8 Best MCP Servers for Cybersecurity Professionals

As people explore more ways to use AI, it’s natural that they want to extend its reach by connecting it with other tools. This is done through Model Context Protocol (MCP) servers — special tools that allow AI applications like Claude or Gemini to interact with external APIs using a unified standard protocol.

With an MCP server in place, your LLM can access data and services it normally couldn’t reach on its own. By bridging the gap between AI and external apps, MCP servers make it possible to handle complex, data-driven tasks with ease. This is why a growing number of web applications and SaaS platforms from very different industries — from marketing to legal and compliance — are rolling out their own MCP servers.
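To make the "unified standard protocol" concrete, here is an added example (written for this page, not code from any of the servers listed below) of the JSON-RPC exchange an LLM client and an MCP server have: the client sends `initialize`, asks for `tools/list`, and then invokes a tool with `tools/call`. The server side is a toy in-process dispatcher exposing one read-only `dns_lookup` tool over constructed records; the tool, its records and the server name are assumptions for the demo, and the protocol version string is the one from the 2024-11-05 MCP specification. The argument validation step shows why a server should check the `inputSchema` itself: the arguments originate from a language model, not from a trusted caller.

```python
"""Toy MCP-style server: JSON-RPC dispatch for initialize / tools/list /
tools/call. Added example, not the code of any server on this page."""
import json

PROTOCOL_VERSION = "2024-11-05"  # assumption: version the client negotiates

# Constructed sample data standing in for a real DNS backend (TEST-NET addresses).
SAMPLE_DNS_RECORDS = {
    "example.com": {"A": ["203.0.113.10"], "NS": ["ns1.example.net", "ns2.example.net"]},
    "example.org": {"A": ["203.0.113.20"]},
}

# Tool definitions are what the LLM sees after tools/list; inputSchema is JSON Schema.
TOOLS = [{
    "name": "dns_lookup",
    "description": "Return DNS records of one type for a domain (demo data).",
    "inputSchema": {
        "type": "object",
        "properties": {
            "domain": {"type": "string"},
            "record_type": {"type": "string", "enum": ["A", "NS"]},
        },
        "required": ["domain", "record_type"],
    },
}]


def validate_args(schema, args):
    """Return an error string if args violate the tool's schema, else None."""
    for key in schema.get("required", []):
        if key not in args:
            return f"missing required argument: {key}"
    for key, value in args.items():
        prop = schema["properties"].get(key)
        if prop is None:
            return f"unknown argument: {key}"
        if prop["type"] == "string" and not isinstance(value, str):
            return f"argument {key} must be a string"
        if "enum" in prop and value not in prop["enum"]:
            return f"argument {key} must be one of {prop['enum']}"
    return None


def run_dns_lookup(args):
    """Tool body: look the domain up in the constructed record table."""
    records = SAMPLE_DNS_RECORDS.get(args["domain"].lower(), {})
    return {"domain": args["domain"], "type": args["record_type"],
            "records": records.get(args["record_type"], [])}


TOOL_HANDLERS = {"dns_lookup": run_dns_lookup}


def _result(req_id, result):
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_request(request):
    """Dispatch one JSON-RPC request the way an MCP server's stdio loop would."""
    req_id, method = request.get("id"), request.get("method")
    params = request.get("params", {})
    if method == "initialize":
        return _result(req_id, {"protocolVersion": PROTOCOL_VERSION,
                                "capabilities": {"tools": {}},
                                "serverInfo": {"name": "demo-dns-mcp", "version": "0.1"}})
    if method == "tools/list":
        return _result(req_id, {"tools": TOOLS})
    if method == "tools/call":
        name, args = params.get("name"), params.get("arguments", {})
        tool = next((t for t in TOOLS if t["name"] == name), None)
        if tool is None:
            return _error(req_id, -32602, f"unknown tool: {name}")
        problem = validate_args(tool["inputSchema"], args)
        if problem:  # tool-level failures are reported in the result with isError
            return _result(req_id, {"content": [{"type": "text", "text": problem}],
                                    "isError": True})
        output = TOOL_HANDLERS[name](args)
        return _result(req_id, {"content": [{"type": "text", "text": json.dumps(output)}],
                                "isError": False})
    return _error(req_id, -32601, f"method not found: {method}")


def demo_session():
    """Replay the client's message sequence and return the server responses."""
    requests = [
        {"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {}},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "dns_lookup",
                    "arguments": {"domain": "example.com", "record_type": "NS"}}},
    ]
    return [handle_request(r) for r in requests]


if __name__ == "__main__":
    for response in demo_session():
        print(json.dumps(response, indent=2))
```

The responses carry the same three shapes a real client such as Claude Desktop expects: an `initialize` result with the server's capabilities, a tool catalogue, and a `tools/call` result whose `content` is what the model reads back. Unknown tools and malformed arguments are rejected before any backend is touched, which is the control you want when the caller is an LLM fed by untrusted prompts.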

In this post, we’re looking at eight of the best MCP servers for different cybersecurity needs.

Best Cybersecurity MCP Servers

1. WhoisXML API MCP Server

The WhoisXML API MCP Server allows LLMs to query 17 different internet intelligence APIs, including WHOIS, DNS, IP, threat intelligence, and other APIs that WhoisXML API offers. Client configurations are available for Claude Desktop, Claude Code, Cursor, and Gemini CLI, but in practice, you can use it with local language models as well. 

The server integrates a suite of cybersecurity APIs, namely:

In one prompt, you can call the same API multiple times or combine calls to different APIs, enabling you to perform complex tasks with a few clicks. 

The server itself is free, and users only pay for the API credits they use. To start using the WhoisXML API MCP Server, you need an API key from WhoisXML API — the same one used for running API queries outside the MCP server. 

The WhoisXML API MCP Server is useful when conducting cybersecurity investigations, enriching security workflows, and other tasks that require real-time WHOIS, DNS, SSL certificate, and threat intelligence data. The server can also be used to prepare external attack surface audits by allowing an LLM to enumerate subdomains, run reverse DNS lookups, and gather WHOIS ownership details. 

It's also ideal for investigating malicious infrastructure and threat hunting since it gives LLMs access to reverse WHOIS and historical DNS records. Here’s an example of the server’s response when our research team investigated the GreedyBear attack.

Screenshot of Claude with WhoisXML API MCP

2. ZAP MCP Server

The unofficial ZAP MCP Server provides an integration between AI models and the popular open-source web application security scanner, OWASP ZAP. This server is designed for automated security testing and vulnerability scanning of web applications – all from the interface of an LLM chatbot. An AI can be prompted to initiate a scan, provide alerts, and summarize security vulnerabilities that ZAP found. Below are the ZAP tools you can access through the server:

  • start_scan: Initiate a ZAP scan on a target URL
  • get_scan_status: Check an ongoing scan's status
  • get_alerts: Obtain alerts from the current scan
  • get_scan_summary: Get a scan summary

To use the ZAP MCP Server, you need to have OWASP ZAP running locally or remotely, Python 3.8+, and the Claude Desktop App or other MCP-compatible LLM clients.

3. Security Operations Multi-Tool Platform (secops-mcp)

The secops-mcp is an all-in-one security testing toolbox that brings together popular open-source tools through a single MCP interface. These tools include those that fall under web application security, network security, reconnaissance, and cryptography, specifically the following:

The secops-mcp enables users to perform pentesting, bug bounty hunting, vulnerability scanning, and attack surface mapping, among many other security-related tasks. Arjun and Gospider are the most recent additions, adding web crawling and HTTP testing to the MCP server’s capabilities. For the individual tools to work, you need to install them on your computer; each tool has its own prerequisites.

4. Shodan MCP Server

The Shodan MCP Server is an MCP server for querying Shodan, an internet-wide search engine that finds and indexes devices and services connected to the internet (e.g., routers, servers, webcams, industrial control systems). Specifically, the Shodan MCP Server integrates with:

  • Shodan API: A developer interface that allows users to programmatically access all the data collected by the Shodan search engine
  • Shodan Common Vulnerabilities and Exposures Database (CVEDB): A database that provides access to information about known vulnerabilities in various services and products

All you need to set up the server is a Node.js (version 18 or newer) runtime environment and a valid Shodan API key, giving you access to the following tools from within Claude Desktop or other LLMs:

  • IP Lookup Tool
  • Shodan Search Tool
  • CVE Lookup Tool
  • DNS Lookup Tool
  • Reverse DNS Lookup Tool
  • Common Platform Enumeration (CPE) Lookup Tool
  • CVEs by Product Tool

The server is used for network reconnaissance as it enables AI tools to obtain information about IP addresses, including open ports, services, and vulnerabilities. It also allows users to perform DNS analysis and advanced device discovery, as well as access vulnerability intelligence.

5. CVE-Search MCP Server

The CVE-Search MCP Server connects LLMs to the CVE-Search API, a public API that provides access to a local database of known cybersecurity vulnerabilities. With the server, users can browse vulnerabilities by vendor and product and stay up to date with the latest CVEs. 

To set up the CVE-Search MCP Server, you need Python 3.10 or later, the Python package installer uv, and an AI coding agent like Cline or Roo Code, or any other MCP-compatible LLM client like Claude. The tools available within the server allow users to obtain a JSON file containing:

  • A list of all software and hardware vendors in the database
  • A list of products by vendor
  • A list of vulnerabilities per vendor
  • Details of a specific CVE ID
  • The 30 most recent CVEs, including information about related attack patterns (CAPEC), software weaknesses (CWE), and affected products (CPE)

CVE-Search MCP in action with Claude

6. Wazuh MCP Server

The Wazuh MCP Server enables security teams to use natural language for threat detection, automated incident response, compliance checks, and other SOC tasks by connecting to the Wazuh SIEM. The server gives users access to 29 tools that include:

  • 4 alert management tools
  • 6 agent management tools
  • 3 vulnerability management tools
  • 6 security analysis tools
  • 10 system monitoring tools

To start using the server, you need Python 3.9+ on Windows 10+, macOS 10.15+, or Linux, along with Claude Desktop, a working Wazuh server, and a Wazuh user account with API access.

7. NetForensicMCP

NetForensicMCP is designed to give LLMs the ability to perform advanced offline network traffic analysis, converting packet capture files (PCAPs) into actionable threat intelligence. It also enables security professionals to hunt threats, respond to incidents, audit compliance, investigate attacks, and extract indicators of compromise (IoCs) using the following tools that are accessible within the server:

  • Core analysis engine, which includes smart stream analysis, URLhaus blacklist, credential extraction, and high-frequency IP analysis
  • Traffic statistics
  • Conversation analysis
  • Payload extraction
  • Data segmentation
  • Threat and credential scanning
  • Live traffic capture

Here’s a sample of a threat analysis report:

Screenshot of NetForensicMCP

This MCP server requires a Windows, macOS, or Linux operating system, Wireshark with tshark in the system's PATH, Node.js version 16 or newer, and npm for managing dependencies.

8. Metasploit MCP Server

The Metasploit MCP server integrates the Metasploit penetration testing platform with LLMs, allowing users to use AI tools to perform reconnaissance and network scans. The server can also be used to execute exploits and generate payloads. These are the specific functions available within the server:

  • List available exploit modules and payloads
  • Configure and run exploits
  • Execute auxiliary and post-exploitation modules
  • Generate payload files
  • View and control active Metasploit sessions
  • Manage listeners and background jobs

To start using the server, you must have the Metasploit Framework installed and the msfrpcd service running, along with Python 3.10+ and the required Python packages.

More Places to Discover Useful MCP Servers

With more MCP servers popping up, many dedicated marketplaces are also being created. These platforms make it easier for security professionals to discover new tools and integrations for their AI agents. Some of the most popular MCP marketplaces include: 

Conclusion

Existing LLMs can be made more useful to security teams when they have access to a wide range of external data and tools — and that's what MCP servers are for. 

MCP servers also help democratize access to complex tools. Instead of needing to know how to code, cybersecurity practitioners or small startups can simply use natural language to tell an LLM what to do to map infrastructures or use penetration testing tools. That does not replace domain knowledge and understanding what it is that you’re doing, but it lowers the entry barrier and allows smaller teams to operate more efficiently.
