Home > MCP Servers > contrastapi

contrastapi

Security intelligence API and MCP server for AI agents. 25 tools, 35+ endpoints: CVE/EPSS/KEV, domain recon, SSL, IP reputation, threat intel, email security, code scanning. Free, no signup.

ai-agents api cve cybersecurity domain-reconnaissance fastapi mcp mcp-server python

Why this rank:Strong adoptionRecent releaseHealthy release cadence

Description

Security intelligence API and MCP server for AI agents. 25 tools, 35+ endpoints: CVE/EPSS/KEV, domain recon, SSL, IP reputation, threat intel, email security, code scanning. Free, no signup.

README

ContrastAPI — 31 Security Tools for AI Agents

Security intelligence API and MCP server for AI agents. Domain audit, CVE lookup with EPSS+KEV, IP threat reports, IOC enrichment, tech fingerprinting, and 25 more. Free, no API key, 100 credits/hour.

English | 中文 · Live: api.contrastcyber.com

30-Second Setup

Pick your integration:

Option 1: MCP (Claude Desktop / Cursor / VS Code / Windsurf / OpenClaw)

Add to your MCP config:

{
  "mcpServers": {
    "contrastapi": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://api.contrastcyber.com/mcp/"]
    }
  }
}

Restart your agent. Done. Full setup guide: api.contrastcyber.com/mcp-setup

Option 2: Node.js SDK

npm install contrastapi

const api = require("contrastapi")();

const audit = await api.domain.audit("example.com");        // full audit
const cve   = await api.cve.lookup("CVE-2024-3094");        // EPSS + KEV
const ip    = await api.ip.threatReport("8.8.8.8");         // Shodan + AbuseIPDB + ASN
const bulk  = await api.cve.bulk(["CVE-2021-44228", "CVE-2024-3094"]);

Zero dependencies, Node 14+. Full SDK docs: sdk/node/

Option 3: cURL

curl https://api.contrastcyber.com/v1/cve/CVE-2024-3094
curl https://api.contrastcyber.com/v1/audit/example.com
curl https://api.contrastcyber.com/v1/threat-report/8.8.8.8

More examples: API Quick Start (cURL, Node.js, Python, CI/CD)

Option 4: VS Code Extension

Install ContrastAPI — Security Intelligence from the Marketplace. 29 commands, sidebar tree, right-click context menu. No API key required.

Try It Now

After setup, ask your AI agent:

"Is CVE-2024-3094 being exploited in the wild? Check EPSS + KEV."
"Show me CVEs indexed before NVD — what's leading right now?"
"Audit example.com, then look up CVEs for every technology detected"

More example prompts: docs/PROMPTS.md · /playground (interactive tester)

What's Inside

31 MCP tools across 6 categories — full list: docs/ENDPOINTS.md
340K+ CVEs from NVD + MITRE cvelistV5 + GitHub Security Advisories, enriched with EPSS + CISA KEV. cve_lookup exposes sources, first_seen_source, first_seen_at — agents detect CVEs indexed before NVD publishes. cve_search supports kev, epss_min, sort, and offset pagination — agents can filter to actively exploited CVEs, sort by exploit probability, and page through large result sets.
Weighted credits — 1 for simple calls, 4 for heavy orchestration (audit, threat report), N for bulk lookups
LLM-optimized summaries — every response includes a summary field so agents reason without parsing nested JSON
Distribution — npm SDK · VS Code Extension · Smithery MCP (99/100 quality) · REST API

Docs & Links

API Quick Start: api.contrastcyber.com/quickstart
MCP Setup: api.contrastcyber.com/mcp-setup
Full endpoint list: docs/ENDPOINTS.md
OpenAPI spec: api.contrastcyber.com/openapi.json
LLM discovery: api.contrastcyber.com/llms.txt
Interactive playground: api.contrastcyber.com/playground

Self-Hosting

git clone https://github.com/UPinar/contrastapi.git
cd contrastapi
python3 -m venv venv
venv/bin/pip install -r requirements.txt
cd app
../venv/bin/uvicorn main:app --host 127.0.0.1 --port 8002

Requires Python 3.12. SQLite databases auto-initialize on first run. See docs/ENDPOINTS.md for the full endpoint reference.

Tests

cd app && PYTHONPATH=. python -m pytest tests/ -v

1104 tests, 36/36 smoke-test coverage on every 15-minute cron. Covers auth, rate limiting, validation, database ops, domain intelligence, CVE intelligence, threat intelligence, code security (ReDoS protection, concurrency limits), tech fingerprinting, IP reputation, email security, phone validation, web archive, MCP endpoint, bulk endpoints, weighted credit system, and API routes.

