Entity Attack Surface MCP Server

Pricing

from $120.00 / 1,000 attack surface discoveries

Corporate cyber exposure MCP wrapping 11 actors. DNS, SSL, WHOIS, Censys, tech stack to CVE/CISA KEV mapping, infrastructure sprawl analysis. Exposure Score 0-100. Pay-per-event.

Developer: ryan clinton

Maintained by Community

Corporate cyber exposure intelligence via the Model Context Protocol. This MCP server orchestrates 11 data sources to discover and score an organization's digital attack surface -- from DNS and SSL infrastructure to technology vulnerabilities and CISA Known Exploited Vulnerabilities. Produces Exposure Scores (0-100) and letter grades (A-F) through passive reconnaissance only. Purpose-built for MSSPs, cyber insurers, SOC teams, and M&A due diligence.

What data can you access?

| Data Point | Source |
| --- | --- |
| DNS records (A, AAAA, MX, TXT, CNAME, NS) | DNS Lookup |
| SSL certificates and subdomain discovery | crt.sh Certificate Transparency |
| Domain registration and ownership | WHOIS Lookup |
| Internet-wide host and service enumeration | Censys Host Search |
| IP address location and ASN mapping | IP Geolocation |
| Known vulnerabilities by technology | NVD CVE Search |
| Actively exploited vulnerabilities | CISA KEV Catalog |
| Website technology identification | Tech Stack Detector |
| Historical web page snapshots | Wayback Machine |
| Public code repositories and secrets | GitHub Repo Search |
| Website content change tracking | Website Change Monitor |

MCP Tools

| Tool | Price | Description |
| --- | --- | --- |
| discover_attack_surface | $2.00 | Full attack surface discovery via DNS records, SSL certificate transparency logs, WHOIS registration, Censys host enumeration, and IP geolocation. Returns infrastructure map with subdomain count and unique IPs |
| tech_stack_vulnerability_map | $2.00 | Detect a domain's technology stack (CMS, frameworks, libraries, servers) and cross-reference each technology against the NVD for known CVEs. The core tech-to-CVE pipeline |
| cisa_kev_exposure_check | $2.00 | Check if detected technologies match any CISA Known Exploited Vulnerabilities -- actively exploited in the wild, requiring urgent remediation per BOD 22-01 |
| infrastructure_sprawl_analysis | $2.00 | Analyze infrastructure sprawl by mapping DNS subdomains, SSL certificates, and Censys hosts. Identifies shadow IT, forgotten subdomains, and geographic distribution with a Sprawl Score |
| historical_drift_detection | $2.00 | Detect historical changes in digital footprint using Wayback Machine archives and website change monitoring. Identifies compromises, defacements, or unauthorized modifications |
| exposed_code_secrets_scan | $2.00 | Search for public GitHub repositories and identify potential secret/credential exposure based on repository names suggesting internal tools, configs, or sensitive data |
| third_party_cyber_rating | $4.00 | Generate a composite third-party cyber risk rating (A-F) combining email security (SPF/DMARC), SSL hygiene, network exposure, and tech complexity. Similar to SecurityScorecard or BitSight |
| attack_vector_report | $4.00 | Comprehensive attack surface report running all 11 actors. Produces an Exposure Score (0-100) across infrastructure, vulnerability, code, and historical drift dimensions with prioritized remediation |

Data Sources

  • DNS Lookup -- DNS record enumeration including A, AAAA, MX, TXT, CNAME, and NS records for mapping mail, web, and infrastructure architecture
  • SSL/crt.sh Certificate -- Certificate transparency log search revealing all issued certificates and subdomains across the target domain
  • WHOIS Lookup -- Domain registration data including registrar, creation date, expiration, and registrant information
  • Censys Host Search -- Internet-wide scan index showing open ports, services, and TLS configurations across the target's IP space
  • IP Geolocation -- Geographic location and ASN mapping for discovered IP addresses, revealing hosting distribution
  • NVD CVE Search -- NIST National Vulnerability Database with CVE details, CVSS scores, and affected product versions
  • CISA KEV Catalog -- Cybersecurity and Infrastructure Security Agency catalog of vulnerabilities actively exploited in the wild
  • Tech Stack Detector -- Website technology identification covering CMS platforms, JavaScript frameworks, CDNs, analytics tools, and server software
  • Wayback Machine -- Internet Archive historical snapshots for detecting page additions, removals, and content changes over time
  • GitHub Repo Search -- Public repository discovery and metadata analysis for code leak and credential exposure detection
  • Website Change Monitor -- Active website content change tracking for detecting unauthorized modifications

How the scoring works

The attack_vector_report produces an Exposure Score (0-100) computed from four weighted dimensions.

Email Security (20% weight) checks for SPF and DMARC DNS records. Missing SPF deducts 40 points; missing DMARC deducts 40 points. Email without these protections is vulnerable to spoofing and phishing.

SSL Hygiene (25% weight) evaluates certificate health. Expired certificates deduct 30 points. No certificates found deducts 50 points. Proper TLS configuration across all subdomains is essential.

Network Exposure (35% weight) analyzes Censys-discovered open ports. Dangerous ports (FTP 21, Telnet 23, SMB 445, RDP 3389, VNC 5900, Redis 6379, MongoDB 27017, Elasticsearch 9200) each deduct 15 points. More than 10 open ports deducts an additional 20 points.

Tech Complexity (20% weight) penalizes excessive technology surface area. Each detected technology adds 1.5 points of exposure (capped at 30 technologies).

The third_party_cyber_rating also produces a weighted composite score with letter grade:

| Score | Grade | Assessment |
| --- | --- | --- |
| 90-100 | A | Excellent security posture |
| 80-89 | B | Good security with minor gaps |
| 70-79 | C | Moderate risk -- improvements needed |
| 60-69 | D | Significant security concerns |
| 0-59 | F | Critical exposure -- immediate action required |
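
The deductions and weights above, carried through as an added Python example (not the server's own code), producing per-dimension scores and the letter grade from the table. It assumes each dimension starts at 100 and is floored at 0, that the expired-certificate deduction applies once, and that Tech Complexity exposure points are subtracted from 100; function and parameter names are hypothetical.

```python
# Added example, not the server's code. Assumptions: dimensions start at 100,
# floor at 0; expired-cert deduction applies once; tech points are subtracted.
DANGEROUS_PORTS = {21, 23, 445, 3389, 5900, 6379, 27017, 9200}
WEIGHTS = {"email": 0.20, "ssl": 0.25, "network": 0.35, "tech": 0.20}
GRADES = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def dimension_scores(txt, dmarc_txt, certs, open_ports, technologies):
    """Score each dimension 0-100; dmarc_txt holds TXT records at _dmarc.<domain>."""
    email = 100
    if not any(r.lower().startswith("v=spf1") for r in txt):
        email -= 40  # missing SPF
    if not any(r.lower().startswith("v=dmarc1") for r in dmarc_txt):
        email -= 40  # missing DMARC

    ssl = 100
    if not certs:
        ssl -= 50  # no certificates found
    elif any(c["expired"] for c in certs):
        ssl -= 30  # expired certificate present

    ports = set(open_ports)
    network = 100 - 15 * len(ports & DANGEROUS_PORTS)  # 15 per dangerous port
    if len(ports) > 10:
        network -= 20  # more than 10 open ports

    tech = 100 - 1.5 * min(len(set(technologies)), 30)  # capped at 30 technologies
    raw = {"email": email, "ssl": ssl, "network": network, "tech": tech}
    return {name: max(0.0, float(v)) for name, v in raw.items()}


def composite_rating(scores):
    """Weighted composite (0-100) and its letter grade from the table above."""
    total = round(sum(WEIGHTS[k] * scores[k] for k in WEIGHTS), 1)
    return total, next(g for floor, g in GRADES if total >= floor)


# Constructed sample: SPF present, DMARC missing, one expired certificate,
# RDP and Redis exposed, twelve detected technologies.
SAMPLE = dimension_scores(
    txt=["v=spf1 include:_spf.example.com ~all"],
    dmarc_txt=[],
    certs=[{"cn": "www.example.com", "expired": False},
           {"cn": "old.example.com", "expired": True}],
    open_ports=[80, 443, 3389, 6379],
    technologies=[f"tech-{i}" for i in range(12)],
)
print(SAMPLE, composite_rating(SAMPLE))
```

Because Network Exposure carries the largest weight, closing the two dangerous ports in the sample moves the composite more than any other single fix.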

How to connect this MCP server

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "entity-attack-surface": {
      "url": "https://entity-attack-surface-mcp.apify.actor/mcp"
    }
  }
}

Programmatic (HTTP)

curl -X POST https://entity-attack-surface-mcp.apify.actor/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"discover_attack_surface","arguments":{"domain":"example.com"}},"id":1}'

This MCP also works with Cursor, Windsurf, Cline, and any other MCP-compatible client.

Use cases for attack surface intelligence

MSSP Client Assessments

Run automated external attack surface assessments across your entire client portfolio. Identify shadow IT, forgotten subdomains, and exposed services without active scanning.

Cyber Insurance Underwriting

Generate pre-binding technical risk assessments with quantified Exposure Scores for underwriting decisions. The cyber rating mirrors industry-standard scoring from SecurityScorecard and BitSight.

SOC Continuous Monitoring

Set up recurring attack surface discovery to detect new subdomains, expired certificates, newly exposed ports, and CISA KEV matches before attackers find them.

M&A Technical Due Diligence

Assess acquisition targets' digital infrastructure for hidden liabilities -- shadow IT, exposed credentials, vulnerable tech stacks, and compliance gaps.

Vendor Risk Management

Rate third-party vendors and partners using the composite cyber rating. Identify vendors with dangerous port exposure, missing email security, or CISA KEV matches.

Code Exposure Auditing

Scan GitHub for public repositories containing keywords suggesting internal tools, credentials, API keys, or configuration files that should not be publicly accessible.

How much does it cost?

This MCP uses pay-per-event pricing. You are only charged when a tool is called -- there is no subscription or monthly fee.

The Apify Free plan includes $5 of monthly platform credits, covering multiple assessments at no cost.

Cost examples:

  • Quick attack surface discovery: $2.00
  • CISA KEV exposure check: $2.00
  • Full attack vector report with Exposure Score: $4.00
  • Third-party cyber rating for a vendor: $4.00

How it works

  1. You call a tool (e.g., attack_vector_report) with a target domain and optional GitHub organization
  2. The MCP dispatches parallel requests to up to 11 Apify actors simultaneously
  3. DNS records, SSL certificates, WHOIS data, Censys hosts, tech stack, CVEs, CISA KEVs, Wayback snapshots, and GitHub repos are collected
  4. The scoring engine computes exposure across infrastructure, vulnerability, code, and drift dimensions
  5. A structured JSON response is returned with the Exposure Score, grade, dimensional breakdown, and prioritized remediation recommendations

Important: This MCP uses only passive reconnaissance from public data sources. No packets are sent to the target. No active scanning occurs.

FAQ

Q: Does this perform active scanning? A: No. This MCP only uses passive reconnaissance from public data sources (DNS records, certificate transparency logs, WHOIS, Censys index, NVD). No packets are sent to the target domain.

Q: How does the tech-to-CVE pipeline work? A: The Tech Stack Detector identifies technologies and versions on the target URL. These are cross-referenced against NVD CVE data for known vulnerabilities, then checked against the CISA KEV catalog to prioritize actively exploited ones.

Q: What is the CISA KEV and why does it matter? A: CISA Known Exploited Vulnerabilities are CVEs confirmed to be actively exploited in the wild. Under BOD 22-01, federal agencies must remediate these within prescribed timelines. Finding KEV matches in a tech stack requires urgent action.

Q: How accurate is the infrastructure sprawl detection? A: It discovers all SSL certificates issued for the domain via certificate transparency logs and cross-references with DNS records and Censys data. Coverage depends on the completeness of public indexes.

Q: Is it legal to use this? A: This tool accesses only publicly available data from DNS, WHOIS, certificate transparency, and vulnerability databases. See Apify's guide on web scraping legality.

Q: Can I assess multiple domains at once? A: Call the tools separately for each domain. For portfolio assessments, use the Apify API to batch calls programmatically.

| MCP Server | Description |
| --- | --- |
| ryanclinton/digital-infrastructure-exposure-mcp | Passive infrastructure recon and misconfiguration detection |
| ryanclinton/counterparty-due-diligence-mcp | Corporate KYB with digital presence verification |
| ryanclinton/financial-crime-screening-mcp | AML/CFT screening with sanctions and watchlist checks |

Integrations

This MCP server runs on the Apify platform and supports:

  • Apify API -- Call any tool programmatically via the Apify Actor API
  • Scheduling -- Set up recurring attack surface scans on daily, weekly, or monthly schedules
  • Webhooks -- Get notified when scans complete for integration with SIEM, ticketing, or GRC platforms
  • Apify integrations -- Connect to Slack, Google Sheets, Zapier, Make, and other platforms