Cybersecurity Intelligence MCP Server

View on ApifyForge | Use on Apify Store


Quick Start

Add to your MCP client (Claude Desktop, Cursor, Windsurf):

{
  "mcpServers": {
    "cybersecurity-intelligence-mcp": {
      "url": "https://ryanclinton--cybersecurity-intelligence-mcp.apify.actor/mcp"
    }
  }
}

Cybersecurity intelligence for AI agents — search 200,000+ CVEs, check the CISA Known Exploited Vulnerabilities catalog, enumerate subdomains via Certificate Transparency, audit DNS and email security, scan internet-exposed hosts via Censys, and investigate domain registration — all through a single MCP server. Built for security engineers, penetration testers, and AI-powered workflows that need structured threat intelligence without active scanning.

Connect once to Claude Desktop, Cursor, or any MCP-compatible client and your AI can investigate CVE exposure, analyze a domain's attack surface, map subdomains, and produce risk-scored security assessments on demand. Eight tools wrap six authoritative public data sources: NIST NVD, CISA KEV, Censys, crt.sh Certificate Transparency logs, DNS/email security records, and WHOIS/RDAP registration data.

⬇️ What data can you extract?

| Data point | Source | Example |
| --- | --- | --- |
| 📋 CVE ID, description, CVSS score | NIST NVD | CVE-2021-44228, CVSS 10.0 CRITICAL |
| ⚔️ Attack vector and attack complexity | NIST NVD | NETWORK / LOW |
| 🔍 CWE weakness classifications | NIST NVD | CWE-502 (Deserialization) |
| 🚨 Actively exploited vulnerability flag | CISA KEV | knownRansomwareCampaignUse: "Known" |
| 🗓️ KEV due date for mandatory patching | CISA KEV | 2022-05-04 (Federal agencies) |
| 🌐 Internet-exposed hosts and open ports | Censys | 192.0.2.14:3306 (MySQL exposed) |
| 🔒 SSL/TLS certificate history per domain | crt.sh CT logs | 847 certs, 134 unique subdomains |
| 📡 A, AAAA, MX, NS, TXT, CNAME, SOA records | DNS lookup | a.example.com → 93.184.216.34 |
| 🛡️ SPF, DMARC, DKIM email security audit | DNS lookup | DMARC: p=reject, SPF: pass |
| 🏢 Domain registrar, registration date, age | WHOIS/RDAP | Registered 2003-01-01, age 8,115 days |
| ⏳ Domain expiry and days-until-expiry | WHOIS/RDAP | Expires 2027-01-01, 652 days |
| ⚠️ Risk indicators with severity labels | Domain Intelligence | ALERT, WARNING, CRITICAL, INFO |

Why use the Cybersecurity Intelligence MCP Server?

Cybersecurity investigations today mean switching between five or six browser tabs: NVD for CVE lookups, CISA's KEV catalog for exploit status, crt.sh for certificate enumeration, a WHOIS tool, an MX lookup tool, and Censys for host reconnaissance. Each lookup is manual, copy-paste heavy, and produces raw data that still needs interpretation. A single vendor assessment can take 30-45 minutes before you have a usable picture.

This MCP server delivers all six data sources through a unified interface your AI client can call as tools. Ask Claude "what vulnerabilities affect Apache and are currently being exploited?" and it queries NVD and CISA KEV, cross-references results, and presents a prioritized list — in under 30 seconds. The cyber_domain_intelligence tool runs DNS, WHOIS, SSL, and KEV checks in parallel and returns a risk-scored summary with labeled indicators.

  • Scheduling — run recurring security assessments via Apify platform cron scheduling to keep your threat intelligence current
  • API access — trigger runs from Python, JavaScript, or any HTTP client with your Apify token
  • Monitoring — receive Slack or email alerts when runs fail or return unexpected results
  • Integrations — pipe results into Zapier, Make, Google Sheets, HubSpot, or custom webhooks
  • Spending controls — set a per-run budget cap so AI agents cannot exceed your cost threshold

Features

  • NIST NVD CVE search — query 200,000+ published CVEs by keyword, direct CVE ID, CPE product string, CVSS v3 severity (CRITICAL/HIGH/MEDIUM/LOW), or publication date range; returns CVSS base score, attack vector, attack complexity, privileges required, user interaction, and all CWE weakness IDs
  • CISA KEV catalog — search the definitive list of CVEs actively exploited in the wild; filter by vendor, product, date added, and ransomware campaign linkage; returns federal patch due dates and knownRansomwareCampaignUse flag
  • Censys internet host scanning — query Censys's IPv4 scan data using structured search expressions to find exposed services, open ports, and infrastructure; supports free Censys API credentials (250 queries/month free tier) and returns demo data without credentials
  • Certificate Transparency enumeration — search crt.sh for all SSL/TLS certificates ever issued to a domain; runs in deduplication mode (one row per unique subdomain) or full certificate history mode (one row per certificate); no credentials required
  • Active subdomain count and freshness — each subdomain result includes isActive, lastSeen, and certificateCount fields so you can distinguish live infrastructure from historical artifacts
  • DNS record enumeration — retrieves A, AAAA, MX, NS, TXT, CNAME, and SOA records for up to 50 domains in a single call
  • Email security audit — checks SPF record presence and policy, DMARC record and enforcement policy, and DKIM across 10 common selectors (google, default, selector1, selector2, mail, dkim, k1, k2, s1, s2); reports hasEmailSecurity boolean for each domain
  • WHOIS/RDAP domain intelligence — returns registrar, created date, expiry date, domainAge in days, expiresIn in days, nameservers, DNSSEC status, and domain status flags (clientDeleteProhibited, etc.)
  • Unified domain intelligence — cyber_domain_intelligence orchestrates DNS, WHOIS, SSL, and optional KEV/NVD checks in parallel with Promise.all, assembles a structured risk profile, and auto-generates labeled risk indicators (CRITICAL, WARNING, ALERT, INFO) based on domain age thresholds, email security gaps, DNSSEC status, KEV matches, and CVE severity
  • Risk indicator engine — automatically flags domains fewer than 30 days old as CRITICAL phishing risk, flags 30-180 day old domains as WARNING, and alerts on KEV matches with ransomware count
  • Vendor guessing for KEV cross-reference — the domain intelligence tool extracts the first domain label (e.g., "apache" from apache.org) to query CISA KEV for vendor-related exploited vulnerabilities automatically
  • Per-event spend controls — every tool call checks Actor.charge() with an event-specific budget gate; the run halts cleanly if the configured spending limit is reached rather than continuing to accrue costs
  • Stateless per-request server — each POST to /mcp creates a fresh McpServer + StreamableHTTPServerTransport pair, ensuring no session bleed between AI agent requests

Use cases for cybersecurity intelligence

Vulnerability management and patch prioritization

Security engineers responsible for patch cycles query NVD for CVEs affecting their software stack, then immediately cross-reference with CISA KEV to identify which vulnerabilities are actively exploited in the wild. The MCP server lets an AI agent perform this two-source cross-reference in a single conversational turn, returning a severity-sorted list with KEV due dates so teams can prioritize patching decisions without manual tab-switching.

Attack surface and subdomain discovery

Red teams and bug bounty hunters run cyber_ssl_certificates with deduplicate: true to enumerate all subdomains ever observed in Certificate Transparency logs. Unlike DNS brute-forcing, this approach is entirely passive and requires no active scanning. Results include isActive status so analysts can immediately focus on live subdomains vs. historical artifacts.

Phishing domain and brand protection investigation

Threat intelligence analysts investigating suspicious domains run cyber_domain_intelligence to get a rapid risk profile: domain age (very new domains trigger CRITICAL flags), email spoofability (SPF/DMARC gaps), DNSSEC status, and certificate history. Combining WHOIS age with CT log enumeration reveals whether a domain is mimicking a legitimate brand using similar subdomains or certificate patterns.

Vendor and third-party risk assessment

Procurement and vendor risk teams assess a supplier's security posture by running domain intelligence checks before onboarding. The tool reports email security configuration (a proxy for security maturity), known exploited vulnerabilities linked to the vendor's technology stack, and domain registration stability — all without requiring access to the vendor's internal systems.

Security-aware AI agent workflows

Development teams building AI agents for IT operations, SOC automation, or threat hunting embed this MCP server as the cybersecurity intelligence layer. The agent can autonomously check whether a CVE reported in an alert is in the CISA KEV catalog, enumerate the affected domain's subdomains, and produce a triage summary — without any hardcoded API integrations in the agent code.

Email security auditing for compliance

Compliance teams auditing SPF, DMARC, and DKIM configuration across dozens of company-owned domains use cyber_dns_lookup with check_email_security: true and pass arrays of up to 50 domains per call. The summary response includes domainsWithEmailSecurity and domainsWithoutEmailSecurity counts for immediate reporting.
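An added example, not the project's cyber_dns_lookup code, of how the SPF, DMARC and DKIM audit described above can be implemented. DNS resolution is injected and fed constructed TXT records so it runs offline; the 10 selectors are the ones the feature list names, while the spfPolicy and dkimSelectors fields are additions beyond the output fields the page documents.

```typescript
// Added example, not the project's code: SPF/DMARC/DKIM audit in the shape of the
// cyber_dns_lookup report. DNS resolution is injected so the example runs offline.

// The 10 DKIM selectors the feature list says the DNS tool probes.
const DKIM_SELECTORS = ["google", "default", "selector1", "selector2", "mail", "dkim", "k1", "k2", "s1", "s2"];

// Resolver contract: all TXT strings published at a name, [] when there are none.
type TxtResolver = (name: string) => string[];

interface EmailSecurityReport {
  domain: string;
  spfRecord: string | null;
  spfPolicy: "fail" | "softfail" | "neutral" | "pass" | null; // assumed field: qualifier on the SPF "all" mechanism
  dmarcRecord: string | null;
  dmarcPolicy: "none" | "quarantine" | "reject" | null;
  dkimFound: boolean;
  dkimSelectors: string[]; // assumed field: which probed selectors answered
  hasEmailSecurity: boolean;
}

function auditEmailSecurity(domain: string, resolveTxt: TxtResolver): EmailSecurityReport {
  // SPF is a TXT record at the apex that starts with "v=spf1".
  const spfRecord = resolveTxt(domain).find((t) => /^v=spf1\b/i.test(t)) ?? null;
  let spfPolicy: EmailSecurityReport["spfPolicy"] = null;
  if (spfRecord !== null) {
    // The qualifier on the trailing "all" mechanism decides what happens to unlisted senders;
    // a missing qualifier means "+" (pass), which makes the record useless against spoofing.
    const m = /(?:^|\s)([-~?+]?)all(?:\s|$)/i.exec(spfRecord);
    const q = m?.[1] ?? "+";
    spfPolicy = q === "-" ? "fail" : q === "~" ? "softfail" : q === "?" ? "neutral" : "pass";
  }

  // DMARC lives at _dmarc.<domain>; the p= tag is the enforcement policy for the domain itself.
  const dmarcRecord = resolveTxt(`_dmarc.${domain}`).find((t) => /^v=DMARC1\b/i.test(t)) ?? null;
  let dmarcPolicy: EmailSecurityReport["dmarcPolicy"] = null;
  if (dmarcRecord !== null) {
    const policy = /(?:^|;)\s*p\s*=\s*(none|quarantine|reject)\b/i.exec(dmarcRecord)?.[1]?.toLowerCase();
    dmarcPolicy = policy === "none" || policy === "quarantine" || policy === "reject" ? policy : null;
  }

  // DKIM public keys live at <selector>._domainkey.<domain>. Only the fixed list is probed,
  // so an empty result means "none of these selectors", not "DKIM is absent".
  const dkimSelectors = DKIM_SELECTORS.filter((s) =>
    resolveTxt(`${s}._domainkey.${domain}`).some((t) => /(?:^|;)\s*p=/i.test(t)),
  );
  const dkimFound = dkimSelectors.length > 0;

  return {
    domain,
    spfRecord,
    spfPolicy,
    dmarcRecord,
    dmarcPolicy,
    dkimFound,
    dkimSelectors,
    hasEmailSecurity: spfRecord !== null || dmarcRecord !== null || dkimFound,
  };
}

interface AuditSummary {
  reports: EmailSecurityReport[];
  domainsWithEmailSecurity: number;
  domainsWithoutEmailSecurity: number;
}

// Batch form mirroring the 1-50 domains-per-call limit and the summary counts the page describes.
function auditEmailSecurityBatch(domains: string[], resolveTxt: TxtResolver): AuditSummary {
  if (domains.length < 1 || domains.length > 50) {
    throw new RangeError("domains must contain between 1 and 50 entries");
  }
  const reports = domains.map((d) => auditEmailSecurity(d.trim().toLowerCase(), resolveTxt));
  const domainsWithEmailSecurity = reports.filter((r) => r.hasEmailSecurity).length;
  return { reports, domainsWithEmailSecurity, domainsWithoutEmailSecurity: reports.length - domainsWithEmailSecurity };
}

// Constructed zone data standing in for live DNS answers (not real records).
const SAMPLE_TXT: Record<string, string[]> = {
  "acmecorp.com": ["google-site-verification=abc123", "v=spf1 include:_spf.google.com -all"],
  "_dmarc.acmecorp.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@acmecorp.com"],
  "google._domainkey.acmecorp.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
  "subsidiary.io": ["v=spf1 include:spf.protection.outlook.com ~all"],
  "_dmarc.subsidiary.io": ["v=DMARC1; p=none; rua=mailto:postmaster@subsidiary.io"],
};
const sampleResolver: TxtResolver = (name) => SAMPLE_TXT[name] ?? [];

const sampleAudit = auditEmailSecurityBatch(["acmecorp.com", "subsidiary.io", "newvendor.example"], sampleResolver);
console.log(JSON.stringify(sampleAudit, null, 2));
```

To run it against live DNS, pass a resolver built on dns.promises.resolveTxt (joining each record's string chunks) in place of sampleResolver.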

How to connect this MCP server

Claude Desktop

Add the following to your Claude Desktop configuration file (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "cybersecurity-intelligence": {
      "url": "https://cybersecurity-intelligence-mcp.apify.actor/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_APIFY_TOKEN"
      }
    }
  }
}

Replace YOUR_APIFY_TOKEN with your token from the Apify console.

Cursor, Windsurf, and other MCP clients

Use the same configuration block pointing to the same endpoint. Any client that supports the Streamable HTTP transport can connect to https://cybersecurity-intelligence-mcp.apify.actor/mcp with Authorization: Bearer YOUR_APIFY_TOKEN.

Programmatic (HTTP)

curl -X POST "https://cybersecurity-intelligence-mcp.apify.actor/mcp" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -d '{
    "jsonrpc": "2.0",
    "method": "tools/call",
    "params": {
      "name": "cyber_domain_intelligence",
      "arguments": { "domain": "suspicious-vendor.io", "check_exploited": true }
    },
    "id": 1
  }'
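An added example, not the project's client code, that builds the same tools/call request and reads the Streamable HTTP reply, which the transport may deliver either as a JSON body or as an SSE stream; it assumes the tool result arrives as a text content block containing the JSON documented under "Output examples", and uses constructed replies rather than captured server output.

```typescript
// Added example, not the project's client code: build the tools/call request the curl above
// sends and read the Streamable HTTP reply, which can arrive as JSON or as an SSE stream.

interface JsonRpcRequest {
  jsonrpc: "2.0";
  id: number;
  method: "tools/call";
  params: { name: string; arguments: Record<string, unknown> };
}

interface ToolCallOutcome {
  ok: boolean;
  data: unknown; // parsed JSON from the tool's text block when ok
  error?: string;
}

function buildToolCall(name: string, args: Record<string, unknown>, token: string, id = 1): { headers: Record<string, string>; body: string } {
  const request: JsonRpcRequest = { jsonrpc: "2.0", id, method: "tools/call", params: { name, arguments: args } };
  return {
    headers: {
      "Content-Type": "application/json",
      // The Streamable HTTP transport may answer with JSON or an SSE stream, and the reference
      // server transport rejects clients that do not accept both, so always send this header.
      Accept: "application/json, text/event-stream",
      Authorization: `Bearer ${token}`,
    },
    body: JSON.stringify(request),
  };
}

// Pull every JSON-RPC message out of a reply body. An SSE body carries one JSON message per
// "data:" line (possibly across several events); a JSON body carries a single message.
function extractMessages(contentType: string, body: string): Array<Record<string, any>> {
  if (contentType.toLowerCase().startsWith("text/event-stream")) {
    return body
      .split(/\r?\n/)
      .filter((line) => line.startsWith("data:"))
      .map((line) => JSON.parse(line.slice(5).trim()));
  }
  return [JSON.parse(body)];
}

// Resolve the outcome of one tools/call: JSON-RPC level errors, tool-level isError results,
// and a successful result whose text block holds the JSON the page documents.
function parseToolCallReply(contentType: string, body: string, id = 1): ToolCallOutcome {
  const reply = extractMessages(contentType, body).find((m) => m.id === id);
  if (!reply) return { ok: false, data: null, error: "no JSON-RPC response with matching id" };
  if (reply.error) return { ok: false, data: null, error: `${reply.error.code}: ${reply.error.message}` };
  const blocks: Array<{ type: string; text?: string }> = reply.result?.content ?? [];
  const text = blocks.filter((b) => b.type === "text").map((b) => b.text ?? "").join("");
  if (reply.result?.isError) return { ok: false, data: null, error: text || "tool reported an error" };
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch {
    return { ok: true, data: text }; // tool returned plain text rather than JSON
  }
}

// Constructed replies (not captured from the live server) in both framings.
const sampleResult = { domain: "suspicious-vendor.io", riskIndicators: ["INFO: DNSSEC not enabled"] };
const rpcResult = { jsonrpc: "2.0", id: 1, result: { content: [{ type: "text", text: JSON.stringify(sampleResult) }] } };
const SSE_BODY = `event: message\ndata: ${JSON.stringify(rpcResult)}\n\n`;
const JSON_BODY = JSON.stringify(rpcResult);
const ERROR_BODY = JSON.stringify({ jsonrpc: "2.0", id: 1, error: { code: -32602, message: "Invalid params" } });

const req = buildToolCall("cyber_domain_intelligence", { domain: "suspicious-vendor.io", check_exploited: true }, "YOUR_APIFY_TOKEN");
console.log(req.headers.Accept, parseToolCallReply("text/event-stream", SSE_BODY));
```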

Available MCP tools

| Tool | Source | Description |
| --- | --- | --- |
| cyber_search_vulnerabilities | NIST NVD | Search CVEs by keyword, CVE ID, CPE, severity, date range. Returns CVSS scores, attack vectors, CWEs. |
| cyber_exploited_vulnerabilities | CISA KEV | Known actively exploited CVEs with ransomware linkage and federal patch due dates. |
| cyber_search_hosts | Censys | Internet-connected host search by service, port, location, or certificate subject. |
| cyber_ssl_certificates | crt.sh | All SSL/TLS certificates for a domain from CT logs. Subdomain discovery or full cert history. |
| cyber_dns_lookup | System DNS | A, AAAA, MX, NS, TXT, CNAME, SOA records + SPF, DMARC, DKIM for up to 50 domains. |
| cyber_whois_lookup | RDAP/WHOIS | Domain registration, registrar, age, expiry, nameservers, DNSSEC for up to 50 domains. |
| cyber_domain_intelligence | All of the above | Parallel domain security assessment with auto-generated risk indicators. |
| cyber_list_sources | | List all tools and data sources available on this server. |

Tool input parameters

cyber_search_vulnerabilities

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| keyword | string | No | | Search CVE descriptions (e.g., "log4j", "remote code execution") |
| cve_id | string | No | | Direct CVE ID lookup (e.g., "CVE-2021-44228"); overrides keyword |
| cpe_name | string | No | | CPE product filter (e.g., "cpe:2.3:a:apache:log4j") |
| severity | enum | No | | CVSS v3 severity: CRITICAL, HIGH, MEDIUM, LOW |
| date_from | string | No | | Publication start date (YYYY-MM-DD) |
| date_to | string | No | | Publication end date (YYYY-MM-DD) |
| exact_match | boolean | No | false | Exact phrase match (true) vs. any-word match (false) for keyword |
| max_results | integer | No | 50 | Maximum results (1–500); large values are slow due to NVD rate limits |

cyber_exploited_vulnerabilities

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| query | string | No | | Search across CVE ID, vendor, product, name, description |
| vendor | string | No | | Vendor name (e.g., "Microsoft", "Apache", "Citrix") |
| product | string | No | | Product name (e.g., "Exchange Server", "Log4j") |
| date_added_from | string | No | | Added to KEV after this date (YYYY-MM-DD) |
| date_added_to | string | No | | Added to KEV before this date (YYYY-MM-DD) |
| ransomware_only | boolean | No | false | Return only CVEs linked to known ransomware campaigns |
| max_results | integer | No | 50 | Maximum results (1–1000) |

cyber_search_hosts

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| query | string | Yes | | Censys search expression (e.g., "services.port: 3306 AND location.country: US") |
| censys_api_id | string | No | | Censys API ID from censys.io; returns demo data if omitted |
| censys_api_secret | string | No | | Censys API secret |
| max_results | integer | No | 25 | Maximum results (1–100; Censys free tier max: 100) |

cyber_ssl_certificates

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| domain | string | Yes | | Domain to search (e.g., "acmecorp.com") |
| include_expired | boolean | No | true | Include expired certificates |
| include_subdomains | boolean | No | true | Search subdomains using a wildcard prefix |
| deduplicate | boolean | No | true | One row per unique subdomain (true) or one row per certificate (false) |
| max_results | integer | No | 100 | Maximum results (1–5000) |

cyber_dns_lookup

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| domains | array | Yes | | Array of domains (1–50), e.g., ["acmecorp.com", "subsidiary.io"] |
| record_types | array | No | ["A","AAAA","MX","NS","TXT","CNAME","SOA"] | DNS record types to query |
| check_email_security | boolean | No | true | Audit SPF, DMARC, and DKIM records |

cyber_whois_lookup

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| domains | array | Yes | | Array of domains (1–50) to look up |

cyber_domain_intelligence

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| domain | string | Yes | | Domain to investigate (e.g., "suspicious-site.xyz") |
| check_vulnerabilities | boolean | No | false | Also query NVD for CVEs mentioning this domain/product (adds time) |
| check_exploited | boolean | No | true | Check CISA KEV for exploited CVEs related to this domain's vendor |

Output examples

cyber_search_vulnerabilities output

{
  "total": 3,
  "severityBreakdown": {
    "critical": 2,
    "high": 1,
    "medium": 0,
    "low": 0
  },
  "vulnerabilities": [
    {
      "cveId": "CVE-2021-44228",
      "description": "Apache Log4j2 2.0-beta9 through 2.14.1 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints...",
      "severity": "CRITICAL",
      "cvssScore": 10.0,
      "attackVector": "NETWORK",
      "attackComplexity": "LOW",
      "privilegesRequired": "NONE",
      "userInteraction": "NONE",
      "publishedDate": "2021-12-10",
      "lastModifiedDate": "2023-09-14",
      "cwes": ["CWE-502", "CWE-400", "CWE-20"],
      "references": [
        "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
        "https://logging.apache.org/log4j/2.x/security.html"
      ]
    }
  ]
}

cyber_exploited_vulnerabilities output

{
  "total": 2,
  "ransomwareLinked": 1,
  "entries": [
    {
      "cveID": "CVE-2021-44228",
      "vendorProject": "Apache",
      "product": "Log4j",
      "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
      "dateAdded": "2021-12-10",
      "shortDescription": "Apache Log4j2 contains a remote code execution vulnerability...",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2021-12-24",
      "knownRansomwareCampaignUse": "Known",
      "notes": "Ransomware campaigns actively exploiting this vulnerability."
    }
  ]
}

cyber_domain_intelligence output

{
  "domain": "pinnacle-industries.io",
  "riskIndicators": [
    "CRITICAL: Domain is only 12 days old — very new domain, high phishing risk",
    "WARNING: No email security records found (no SPF, DMARC, or DKIM) — domain may be spoofable",
    "INFO: DNSSEC not enabled — domain is not protected against DNS spoofing",
    "ALERT: 3 known exploited vulnerabilities found for this vendor (1 ransomware-linked)"
  ],
  "dns": {
    "aRecords": ["198.51.100.14"],
    "mxRecords": ["mail.pinnacle-industries.io"],
    "spfRecord": null,
    "dmarcRecord": null,
    "dkimFound": false,
    "hasEmailSecurity": false
  },
  "whois": {
    "registrar": "NameCheap, Inc.",
    "createdDate": "2026-03-08",
    "expiryDate": "2027-03-08",
    "domainAge": 12,
    "expiresIn": 353,
    "nameservers": ["ns1.registrar-servers.com", "ns2.registrar-servers.com"],
    "dnssec": false,
    "status": ["clientTransferProhibited"]
  },
  "certificates": {
    "totalSubdomains": 3,
    "activeSubdomains": 3,
    "topSubdomains": [
      { "subdomain": "www.pinnacle-industries.io", "isActive": true, "lastSeen": "2026-03-09", "certificateCount": 1 },
      { "subdomain": "mail.pinnacle-industries.io", "isActive": true, "lastSeen": "2026-03-09", "certificateCount": 1 }
    ]
  },
  "exploitedVulnerabilities": {
    "total": 3,
    "entries": [
      {
        "cveID": "CVE-2023-44487",
        "vendorProject": "IETF",
        "product": "HTTP/2",
        "knownRansomwareCampaignUse": "Known",
        "dueDate": "2023-10-31"
      }
    ]
  }
}

cyber_ssl_certificates output (deduplicated subdomains)

{
  "domain": "betaindustries.com",
  "totalSubdomains": 47,
  "activeSubdomains": 31,
  "subdomains": [
    { "subdomain": "www.betaindustries.com", "isActive": true, "lastSeen": "2026-02-14", "certificateCount": 12 },
    { "subdomain": "api.betaindustries.com", "isActive": true, "lastSeen": "2026-01-30", "certificateCount": 4 },
    { "subdomain": "staging.betaindustries.com", "isActive": false, "lastSeen": "2024-08-01", "certificateCount": 2 }
  ]
}

⬆️ Output fields

cyber_search_vulnerabilities

| Field | Type | Description |
| --- | --- | --- |
| total | integer | Number of CVEs returned |
| severityBreakdown.critical | integer | Count of CRITICAL severity CVEs |
| severityBreakdown.high | integer | Count of HIGH severity CVEs |
| vulnerabilities[].cveId | string | CVE identifier (e.g., CVE-2021-44228) |
| vulnerabilities[].severity | string | CRITICAL, HIGH, MEDIUM, or LOW |
| vulnerabilities[].cvssScore | number | CVSS v3 base score (0.0–10.0) |
| vulnerabilities[].attackVector | string | NETWORK, ADJACENT, LOCAL, or PHYSICAL |
| vulnerabilities[].attackComplexity | string | LOW or HIGH |
| vulnerabilities[].privilegesRequired | string | NONE, LOW, or HIGH |
| vulnerabilities[].cwes | array | CWE weakness identifiers |
| vulnerabilities[].publishedDate | string | NVD publication date |
| vulnerabilities[].references | array | Reference URLs |

cyber_domain_intelligence

| Field | Type | Description |
| --- | --- | --- |
| domain | string | Normalized domain (stripped of http://, www., and path) |
| riskIndicators | array | Labeled risk strings (CRITICAL, WARNING, ALERT, INFO) |
| dns.aRecords | array | IPv4 addresses |
| dns.mxRecords | array | Mail exchanger records |
| dns.spfRecord | string or null | Full SPF TXT record value |
| dns.dmarcRecord | string or null | Full DMARC TXT record value |
| dns.dkimFound | boolean | Whether any DKIM record was found across the 10 probed selectors |
| dns.hasEmailSecurity | boolean | True if any of SPF, DMARC, or DKIM was found |
| whois.domainAge | integer | Domain age in days |
| whois.expiresIn | integer | Days until domain expiry |
| whois.dnssec | boolean | Whether DNSSEC is enabled |
| certificates.totalSubdomains | integer | Unique subdomains found in CT logs |
| certificates.activeSubdomains | integer | Subdomains with active certificates |
| exploitedVulnerabilities.total | integer | KEV entries for the guessed vendor (present when check_exploited: true) |

How much does it cost to use cybersecurity intelligence tools?

This MCP server uses pay-per-event pricing — $0.045 per tool call. Every tool invocation charges one event regardless of result size. Platform compute costs are included.

| Scenario | Tool calls | Cost per call | Total cost |
| --- | --- | --- | --- |
| Quick test (single CVE lookup) | 1 | $0.045 | $0.045 |
| Domain assessment (domain intelligence) | 1 | $0.045 | $0.045 |
| Full 7-tool investigation | 7 | $0.045 | $0.315 |
| Daily monitoring (10 domains) | 10 | $0.045 | $0.45 |
| Weekly vulnerability scan (50 CVE searches) | 50 | $0.045 | $2.25 |

You can set a maximum spending limit per run to control costs. The MCP server halts cleanly when your budget is reached rather than continuing to accrue charges.

Apify's free tier includes $5 of monthly platform credits — equivalent to approximately 111 tool calls per month at no cost. Compare this to commercial threat intelligence platforms that charge $500–2,000/month for comparable data access.

How the Cybersecurity Intelligence MCP Server works

The server runs in Apify's Standby mode — a persistent process that stays alive between requests. Each POST /mcp request instantiates a fresh McpServer paired with a StreamableHTTPServerTransport (no session ID generated), executes the tool, then both are closed on the response close event. No state bleeds between AI agent sessions.

Each MCP tool delegates to a specialized Apify actor via the runActor() helper in actor-client.ts. The helper calls client.actor(actorName).call(input, { waitSecs, memory: 256 }) with a 120-second timeout (180 seconds for NVD and CT log queries due to rate limiting), then retrieves items from defaultDatasetId. Failures return empty arrays rather than throwing, so an unavailable upstream source degrades gracefully without failing the whole tool call.

The cyber_domain_intelligence tool uses Promise.all() to run 3–5 actors in parallel. After all results return, a deterministic rule engine evaluates them in sequence: domain age thresholds (< 30 days = CRITICAL, 30–180 days = WARNING), expiry imminence, email security gaps, DNSSEC status, CT log coverage, and KEV match count with ransomware sub-count. Risk indicators are appended with severity prefixes (CRITICAL, WARNING, ALERT, INFO). When check_exploited: true, the tool extracts the first domain label as a vendor name (e.g., "citrix" from "citrix.com") and queries CISA KEV accordingly — silently returning zero results for generic names without affecting other outputs.
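An added example, not the project's rule engine, that implements the deterministic rules described above (age thresholds, email security gaps, DNSSEC, CT coverage, KEV count with ransomware sub-count) together with the domain normalization and first-label vendor guess. The 30-day expiry threshold, the severity ordering in highestSeverity, the null handling for a failed source, and the indicator wording are assumptions; the sample profile reuses the page's illustrative pinnacle-industries.io values.

```typescript
// Added example, not the project's rule engine: the deterministic risk rules the page
// describes, run over a profile shaped like the cyber_domain_intelligence output.

interface DomainProfile {
  domain: string;
  // A null section models an upstream source that failed and returned nothing.
  dns: { spfRecord: string | null; dmarcRecord: string | null; dkimFound: boolean; hasEmailSecurity: boolean } | null;
  whois: { domainAge: number | null; expiresIn: number | null; dnssec: boolean } | null;
  certificates: { totalSubdomains: number; activeSubdomains: number } | null;
  exploitedVulnerabilities: { total: number; ransomwareLinked: number } | null;
}

// Strip scheme, "www." prefix, port and path: "https://www.Example.com/login" -> "example.com".
function normalizeDomain(input: string): string {
  return (
    input
      .trim()
      .toLowerCase()
      .replace(/^[a-z][a-z0-9+.-]*:\/\//, "")
      .replace(/^www\./, "")
      .split(/[:/?#]/)[0] ?? ""
  );
}

// The first DNS label becomes the KEV vendor guess ("citrix.com" -> "citrix"). This is also
// why "cloud.mycompany.com" yields KEV matches for the vendor "cloud".
function guessVendor(domain: string): string {
  return normalizeDomain(domain).split(".")[0] ?? "";
}

// Assumed threshold: the page mentions "expiry imminence" without giving a number of days.
const EXPIRY_IMMINENT_DAYS = 30;

function buildRiskIndicators(p: DomainProfile): string[] {
  const out: string[] = [];

  // Domain age: under 30 days CRITICAL, 30-180 days WARNING; no age (WHOIS failed) means no age rule.
  const age = p.whois?.domainAge ?? null;
  if (age !== null && age < 30) {
    out.push(`CRITICAL: Domain is only ${age} days old, very new domain, high phishing risk`);
  } else if (age !== null && age <= 180) {
    out.push(`WARNING: Domain is ${age} days old, recently registered`);
  }

  const expiresIn = p.whois?.expiresIn ?? null;
  if (expiresIn !== null && expiresIn <= EXPIRY_IMMINENT_DAYS) {
    out.push(`WARNING: Domain expires in ${expiresIn} days`);
  }

  // Email security gaps: nothing at all is a WARNING; partial coverage is one INFO per missing control.
  if (p.dns !== null) {
    if (!p.dns.hasEmailSecurity) {
      out.push("WARNING: No email security records found (no SPF, DMARC, or DKIM), domain may be spoofable");
    } else {
      if (p.dns.spfRecord === null) out.push("INFO: No SPF record found");
      if (p.dns.dmarcRecord === null) out.push("INFO: No DMARC record found");
      if (!p.dns.dkimFound) out.push("INFO: No DKIM record found across the probed selectors");
    }
  }

  if (p.whois !== null && !p.whois.dnssec) {
    out.push("INFO: DNSSEC not enabled, domain is not protected against DNS spoofing");
  }

  // CT log coverage.
  if (p.certificates !== null && p.certificates.totalSubdomains === 0) {
    out.push("INFO: No certificates found in CT logs for this domain");
  }

  // KEV matches with ransomware sub-count. Zero matches (e.g., a generic vendor guess) adds nothing.
  const kev = p.exploitedVulnerabilities;
  if (kev !== null && kev.total > 0) {
    out.push(`ALERT: ${kev.total} known exploited vulnerabilities found for this vendor (${kev.ransomwareLinked} ransomware-linked)`);
  }
  return out;
}

// Highest severity present, using an assumed ordering CRITICAL > ALERT > WARNING > INFO.
function highestSeverity(indicators: string[]): "CRITICAL" | "ALERT" | "WARNING" | "INFO" | "NONE" {
  for (const level of ["CRITICAL", "ALERT", "WARNING", "INFO"] as const) {
    if (indicators.some((i) => i.startsWith(`${level}:`))) return level;
  }
  return "NONE";
}

// Constructed profile mirroring the page's sample output (illustrative values, not real data).
const sampleProfile: DomainProfile = {
  domain: normalizeDomain("https://www.pinnacle-industries.io/"),
  dns: { spfRecord: null, dmarcRecord: null, dkimFound: false, hasEmailSecurity: false },
  whois: { domainAge: 12, expiresIn: 353, dnssec: false },
  certificates: { totalSubdomains: 3, activeSubdomains: 3 },
  exploitedVulnerabilities: { total: 3, ransomwareLinked: 1 },
};

console.log(guessVendor(sampleProfile.domain), buildRiskIndicators(sampleProfile));
```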

Tips for best results

  1. Use cyber_domain_intelligence as your first tool. It runs DNS, WHOIS, SSL, and KEV checks in parallel in a single $0.045 call. Reserve the individual tools for follow-up deep dives (e.g., full certificate history, expanded CVE search).

  2. Enable ransomware_only: true for prioritization. When querying CISA KEV, filtering to ransomware-linked CVEs narrows thousands of entries to the subset your incident response team should treat as P1 patching obligations.

  3. Use exact_match: false for discovery, true for confirmation. NVD keyword search with exact_match: false finds CVEs mentioning any word in your query — useful for broad discovery. Switch to true when you need CVEs about a specific product name to avoid false positives.

  4. Pass arrays to DNS and WHOIS tools. Both cyber_dns_lookup and cyber_whois_lookup accept up to 50 domains per call. Auditing 50 company-owned domains costs $0.045 total — the same as a single-domain call.

  5. Use Censys queries with service filters for targeted results. Broad queries like "location.country: US" will hit the 100-result free tier limit fast. Narrow with service filters: services.service_name: SSH AND location.country: DE AND services.port: 22 finds specific exposed infrastructure.

  6. Set deduplicate: false for certificate forensics. When investigating a specific incident or domain takeover, switching from the default deduplicated subdomain view to full certificate history reveals every certificate issuance event, issuing authority, and validity window — useful for timeline reconstruction.

  7. Set check_vulnerabilities: true sparingly. Adding NVD search to cyber_domain_intelligence adds an extra parallel actor call and up to 180 seconds of wait time due to NVD rate limits. Use it when you specifically need CVEs mentioning the domain name, not just vendor-linked KEV entries.

Combine with other Apify actors

| Actor | How to combine |
| --- | --- |
| WHOIS Domain Lookup | Use directly for bulk domain age checks across large domain lists (50 per call); feeds into domain age risk scoring |
| DNS Record Lookup | Run standalone for SPF/DMARC/DKIM audits across all company domains; export results to Google Sheets for compliance reporting |
| Censys Search | Query internet exposure for specific IP ranges or ASNs before a vendor security review |
| Website Tech Stack Detector | Detect the software stack running on a target domain, then feed detected technologies as CPE names into cyber_search_vulnerabilities |
| Website Contact Scraper | Collect security contact email addresses from target domains, then use WHOIS age and DNS data from this MCP to flag high-risk domains before outreach |
| Company Deep Research | Generate a company intelligence profile, then feed the company's domain into cyber_domain_intelligence for the security layer |
| crt.sh Certificate Search | Run full-volume certificate history searches (up to 5,000 records) directly for large enterprise subdomain mapping |

Limitations

  • Entirely passive data collection — no active scanning, no port probing, no packet injection. This server cannot replace tools like Nmap, Nessus, or Burp Suite for active penetration testing.
  • NVD rate limits — the NIST NVD API permits approximately 5 requests per 30 seconds without an API key. Wide date ranges or large max_results values (200+) will take several minutes due to enforced delays.
  • Censys free tier quota — the free Censys plan allows 250 queries per month. Without credentials, the cyber_search_hosts tool returns demo data labeled with a _dryRun flag rather than real scan results.
  • WHOIS registrant privacy — GDPR and ICANN privacy services mean registrant name, address, and contact email are almost universally redacted for modern domain registrations. Domain age and registrar data remain available.
  • DKIM selector coverage — the DNS tool checks 10 common DKIM selectors (google, default, selector1, selector2, mail, dkim, k1, k2, s1, s2). Organizations using custom or service-specific selectors outside that list will not have them detected. A dkimFound: false result therefore does not guarantee DKIM is absent.
  • Vendor heuristic accuracy — the domain intelligence tool guesses the vendor name from the first domain label. Generic domains (e.g., "cloud.company.com") will produce irrelevant KEV results for the "cloud" vendor. Use cyber_exploited_vulnerabilities directly with an explicit vendor parameter for precise matching.
  • CT log coverage — crt.sh indexes major Certificate Transparency logs but not all logs. Subdomains secured with certificates from logs not indexed by crt.sh will not appear.
  • No historical DNS data — DNS lookups return current live records only. For historical DNS change tracking, combine with Website Change Monitor.

Integrations

  • Zapier — trigger a domain intelligence check when a new vendor is added to your procurement system and post risk indicators to Slack
  • Make — build automated CVE triage workflows that query CISA KEV daily and create Jira tickets for newly added exploited vulnerabilities
  • Google Sheets — export DNS and email security audit results for a portfolio of domains into a compliance tracking spreadsheet
  • Apify API — call tool endpoints programmatically from Python or JavaScript CI/CD pipelines for pre-deployment security checks
  • Webhooks — receive alerts when scheduled vulnerability scans return new CRITICAL or ALERT risk indicators
  • LangChain / LlamaIndex — embed this MCP server as the cybersecurity intelligence tool layer in LLM-powered SOC automation or threat hunting agents

❓ FAQ

How many CVEs can I search in one call? Up to 500 results per call via the max_results parameter. For broad date-range scans, NVD rate limiting means large result sets may take 2–5 minutes. For most patch prioritization workflows, 50–100 results with a severity filter is sufficient.

Does cybersecurity intelligence MCP perform active scanning or send packets to target infrastructure? No. All data is collected passively from public sources: NVD CVE database, CISA KEV catalog, Censys scan data (pre-collected by Censys, not triggered by your query), crt.sh Certificate Transparency logs, standard DNS resolution, and WHOIS/RDAP endpoints. No probes are sent to target systems.

Is it legal to use this tool for domain reconnaissance? Yes — all data sources used are publicly available. NVD, CISA KEV, and crt.sh are government or public-benefit databases. DNS resolution and WHOIS lookups are standard internet infrastructure queries. Censys operates an independent internet scan and provides a search API over that data. For guidance on web scraping and data collection legality, see Apify's guide.

How fresh is the CVE data? NVD data is fetched live at query time, so results reflect the latest published CVEs with no caching lag. CISA KEV is similarly fetched live. Censys scan data reflects their most recent internet-wide scan, which runs continuously.

Can I check whether a specific CVE is actively being exploited? Yes. Call cyber_exploited_vulnerabilities with the CVE ID as the query parameter (e.g., query: "CVE-2024-XXXXX"). If the CVE is in the CISA KEV catalog, it is returned with the dueDate federal patch deadline and the knownRansomwareCampaignUse flag.

How is this different from Shodan or other commercial threat intelligence platforms? Shodan, GreyNoise, and Recorded Future are subscription services charging $49–2,000/month. This MCP server provides comparable passive reconnaissance capabilities — CVE data, internet host exposure (via Censys), certificate enumeration, DNS, and WHOIS — at $0.045 per tool call with no subscription commitment. Apify's free tier covers the first 111 calls per month at no cost.

Can I use this MCP server with any AI client, not just Claude? Yes. The server implements the Streamable HTTP transport from the Model Context Protocol specification. It is compatible with any MCP client: Claude Desktop, Cursor, Windsurf, Continue.dev, and any framework using the @modelcontextprotocol/sdk. Connect to https://cybersecurity-intelligence-mcp.apify.actor/mcp with your Apify token as a Bearer header.

What happens if a data source is temporarily unavailable? Individual actor failures return empty arrays rather than throwing exceptions. The cyber_domain_intelligence tool runs its sources in parallel with Promise.all() — if one source (e.g., Censys) fails, the other components (DNS, WHOIS, CT logs) still return and the risk indicators are generated from available data. The response will be partial rather than absent.

Can I scan multiple domains at once? cyber_dns_lookup and cyber_whois_lookup accept arrays of up to 50 domains per call. cyber_domain_intelligence is designed for one domain per call because it runs 3–5 actors in parallel per domain — for bulk domain assessment, call it in a loop or use the individual DNS and WHOIS tools for batch processing.

How accurate is the risk indicator engine? The risk indicator rules are deterministic and conservative: domain age thresholds, email security presence/absence, DNSSEC status, KEV match count. They are designed to produce actionable signals, not probabilistic risk scores. False positives (e.g., a legitimate new domain flagged as high phishing risk) are expected — treat CRITICAL and WARNING flags as starting points for investigation, not definitive verdicts.

Can I schedule this MCP server to run regular security assessments? The MCP server runs in Apify Standby mode for interactive use. For scheduled assessments, use the underlying Apify actors directly (NVD CVE Search, CISA KEV Search, DNS Record Lookup) on a cron schedule via the Apify platform, or call the MCP endpoint programmatically from a scheduled job.

Help us improve

If you encounter issues, you can help us debug faster by enabling run sharing in your Apify account:

  1. Go to Account Settings > Privacy
  2. Enable Share runs with public Actor creators

This lets us see your run details when something goes wrong so we can fix issues faster. Your data is only visible to the actor developer, not publicly.

Troubleshooting

  • cyber_search_vulnerabilities returns no results despite a valid keyword — NVD keyword search is case-sensitive for CPE names but not for general keywords. If querying a product name, try variations: "log4j", "log4j2", "log4shell". Also try exact_match: false to broaden the search to any-word matching.

  • cyber_search_hosts returns demo data flagged as _dryRun — Censys credentials are not provided. Obtain a free API ID and secret at censys.io and pass them as censys_api_id and censys_api_secret in the tool call. The free tier provides 250 queries per month.

  • cyber_domain_intelligence risk indicators mention vendor KEV matches for an unrelated vendor — the vendor is guessed from the first domain label. For a domain like "cloud.mycompany.com", the tool queries CISA KEV for vendor "cloud", which returns infrastructure-layer results. Call cyber_exploited_vulnerabilities directly with the explicit vendor parameter for accurate results.

  • DNS lookup returns empty records for some record types — not all domains have every record type configured. AAAA records require IPv6 addresses; CNAME records only exist for non-apex subdomains; SOA records may be blocked by some authoritative servers. Empty arrays for a record type indicate the record does not exist, not a lookup failure.

  • Run times exceeding 3 minutes for vulnerability searches — NVD enforces rate limits of approximately 5 requests per 30 seconds. A max_results of 500 over a wide date range may require 10+ sequential NVD API pages, each subject to rate limiting. Reduce max_results or narrow the date range to stay within a 2-minute window.

Support

Found a bug or have a feature request? Open an issue on this actor's page. For custom solutions or enterprise integrations, reach out through the Apify platform.