Stack & Architecture

Runtime: Python 3.12, FastAPI, uvicorn (2 workers)
MCP: Official mcp-python-sdk with Streamable HTTP transport, mounted as sub-app at /mcp
Domain audit: 8+ parallel checks (SSL, DNS, WHOIS, SPF/DMARC/DKIM, CT logs, tech fingerprint, security headers) via ThreadPoolExecutor, with 1-hour SQLite caching for warm-path responses
Database: SQLite with WAL mode (3 databases: API rate-limit, CVE cache, domain cache)
DNS: dnspython with _SSRFSafeBackend (custom httpcore backend that validates all resolved IPs before connecting — catches DNS rebinding)
HTTP: httpx
Rate limiting: SQLite sliding window, shared across workers via WAL mode
Weighted credits: Atomic BEGIN IMMEDIATE consumption — either the whole N-credit batch fits or the request is rejected

Also Available On

Smithery: smithery.ai/servers/contrastcyber/contrastapi (99/100 quality score)
npm: npmjs.com/package/contrastapi
VS Code Marketplace: ContrastAPI — Security Intelligence
Awesome OSINT MCP Servers: soxoj/awesome-osint-mcp-servers
RapidAPI: rapidapi.com/UPinar/api/contrastapi

Multi-Agent Usage

ContrastAPI responses include a verdict metadata block on key endpoints (cve_lookup, domain_report, ip_lookup, threat_intel, ioc_lookup):

{
  "verdict": {
    "deterministic": true,
    "falsifiable_fields": ["cve_id", "severity", "cvss_v3", "published", "references"],
    "data_age_seconds": 1834,
    "sources_queried": ["mitre_cache", "nvd_cache"],
    "sources_unavailable": [],
    "completeness": "complete"
  },
  "sources": ["mitre", "nvd"],
  "first_seen_source": "mitre",
  "first_seen_at": "2024-06-01T03:22:00Z"
}

This lets an orchestrator run Agent A (calling ContrastAPI) and Agent B (independently verifying a subset of falsifiable_fields against the upstream authority — NVD, RDAP, CT logs, URLhaus). deterministic: true means the same query will return the same answer; data_age_seconds is the distance from the latest upstream sync (or 0 for live fetches).

sources_queried lists upstream providers consulted for this response; sources_unavailable lists any that failed (timeout, parse error, rate-limit, upstream 5xx). completeness is "partial" whenever sources_unavailable is non-empty — agents should treat partial responses as best-effort and re-query later.

sources lists which upstream feeds have indexed this CVE (ordered by first observation). first_seen_source and first_seen_at reveal which feed saw it earliest — during 0-day bursts, MITRE and GHSA typically lead NVD by hours to weeks. completeness: "minimal" means only MITRE/GHSA have the CVE so far (no severity/CVSS from NVD yet).

Probe GET /v1/capabilities — responses with "verdict_metadata": true support this pattern across the endpoints listed above.

