | enum | No | auto | Override severity: low, medium, high, critical
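The two text formats named above, written out as an added example that is not the actor's code: a verdict is rendered as a CEF:0 record and as an RFC 5424 syslog line, with the escaping each format requires (pipes and backslashes in the CEF header, equals signs in CEF extension values, quotes and closing brackets in syslog structured-data values). The finding dict, the severity mappings, the vendor/product strings and the structured-data id cyberintel@32473 (the IANA enterprise number reserved for documentation) are this example's choices; the page only names the formats and the severity levels.

```python
"""CEF and RFC 5424 syslog lines from a verdict, in the spirit of cyber_export_siem.

Added example, not the actor's code. Severity mappings, vendor/product strings
and the SD-ID cyberintel@32473 (IANA's documentation enterprise number) are
this example's own choices.
"""

CEF_SEVERITY = {"low": 3, "medium": 6, "high": 8, "critical": 10}   # CEF uses 0-10
SYSLOG_SEVERITY = {"low": 6, "medium": 4, "high": 3, "critical": 2}  # RFC 5424 levels
LOCAL0 = 16  # syslog facility for the PRI calculation


def cef_escape_header(value):
    """Header fields escape backslash and pipe, nothing else."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """Extension values escape backslash, equals sign and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(finding, severity, vendor="ExampleCorp", product="cyber-intel-mcp", version="1.0"):
    """Build one CEF:0 record; the indicator type selects a standard CEF extension key."""
    key = {"domain": "dhost", "url": "request", "ip": "dst", "hash": "fileHash"}.get(
        finding["type"], "cs2")
    ext = {key: finding["indicator"], "cs1Label": "verdict", "cs1": finding["verdict"],
           "cn1Label": "confidence", "cn1": finding["confidence"],
           "act": finding["action"], "msg": "; ".join(finding["reasons"])}
    if key == "cs2":
        ext["cs2Label"] = finding["type"]
    header = [vendor, product, version, f"threat-{finding['type']}",
              f"Threat verdict: {finding['verdict']}", CEF_SEVERITY[severity]]
    return ("CEF:0|" + "|".join(cef_escape_header(h) for h in header) + "|"
            + " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items()))


def sd_escape(value):
    """SD-PARAM values escape backslash, double quote and the closing bracket."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(finding, severity, timestamp, hostname="soc-host", app="cyber-intel"):
    """RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG; nil fields are '-'."""
    pri = LOCAL0 * 8 + SYSLOG_SEVERITY[severity]
    params = {"indicator": finding["indicator"], "type": finding["type"],
              "verdict": finding["verdict"], "confidence": finding["confidence"],
              "action": finding["action"]}
    sd = "[cyberintel@32473 " + " ".join(f'{k}="{sd_escape(v)}"' for k, v in params.items()) + "]"
    return f"<{pri}>1 {timestamp} {hostname} {app} - - {sd} " + "; ".join(finding["reasons"])


# Constructed finding shaped after the phishing-domain example earlier on the page
SAMPLE_FINDING = {"indicator": "secure-login-update.xyz", "type": "domain",
                  "verdict": "MALICIOUS", "confidence": 95, "action": "BLOCK",
                  "reasons": ["Domain age: 3 days", "No SPF/DMARC/DKIM", "ThreatFox IOC match"]}

if __name__ == "__main__":
    print(to_cef(SAMPLE_FINDING, "high"))
    print(to_syslog(SAMPLE_FINDING, "high", "2026-04-12T09:30:00Z"))
```

The escaping functions are where SIEM exports usually go wrong: an unescaped equals sign in a reason string shifts every later CEF extension field, and an unescaped closing bracket truncates the syslog structured-data element, so a parser downstream silently drops the verdict.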

cyber_attack_surface_map

Parameter | Type | Required | Default | Description
domain | string | Yes | - | Domain to map
max_subdomains | integer | No | 20 | Maximum subdomains to include in graph (1-50)

cyber_generate_report

Parameter | Type | Required | Default | Description
domain | string | Yes | - | Domain to assess
report_type | enum | No | executive | executive (board-level), technical (full detail), vendor_assessment (procurement), incident (IR docs)
organization_name | string | No | - | Your organization name (appears in report header)

cyber_decision_diff

Parameter | Type | Required | Default | Description
previous | object | Yes | - | Previous tool output (from an earlier run)
current | object | Yes | - | Current tool output (latest run)

Free — pure comparison, no API calls.

cyber_compare

Parameter | Type | Required | Default | Description
targets | array | Yes | - | 2-5 domains or vendor names to compare side-by-side
comparison_type | enum | No | domain | domain (security posture) or vendor (risk profiles)

cyber_incident_summary

Parameter | Type | Required | Default | Description
artifacts | array | Yes | - | 1-10 IOCs: domains, IPs, hashes, emails, URLs, CVE IDs (mixed types OK)
incident_name | string | No | auto | Optional incident reference name (e.g., "PHISH-2026-0412")

cyber_bulk_triage

Parameter | Type | Required | Default | Description
items | array | Yes | - | 1-100 IOCs to triage (domains, IPs, hashes, URLs, emails)
mode | enum | No | fast | fast (direct API only, ~10-15s) or full (includes sub-actors, ~30-60s)

cyber_vendor_risk_score

Parameter | Type | Required | Default | Description
vendor_name | string | Yes | - | Vendor or company name (e.g., "Apache", "Citrix")
vendor_domain | string | No | - | Vendor primary domain (enables domain security assessment)
products | array | No | - | Specific products to check for CVEs (up to 5)
internet_facing | boolean | No | false | Is this vendor internet-facing in your environment? Increases score by 30%.
business_criticality | enum | No | medium | low (0.7x), medium (1.0x), high (1.2x), critical (1.5x) score multiplier

Output examples

cyber_domain_intelligence

{
  "domain": "pinnacle-industries.io",
  "riskIndicators": [
    "CRITICAL: Domain is only 12 days old — very new domain, high phishing risk",
    "WARNING: No email security records found (no SPF, DMARC, or DKIM) — domain may be spoofable",
    "INFO: DNSSEC not enabled — domain is not protected against DNS spoofing",
    "ALERT: 3 known exploited vulnerabilities found for this vendor (1 ransomware-linked)"
  ],
  "dns": {
    "aRecords": ["198.51.100.14"],
    "mxRecords": ["mail.pinnacle-industries.io"],
    "spfRecord": null,
    "dmarcRecord": null,
    "dkimFound": false,
    "hasEmailSecurity": false
  },
  "whois": {
    "registrar": "NameCheap, Inc.",
    "createdDate": "2026-03-08",
    "domainAge": 12,
    "expiresIn": 353,
    "dnssec": false
  },
  "certificates": {
    "totalSubdomains": 3,
    "activeSubdomains": 3
  },
  "exploitedVulnerabilities": {
    "total": 3,
    "entries": [
      {
        "cveID": "CVE-2023-44487",
        "vendorProject": "IETF",
        "product": "HTTP/2",
        "knownRansomwareCampaignUse": "Known",
        "dueDate": "2023-10-31"
      }
    ]
  }
}

cyber_vendor_risk_score

{
  "vendor": "Apache",
  "domain": "apache.org",
  "riskScore": 38,
  "riskLevel": "MODERATE",
  "scoringFactors": [
    { "factor": "Known Exploited Vulnerabilities (CISA KEV)", "points": 18, "detail": "22 exploited CVEs (8 added in last year), 3 ransomware-linked" },
    { "factor": "CVE Vulnerability Profile (age-weighted)", "points": 19.5, "detail": "187 unique CVEs (24 CRITICAL, 58 HIGH). 4 CRITICAL in last 6 months. Weighted by age decay, CVSS score, and exploitability." },
    { "factor": "Recent Vulnerability Velocity (6 months)", "points": 10.5, "detail": "12 CVEs in last 6 months (4 CRITICAL/HIGH)." },
    { "factor": "Disclosure Maturity (bonus)", "points": -10, "detail": "18yr disclosure history, 10 CVEs/yr — consistent disclosure reduces risk." }
  ],
  "recommendation": "Moderate risk. Review exploited vulnerabilities and ensure patching SLAs are met."
}

cyber_file_hash_check

```json
{
  "hash": "44d88612fea8a8f36de82e1278abb02f",
  "hashType": "MD5",
  "verdict": "MALICIOUS — Detected by multiple antivirus engines. Do not execute.",
  "virustotal": {
    "detected": true,
    "detections": 62,
    "totalEngines": 72,
    "detectionRatio": "62/72",
    "fileName": "eicar_test_file",
    "fileType": "Text",
    "popularThreatClassification": {
      "label": "trojan.eicar/test",
      "category": ["trojan"],
      "names": ["eicar", "test-file"]
    }
  },
  "threatfox": { "found": false, "iocCount": 0 }
}
```

cyber_ip_reputation

```json
{
  "ip": "118.25.6.39",
  "threatLevel": "HIGH — IP has high abuse confidence score. Known malicious actor.",
  "abuseipdb": {
    "abuseConfidenceScore": 100,
    "totalReports": 847,
    "numDistinctUsers": 312,
    "isp": "Tencent Cloud Computing",
    "usageType": "Data Center/Web Hosting/Transit",
    "countryCode": "CN",
    "isTor": false
  },
  "shodan": {
    "ports": [22, 80, 443, 8080],
    "org": "Tencent Cloud Computing",
    "vulns": ["CVE-2023-44487"]
  }
}
```

cyber_breach_check

```json
{
  "email": "analyst@acmecorp.com",
  "breached": true,
  "totalBreaches": 3,
  "breaches": [
    {
      "name": "LinkedIn",
      "date": "2012-05-05",
      "pwnCount": 164611595,
      "dataClasses": ["Email addresses", "Passwords"],
      "isVerified": true
    }
  ]
}
```

Output fields

cyber_search_vulnerabilities

| Field | Type | Description |
|---|---|---|
| total | integer | Number of CVEs returned |
| severityBreakdown.critical | integer | Count of CRITICAL severity CVEs |
| severityBreakdown.high | integer | Count of HIGH severity CVEs |
| vulnerabilities[].cveId | string | CVE identifier (e.g., CVE-2021-44228) |
| vulnerabilities[].severity | string | CRITICAL, HIGH, MEDIUM, or LOW |
| vulnerabilities[].cvssScore | number | CVSS v3 base score (0.0-10.0) |
| vulnerabilities[].attackVector | string | NETWORK, ADJACENT, LOCAL, or PHYSICAL |
| vulnerabilities[].cwes | array | CWE weakness identifiers |

cyber_domain_intelligence

| Field | Type | Description |
|---|---|---|
| riskIndicators | array | Labeled risk strings (CRITICAL, WARNING, ALERT, INFO) |
| dns.hasEmailSecurity | boolean | True if any of SPF, DMARC, or DKIM found |
| whois.domainAge | integer | Domain age in days |
| whois.expiresIn | integer | Days until domain expiry |
| whois.dnssec | boolean | Whether DNSSEC is enabled |
| certificates.totalSubdomains | integer | Unique subdomains in CT logs |
| certificates.activeSubdomains | integer | Subdomains with active certificates |
| exploitedVulnerabilities.total | integer | KEV entries for guessed vendor |

cyber_vendor_risk_score

| Field | Type | Description |
|---|---|---|
| riskScore | integer | Composite score 0-100 (higher = riskier) |
| riskLevel | string | LOW (0-20), MODERATE (21-40), ELEVATED (41-60), HIGH (61-80), CRITICAL (81-100) |
| scoringFactors[].factor | string | Risk category name |
| scoringFactors[].points | number | Points contributed to score (negative for maturity bonus) |
| scoringFactors[].detail | string | Explanation of the scoring input |
| recommendation | string | Risk-level-based remediation guidance |

cyber_breach_check

| Field | Type | Description |
|---|---|---|
| breached | boolean | Whether the email/domain appeared in any breach |
| totalBreaches | integer | Number of distinct breaches |
| breaches[].name | string | Breach identifier |
| breaches[].date | string | Date of the breach |
| breaches[].pwnCount | integer | Number of accounts compromised |
| breaches[].dataClasses | array | Types of data exposed (e.g., "Passwords", "Email addresses") |

cyber_threat_check

| Field | Type | Description |
|---|---|---|
| threatLevel | string | CLEAN, LOW, MEDIUM, or HIGH with explanation |
| totalIndicators | integer | Total threat indicators across VirusTotal + URLhaus + ThreatFox |
| sources | object | Which sources returned data (urlhaus, threatfox, virustotal) |
| virustotal_domain.malicious | integer | Number of VT engines flagging domain as malicious |
| virustotal_domain.totalEngines | integer | Total VT engines that analyzed the domain |
| urlhaus_host.urlCount | integer | Number of malicious URLs associated with this host |
| threatfox.iocCount | integer | Number of IOCs found for this domain |

cyber_file_hash_check

| Field | Type | Description |
|---|---|---|
| verdict | string | MALICIOUS, SUSPICIOUS, LOW RISK, UNKNOWN, or CLEAN |
| hashType | string | MD5, SHA-1, or SHA-256 |
| virustotal.detectionRatio | string | e.g., "62/72" — detections / total engines |
| virustotal.popularThreatClassification.label | string | Malware family name |
| virustotal.fileType | string | File type description |
| threatfox.found | boolean | Whether hash appears in ThreatFox IOC database |

cyber_ip_reputation

| Field | Type | Description |
|---|---|---|
| threatLevel | string | HIGH, MEDIUM, LOW, or CLEAN with explanation |
| abuseipdb.abuseConfidenceScore | integer | 0-100 abuse confidence (100 = definite malicious) |
| abuseipdb.totalReports | integer | Number of abuse reports filed |
| abuseipdb.isp | string | Internet service provider |
| abuseipdb.isTor | boolean | Whether IP is a known Tor exit node |
| shodan.ports | array | Open ports found by Shodan |
| shodan.vulns | array | Known CVEs affecting services on this IP |

How it works

Mental model: Query -> sub-actor(s) or direct API call -> data collection -> risk scoring/labeling -> structured JSON response.

Most tools delegate to specialized Apify actors via a runActor() helper with a 120-second timeout (180 seconds for NVD and CT log queries). If a sub-actor fails, the helper returns an empty array rather than throwing — upstream source unavailability degrades gracefully without failing the entire tool call.

Multiple tools call external APIs directly: cyber_breach_check (HIBP), cyber_threat_check (URLhaus + ThreatFox + VirusTotal), cyber_file_hash_check (VirusTotal + ThreatFox), cyber_ip_reputation (AbuseIPDB + Shodan), cyber_search_hosts (Shodan alongside Censys), cyber_export_siem (pure formatting), cyber_attack_surface_map (Shodan + HIBP alongside sub-actors), and cyber_generate_report (all sources). All lookups run in parallel. Repeated requests within 5 minutes hit an in-memory cache in standby mode.

Key architectural features

  • nextSteps remediation: Every tool response includes context-aware remediation recommendations. AI agents can read these to suggest specific actions.
  • Cross-source correlation: Investigation tools (cyber_investigate, cyber_full_investigation) generate analyst-grade correlation insights by combining signals across sources.
  • SIEM integration: cyber_export_siem formats any tool's output as CEF (Splunk/ArcSight/QRadar), STIX 2.1 (Microsoft Sentinel/OpenCTI/TAXII), or Syslog (RFC 5424).
  • Watchlist persistence: cyber_watchlist_check stores results in Apify Key-Value Store between calls for delta tracking.
  • Context-aware scoring: cyber_vendor_risk_score accepts internet_facing and business_criticality parameters to adjust scores for your environment.

Risk scoring algorithms

cyber_domain_intelligence uses deterministic rules: domain age under 30 days = CRITICAL, 30-180 days = WARNING, no email security (SPF/DMARC/DKIM) = WARNING, DNSSEC not enabled = INFO, KEV matches = ALERT with ransomware sub-count.
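The deterministic rules just listed, applied to a constructed copy of the cyber_domain_intelligence sample output above. This is an added illustration, not the server's own code: it reproduces the labels and thresholds the page states, while the indicator wording is approximate.

```python
from typing import Dict, List, Optional

# Constructed input shaped like the cyber_domain_intelligence sample output
# (only the fields the rules need are included).
SAMPLE_RESULT = {
    "domain": "pinnacle-industries.io",
    "dns": {"spfRecord": None, "dmarcRecord": None, "dkimFound": False},
    "whois": {"domainAge": 12, "dnssec": False},
    "exploitedVulnerabilities": {
        "total": 3,
        "entries": [{"cveID": "CVE-2023-44487", "knownRansomwareCampaignUse": "Known"}],
    },
}


def has_email_security(dns: Dict) -> bool:
    """Mirrors dns.hasEmailSecurity: true if any of SPF, DMARC or DKIM was found."""
    return bool(dns.get("spfRecord") or dns.get("dmarcRecord") or dns.get("dkimFound"))


def age_indicator(domain_age_days: int) -> Optional[str]:
    """Page rule: under 30 days = CRITICAL, 30-180 days = WARNING, older = no indicator."""
    if domain_age_days < 30:
        return (f"CRITICAL: Domain is only {domain_age_days} days old "
                "(very new domain, high phishing risk)")
    if domain_age_days <= 180:
        return f"WARNING: Domain is {domain_age_days} days old (recently registered)"
    return None


def kev_indicator(kev: Dict) -> Optional[str]:
    """Page rule: any KEV match = ALERT, with the ransomware-linked sub-count."""
    total = kev.get("total", 0)
    if total == 0:
        return None
    ransomware = sum(1 for e in kev.get("entries", [])
                     if e.get("knownRansomwareCampaignUse") == "Known")
    return (f"ALERT: {total} known exploited vulnerabilities found for this vendor "
            f"({ransomware} ransomware-linked)")


def risk_indicators(result: Dict) -> List[str]:
    """Apply the rules in the order the sample output lists them."""
    indicators: List[str] = []
    age = age_indicator(result["whois"]["domainAge"])
    if age:
        indicators.append(age)
    if not has_email_security(result["dns"]):
        indicators.append("WARNING: No email security records found "
                          "(no SPF, DMARC, or DKIM); domain may be spoofable")
    if not result["whois"].get("dnssec", False):
        indicators.append("INFO: DNSSEC not enabled; domain is not protected "
                          "against DNS spoofing")
    kev = kev_indicator(result.get("exploitedVulnerabilities", {}))
    if kev:
        indicators.append(kev)
    return indicators
```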

cyber_vendor_risk_score (v2) uses age-weighted scoring across four factors:

  • KEV vulnerabilities (0-30 points) — recent KEV entries (added in last year) count 4 pts each, older entries 1.5 pts, ransomware-linked +5 pts.
  • CVE vulnerability profile (0-25 points) — each CVE is scored by severity_weight × age_decay × exploitability_bonus, where age decay is exp(-0.35 × years) (a 5-year-old CVE contributes ~10% of a new one). Log-scale normalization prevents volume domination — 200 CVEs over 20 years ≠ crisis.
  • Domain security (0-25 points) — email security gaps, domain age, DNSSEC, certificate presence.
  • Recent vulnerability velocity (0-20 points) — CRITICAL/HIGH CVEs in the last 6 months, weighted by severity.
  • Disclosure maturity bonus (up to -10 points) — vendors with 3+ years of consistent disclosure history at <40 CVEs/year get a score reduction. A mature vendor who discloses regularly is healthier than their raw CVE count suggests.

Final score: 0-20 LOW, 21-40 MODERATE, 41-60 ELEVATED, 61-80 HIGH, 81-100 CRITICAL.
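A worked version of the vendor risk scoring rules above, added here as illustration rather than taken from the server. The KEV points, the exp(-0.35 × years) decay, the maturity criteria, the context multipliers and the score bands are as the page states them; severity weights, the exploitability bonus, the log normalisation constant and the velocity sub-weights are assumptions marked in the code, so the output will not match the server's own numbers.

```python
import math
from typing import Dict, List

# ASSUMPTION: the page gives no severity weights; these are illustrative.
SEVERITY_WEIGHT = {"CRITICAL": 1.0, "HIGH": 0.7, "MEDIUM": 0.4, "LOW": 0.1}
# From the page: business_criticality multipliers and final score bands.
CRITICALITY = {"low": 0.7, "medium": 1.0, "high": 1.2, "critical": 1.5}
LEVELS = [(20, "LOW"), (40, "MODERATE"), (60, "ELEVATED"), (80, "HIGH"), (100, "CRITICAL")]


def kev_points(total: int, added_last_year: int, ransomware_linked: int) -> float:
    """Page rule: recent KEV entries 4 pts, older 1.5 pts, +5 per ransomware-linked; 0-30."""
    raw = 4.0 * added_last_year + 1.5 * (total - added_last_year) + 5.0 * ransomware_linked
    return min(30.0, raw)


def age_decay(years: float) -> float:
    """Page formula exp(-0.35 * years); at 5 years this evaluates to about 0.17."""
    return math.exp(-0.35 * years)


def cve_profile_points(cves: List[Dict]) -> float:
    """Page rule: severity_weight * age_decay * exploitability_bonus per CVE, then
    log-scale normalisation. ASSUMPTION: bonus 1.5 for exploited CVEs, and a raw
    sum of 50 saturates the 25-point band."""
    raw = 0.0
    for cve in cves:
        weight = SEVERITY_WEIGHT.get(cve["severity"], 0.1)
        bonus = 1.5 if cve.get("exploited") else 1.0
        raw += weight * age_decay(cve["age_years"]) * bonus
    return min(25.0, 25.0 * math.log1p(raw) / math.log1p(50.0))


def velocity_points(cves: List[Dict]) -> float:
    """Page rule: CRITICAL/HIGH CVEs in the last 6 months, severity-weighted, 0-20.
    ASSUMPTION: 4 pts per CRITICAL and 2 pts per HIGH."""
    recent = [c for c in cves if c["age_years"] <= 0.5]
    pts = sum(4.0 if c["severity"] == "CRITICAL" else 2.0 if c["severity"] == "HIGH" else 0.0
              for c in recent)
    return min(20.0, pts)


def maturity_bonus(years_disclosing: int, cves_per_year: float) -> float:
    """Page rule: 3+ years of consistent disclosure at <40 CVEs/year earns up to -10.
    ASSUMPTION: the full -10 is granted once the criteria are met."""
    return -10.0 if years_disclosing >= 3 and cves_per_year < 40 else 0.0


def vendor_risk_score(factors: Dict[str, float], internet_facing: bool = False,
                      business_criticality: str = "medium"):
    """Sum the factor points, apply the page's context multipliers, clamp to 0-100
    and map to a level. Returns (score, level)."""
    base = sum(factors.values())
    if internet_facing:
        base *= 1.3  # page: internet-facing vendors score 30% higher
    base *= CRITICALITY[business_criticality]
    score = int(max(0, min(100, round(base))))
    level = next(name for limit, name in LEVELS if score <= limit)
    return score, level


# Constructed CVE profile for a small vendor (not real data).
SAMPLE_CVES = [
    {"severity": "CRITICAL", "age_years": 0.2, "exploited": True},
    {"severity": "HIGH", "age_years": 0.4, "exploited": False},
    {"severity": "HIGH", "age_years": 2.0, "exploited": False},
    {"severity": "MEDIUM", "age_years": 6.0, "exploited": False},
]
```

Feeding the page's Apache factor points (18, 19.5, 10.5, -10) through vendor_risk_score reproduces its MODERATE band; the same points with internet_facing and critical business_criticality land in CRITICAL, which is the effect the context parameters are meant to have.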

Pricing

$0.045 per tool call for most tools. $0.09 for vendor risk scoring, full investigation, attack surface mapping, and report generation. SIEM export is free (formatting only). No subscription.

| Scenario | Tools | Cost |
|---|---|---|
| Quick CVE lookup | 1 | $0.045 |
| Full domain assessment | 1 | $0.045 |
| Domain + threat + breach investigation | 3 | $0.135 |
| File hash malware check | 1 | $0.045 |
| IP reputation check | 1 | $0.045 |
| Vendor risk score | 1 | $0.09 |
| Full domain security audit | 1 | $0.09 |
| Attack surface map | 1 | $0.09 |
| Security report generation | 1 | $0.09 |
| SIEM export (CEF/STIX/Syslog) | 1 | free |
| Watchlist monitoring (up to 20 items) | 1 | $0.045 |
| Weekly vulnerability scan (50 searches) | 50 | $2.25 |

You can set a maximum spending limit per run. The server halts cleanly when your budget is reached.

Apify's free tier includes $5 of monthly platform credits — approximately 111 tool calls per month at no cost.

Programmatic access

Python

```python
import requests

response = requests.post(
    "https://cybersecurity-intelligence-mcp.apify.actor/mcp",
    headers={
        "Content-Type": "application/json",
        "Authorization": "Bearer YOUR_API_TOKEN"
    },
    json={
        "jsonrpc": "2.0",
        "method": "tools/call",
        "params": {
            "name": "cyber_domain_intelligence",
            "arguments": {"domain": "suspicious-vendor.io", "check_exploited": True}
        },
        "id": 1
    }
)
response.raise_for_status()  # surface HTTP errors (e.g. a bad token) before parsing
print(response.json())
```

JavaScript

```javascript
const response = await fetch("https://cybersecurity-intelligence-mcp.apify.actor/mcp", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer YOUR_API_TOKEN"
  },
  body: JSON.stringify({
    jsonrpc: "2.0",
    method: "tools/call",
    params: {
      name: "cyber_domain_intelligence",
      arguments: { domain: "suspicious-vendor.io", check_exploited: true }
    },
    id: 1
  })
});
console.log(await response.json());
```

cURL

```bash
curl -X POST "https://cybersecurity-intelligence-mcp.apify.actor/mcp" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/call",
    "params": {
      "name": "cyber_domain_intelligence",
      "arguments": { "domain": "suspicious-vendor.io", "check_exploited": true }
    },
    "id": 1
  }'
```

Tips for best results

  1. Start with cyber_domain_intelligence. It runs DNS, WHOIS, SSL, and KEV in parallel in a single $0.045 call. Reserve individual tools for follow-up deep dives.
  2. Enable ransomware_only: true for KEV queries. Narrows results to CVEs linked to ransomware campaigns — the highest-priority patching obligations.
  3. Pass arrays to DNS and WHOIS tools. Both accept up to 50 domains per call — auditing 50 domains costs $0.045 total.
  4. Set deduplicate: false for certificate forensics. Full certificate history mode reveals every issuance event and validity window for timeline reconstruction.
  5. Narrow Censys queries with service filters. Broad queries exhaust the 100-result free tier limit. Use services.service_name: SSH AND location.country: DE for targeted results.
  6. Use cyber_threat_check before allowing access to unknown URLs. Returns a threat level combining VirusTotal (70+ AV engines), URLhaus, and ThreatFox verdicts.
  7. Use cyber_file_hash_check for malware triage. Got a hash from a SIEM alert? Check it against 70+ AV engines in one call.
  8. Use cyber_ip_reputation for log investigation. Suspicious IPs from firewall logs get instant AbuseIPDB scoring and Shodan service enumeration.
  9. Set spending limits for automated workflows. Configure a per-run spending cap when running agent-driven workflows.

Limitations

  • Passive data collection only — no active scanning, port probing, or packet injection. Cannot replace Nmap, Nessus, or Burp Suite.
  • NVD rate limits — approximately 5 requests per 30 seconds. Wide date ranges with 200+ results take 2-5 minutes.
  • Censys free tier — 250 queries/month. Without credentials, cyber_search_hosts returns demo data from Censys (Shodan still works if key is set).
  • Shodan free tier — IP lookup only (no search queries). Paid Shodan membership offers broader search capabilities.
  • VirusTotal free tier — 4 requests/minute, 500/day. Sufficient for interactive use, may throttle in batch workflows.
  • AbuseIPDB free tier — 1000 checks/day. Sufficient for most workflows.
  • HIBP API key required for per-email lookups — domain-level breach search is free, but per-email checks require a $3.50/month key.
  • WHOIS registrant privacy — GDPR/ICANN privacy means registrant contacts are almost universally redacted. Domain age and registrar data remain available.
  • DKIM selector coverage — checks 10 common selectors. Organizations using custom selectors may not have DKIM detected.
  • Vendor name heuristic — domain intelligence extracts the first domain label as vendor name ("citrix" from "citrix.com"). Generic domains produce irrelevant KEV results — use cyber_exploited_vulnerabilities directly for precise vendor matching.
  • CT log coverage — crt.sh indexes major Certificate Transparency logs but not all.

Combine with other actors

| Actor | How to combine |
|---|---|
| Website Tech Stack Detector | Detect the software stack, then feed technologies into cyber_search_vulnerabilities for CVE correlation |
| Company Deep Research | Generate a business intelligence profile, then add the security layer with cyber_domain_intelligence |
| Website Change Monitor | Track domain content changes over time to complement current-state security assessment |
| B2B Lead Qualifier | Score leads from website signals, then add a security risk dimension with cyber_vendor_risk_score |
| Bulk Email Verifier | Verify email addresses discovered during breach checks |

Integrations

  • Zapier — trigger domain intelligence when a new vendor enters your procurement system
  • Make — build CVE triage workflows that query CISA KEV daily and create Jira tickets
  • Google Sheets — export DNS and email security audit results for compliance tracking
  • Webhooks — receive alerts when scheduled scans return new CRITICAL indicators
  • LangChain / LlamaIndex — embed as the security intelligence layer in LLM-powered SOC automation

How to check if a CVE is actively exploited

Call cyber_exploited_vulnerabilities with the CVE ID as the query parameter. If the CVE is in the CISA KEV catalog, the response includes the federal patch dueDate and knownRansomwareCampaignUse flag. A zero-result response means the CVE is not in the KEV catalog — which is good news.

How to investigate a suspicious domain for malware

Run cyber_threat_check with the domain name. The tool queries VirusTotal (70+ AV engine verdicts), URLhaus (malicious URL database), and ThreatFox (IOC feed) in parallel. The response includes a combined threat level (CLEAN, LOW, MEDIUM, HIGH) and per-source indicators. Follow up with cyber_domain_intelligence for a broader risk profile.

How to audit email security across multiple domains

Call cyber_dns_lookup with an array of up to 50 domains and check_email_security: true. Returns SPF, DMARC, and DKIM status for each domain plus a summary count. Export results to Google Sheets for compliance reporting.

Troubleshooting

cyber_search_vulnerabilities returns no results — NVD keyword search is case-insensitive for general keywords but case-sensitive for CPE names. Try variations: "log4j", "log4j2", "log4shell". Use exact_match: false to broaden matching.

cyber_search_hosts returns demo data — Censys credentials not configured. Set CENSYS_API_ID and CENSYS_API_SECRET as environment variables. Free at censys.io. Alternatively, set SHODAN_API_KEY for IP-based lookups.

cyber_file_hash_check says VIRUSTOTAL_API_KEY not set — File hash lookups require a VirusTotal API key. Free at virustotal.com (500 lookups/day). The ThreatFox check still runs without it.

cyber_threat_check shows virustotal_note instead of results — Set VIRUSTOTAL_API_KEY as an environment variable. Without it, threat checks still use URLhaus and ThreatFox but lack multi-engine AV verdicts.

cyber_ip_reputation returns no credentials error — Set ABUSEIPDB_API_KEY (free at abuseipdb.com) and/or SHODAN_API_KEY (free at shodan.io).

cyber_breach_check returns HIBP_API_KEY error — Per-email lookups require a $3.50/month API key. Set HIBP_API_KEY as an environment variable. Alternatively, use the domain parameter for free domain-level search.

cyber_domain_intelligence shows irrelevant KEV matches — Vendor is guessed from the first domain label. For "cloud.mycompany.com", it queries KEV for "cloud". Use cyber_exploited_vulnerabilities directly with the explicit vendor parameter.

Vulnerability searches taking 3+ minutes — NVD rate limits. Reduce max_results or narrow the date range.

FAQ

Does it perform active scanning? No. All data comes from public sources. No probes are sent to target infrastructure.

How is it different from Shodan or VirusTotal? This server integrates both Shodan and VirusTotal alongside 10 other sources. Shodan and VirusTotal direct subscriptions offer deeper features (Shodan's historical data, VT's sandbox analysis). This server's value is aggregation and orchestration — one MCP call assembles intelligence from multiple sources with risk scoring, structured for AI agents.

Can I check if a specific CVE is actively exploited? Yes. Call cyber_exploited_vulnerabilities with the CVE ID. If it is in the CISA KEV catalog, you get the patch deadline and ransomware linkage.

What is the difference between cyber_domain_intelligence and cyber_vendor_risk_score? Domain intelligence returns qualitative risk indicators (CRITICAL/WARNING/ALERT/INFO) for a single domain. Vendor risk scoring returns a quantitative 0-100 score designed for vendor comparison and procurement decisions.

Can I scan multiple domains at once? cyber_dns_lookup and cyber_whois_lookup accept up to 50 domains per call. cyber_domain_intelligence processes one domain per call because it runs 3-5 sub-actors in parallel.

What happens if a data source is unavailable? Individual source failures return empty arrays. Domain intelligence runs sources in parallel — if one fails, others still return and risk indicators are generated from available data.

Can I export results to my SIEM? Yes. Run any tool first, then pass its output to cyber_export_siem with format cef (Splunk/ArcSight), stix (Microsoft Sentinel/OpenCTI), or syslog (any syslog collector). The export is free — no additional charge.

Can I monitor domains or IPs continuously? Yes. cyber_watchlist_check accepts up to 20 items and compares current state against stored previous results. First run establishes a baseline. Subsequent runs return what changed — new threats, score increases, new breaches.

Can I get a PDF-ready security report? cyber_generate_report produces structured markdown reports in four formats: executive (board-level), technical (full detail), vendor_assessment (procurement), and incident (IR documentation). AI agents can render the markdown as PDF.

How does context-aware vendor scoring work? Set internet_facing: true to increase the risk score by 30% (internet-exposed vendors are higher risk). Set business_criticality to adjust thresholds: low (0.7x), medium (1.0x), high (1.2x), critical (1.5x). A low-criticality vendor with the same CVE profile scores lower than a critical one.

How accurate are the risk indicators? Indicators use deterministic rules: domain age thresholds, email security presence/absence, KEV match count. They produce actionable signals, not probabilistic scores. A legitimate new domain may trigger a CRITICAL flag — treat indicators as investigation starting points.

Is it legal to use for domain reconnaissance? It queries publicly available databases and standard internet infrastructure. Legality depends on jurisdiction and intended use. Consult legal counsel for compliance with local laws.

Recent updates

  • Added cyber_breach_check — queries Have I Been Pwned for email and domain breach history
  • Added cyber_threat_check — detects malware, phishing, and C2 via URLhaus and ThreatFox
  • Added cyber_vendor_risk_score — automated 0-100 vendor risk scoring with weighted factors
  • Expanded from 8 to 11 tools
  • Censys and HIBP credentials now configured via environment variables

Responsible use

Cybersecurity Intelligence MCP Server queries publicly available data from government databases (NVD, CISA KEV), public Certificate Transparency logs, standard DNS/WHOIS infrastructure, the Have I Been Pwned API, and abuse.ch threat feeds. It does not bypass authentication, CAPTCHAs, or access restricted content. All data collection is passive. Users are responsible for ensuring their use complies with applicable laws and platform terms. For guidance on web scraping legality, see Apify's guide.

Support

Found a bug or have a feature request? Open an issue in the Issues tab. For custom solutions or enterprise integrations, reach out through the Apify platform.

If you encounter issues, enable run sharing in Account Settings > Privacy so we can see your run details and debug faster.