License

MIT

Release History

Version	Changes	Urgency	Date
v1.33.22	## Fix: lean MCP `outputSchema` now accepts `null` for optional fields (#42) Optional response fields (`T \| None`) were advertised in the lean `tools/list` `outputSchema` by their non-null type only — e.g. `verdict` as `{"type": "object"}`. A tool returning `null` for such a field (where it isn't computed pre-enrichment) then failed strict MCP client validation: `-32602 ... must be object`. Fix: the null arm is preserved as a flat 2-element type array — `verdict: {"type": ["object", "n	High	6/1/2026
v1.33.18	### Fixes #38 — MCP `outputSchema` field-type accuracy The lean `outputSchema` advertised in `tools/list` previously declared nearly every field as `{"type":"object"}`, regardless of the field's real value type, because optional fields (`T \| None`) are encoded as `anyOf` in the source schema and the flattener only inspected a top-level `type` key. Strict MCP clients (e.g. opencode/dcp) rejected valid tool responses whose values were strings, arrays, numbers, or booleans. Fix: resolve the r	High	5/25/2026
v1.33.14	## Lean (flat) outputSchema reintroduced on `tools/list` v1.33.13 stripped `outputSchema` entirely to fix a Smithery catalog-gateway availability issue (309KB→81KB) — but that dropped Smithery's "Output schemas" quality criterion to 0/53 (−10.37pt). This release reintroduces a lean, flat `outputSchema` per tool: the success model's top-level field names + primitive types only (no `$defs`/`$ref`/`anyOf`/prose, ~0.5KB/tool). Each tool re-advertises its output shape and the whole `too	High	5/22/2026
v1.33.4	Hotfix on top of v1.33.3. ### Added - API keys are now accepted via the `X-API-Key: cc_<key>` request header, in addition to the existing `Authorization: Bearer cc_<key>`. This unblocks Pro authentication for clients that send the key as `X-API-Key` (e.g. the Smithery MCP marketplace connection config and the official Python SDK), which previously fell back to the keyless Free tier. - `Authorization: Bearer` takes precedence when both headers are present; whitespace-tolerant (parity with Bearer	High	5/16/2026
v1.30.2	## Agent Chain — 6 batches, 23 MCP tools Every tool in this batch returns `next_calls: list[PivotHint] \| None` — contextual drilldown hints for agent runners. Each `PivotHint` carries `tool` + `input` + `reason` so the agent can pivot without re-prompting. \| Batch \| Module \| Tools \| \|---\|---\|---\| \| B2 \| domain (core) \| 5 \| \| B3 \| web-intel \| 8 \| \| B4 \| domain (misc) + codesec \| 2 \| \| B5a \| cve \| 2 \| \| B5b \| atlas + d3fend \| 4 \| \| B6 \| ioc \| 2 \| Wire-compat: purely additive — existing cons	High	5/9/2026
v1.27.1	## Hotfix on top of v1.27.0 Standalone runners (Glama Docker, raw \`python3 mcp_server.py\` from repo root) hit \`ModuleNotFoundError: No module named 'schemas'\` because per-package schema files do \`from schemas import BaseSuccessResponse\` which needs \`app/\` on \`sys.path\`. Production uvicorn launches from \`app/\` cwd so the path is implicit; standalone runners only have the repo root on the path. Fix: \`mcp_server.py\` now inserts both \`_REPO_ROOT\` and \`_REPO_ROOT/app/\` into \`sys.	High	5/4/2026
v1.19.1	## Summary Token-efficiency patch for v1.19.0. No wire-breaking changes; all additions are backward compatible. Three response-size fixes after live smoke against the production catalog (224 ATLAS records + 149 D3FEND defenses + 3,234 mappings) revealed that some calls returned 50–100 KB of mostly drillable text: 1. ATLAS technique search now slim by default. `/v1/atlas/techniques` previously echoed the full multi-paragraph description (1–2 KB) for every result; with the default `limit=50	High	4/29/2026
v1.11.0	## Highlights ### IP Intelligence — Phase 1 + Phase 4 - `/v1/ip/{ip}` now returns ASN + holder name + country inline (via RIPE Stat), closing a 2-call pattern for agents (`5840057`). - Reputation block on Free tier: FireHOL level1 blocklist check. Pro tier: +AbuseIPDB + Shodan (`1108631`). - Stale-cache poisoning fix: partial-cache-fill when only one RIPE side was previously cached (`667ba22`). ### MCP Contract Audit — Tier 1 + 2 + 3 Agent-readable response schemas, end-to-end: - **Tie	High	4/24/2026
v1.9.0	## ContrastAPI v1.9.0 — OSV.dev 6th Source + CVE Enrichment + MCP UX Hardening ### New - OSV.dev 6th enrichment source: `cve_lookup` now cross-references OSV.dev after NVD/MITRE/GHSA/EPSS/KEV. Delta backfill (`since=2026-04-15`, `limit=500`) covers post-Apr-15 NIST enrichment gap. CVSS:3.x via `cvss==3.6` (lazy import), CWE from `database_specific.cwe_ids`, ecosystem→vendor map for 11 OSS ecosystems (npm, PyPI, Maven, Go, RubyGems, NuGet, crates.io, Packagist, Hex, Pub, SwiftURL). Selective	High	4/20/2026
v1.8.0	## ContrastAPI v1.8.0 — MITRE CNA Parser + check_dependencies + 31 MCP Tools ### New - MITRE CNA parser: `cve_lookup` now extracts CVSS/CWE/CPE from the MITRE cvelistV5 CNA container, not just NVD. CNA-only CVEs (pre-NVD, 0-day bursts) return full severity from day 0. Retroactive backfill of 340K+ existing CVEs in progress — CNA-only entries that previously returned `severity=null` are being upgraded to full CVSS/CWE. - `check_dependencies` MCP tool: requirements.txt / package.json depe	High	4/18/2026
v1.7.0	## ContrastAPI v1.7.0 — CVE Multi-Source Intelligence + 30 MCP Tools ### New - CVE Multi-Source Expansion: MITRE cvelistV5 + GitHub Security Advisories (GHSA) synced alongside NVD. CVEs indexed hours/days before NVD enriches them. - `cve_leading` endpoint + MCP tool: Returns CVEs seen by MITRE/GHSA that NVD hasn't published yet — 174 leading CVEs at launch. - `cve_sources` table: Every CVE now tracks `sources`, `first_seen_source`, `first_seen_at` — agents can reason about data fres	High	4/16/2026
v1.6.0	## ContrastAPI v1.6.0 — Privacy Hardening + 29 MCP Tools + Orchestration ### New - Feature-Gate Phase 1: Weighted credit system (audit=4, bulk=N), 4 new endpoints: `audit_domain`, `threat_report`, `bulk_cve_lookup`, `bulk_ioc_lookup` - Privacy transparency: `GET /v1/privacy/my-data` — returns every row the DB has about your (hashed) IP - DNT/GPC support: `DNT: 1` or `Sec-GPC: 1` → no usage row written - GET /mcp/ health: Returns JSON metadata for crawlers and availability checks	High	4/12/2026
v1.5.0	## ContrastAPI v1.5.0 — 25 MCP Tools ### New Endpoints (5) - `GET /v1/archive/{domain}` — Wayback Machine historical snapshots - `GET /v1/username/{username}` — Username OSINT across 16 platforms - `GET /v1/exploit/{cve_id}` — Public exploits (GitHub Advisory + ExploitDB) - `GET /v1/email/disposable/{email}` — Disposable email provider check - `GET /v1/phone/{number}` — Phone number validation and intelligence ### MCP Server Improvements - 25 MCP tools (was 20) with full parameter descriptions	High	4/8/2026
v1.0.1	## ContrastAPI v1.0.1 ### Fixed - Welcome page race condition — Lemon Squeezy checkout now polls for webhook arrival before displaying the API key, preventing "invalid order" errors - XSS — `order_id` in JS context now uses `\|tojson` filter - TOCTOU — `get_and_clear_pending_key` uses `BEGIN IMMEDIATE` for true atomicity ### Added - `GET /api/check-key` — polling endpoint for webhook readiness (10 req/min) - 3-way welcome logic: key shown / already claimed / polling spinner - `pendi	Medium	4/4/2026
v1.0.0	## ContrastAPI v1.0.0 Threat intelligence API platform — Python FastAPI. ### Features - CVE/EPSS: Lookup, search, recent CVEs, KEV catalog, EPSS scores - Domain Intel: DNS records, WHOIS, subdomains, CT logs, SSL certificates, tech fingerprinting, domain reputation scoring - Threat Feeds: IP reputation, GreyNoise, Shodan, AbuseIPDB integration (24h cache) - IOC: Hash lookup, IP lookup, phishing check, password breach check - CodeSec: Header analysis, injection detection, se	Medium	4/1/2026

Dependencies & License Audit

Loading dependencies...

Similar Packages

sqltools_mcp🔌 Access multiple databases seamlessly with SQLTools MCP, a versatile service supporting MySQL, PostgreSQL, SQL Server, DM8, and SQLite without multiple servers.main@2026-06-07

MCP---Agent-Starter-Kit🚀 Build and explore multi-agent AI workflows with ready-to-use projects for document serving, Q/A bots, and orchestration.main@2026-06-05

notebooklm-pyProvide full Python API access to NotebookLM features, including advanced functions beyond the web interface, via CLI and AI agent integration.main@2026-06-05

OpenACMSelf-hosted autonomous AI agent — runs on your PC, controls your environment, connects to any MCP server.main@2026-06-02

claude-api-cost-optimization💰 Optimize your Claude API usage to save 50-90% on costs with batching techniques and efficient request management.main@2026-06-01

More in MCP Servers

PlanExeCreate a plan from a description in minutes

automagik-genieSelf-evolving AI agent orchestration framework with Model Context Protocol support

agentroveYour own Claude Code UI, sandbox, in-browser VS Code, terminal, multi-provider support (Anthropic, OpenAI, GitHub Copilot, OpenRouter), custom skills, and MCP servers.

ProxmoxMCP-PlusEnhanced Proxmox MCP server with advanced virtualization management and full OpenAPI integration.