MCP Server

Offensive tools
your AI agents can call.

A native Model Context Protocol server exposes SICenter’s reconnaissance and validation tools over HTTPS. Plug Claude Desktop, Cursor or any agent framework straight in — every call is bound to the scope you authorized.

Serverhttps://sicenter.io/api/mcp
Generate a tokenSee the platform

Agent-native

Claude Desktop, Cursor, your own orchestrator. Any client that speaks MCP speaks to SICenter.

Scope-bound

Every tool invocation inherits your organization’s asset scope. Out-of-scope targets are refused server-side.

Bearer auth

Single HTTPS endpoint, standard Authorization header. Rotate tokens from your dashboard whenever you need.

Quickstart

Connect in three steps.

The MCP server speaks JSON-RPC 2.0 over HTTPS. Pass a bearer token and you can call any registered tool. No SDK required.

01

Generate an API token

Create a token from your dashboard. Each token is bound to the organization’s scoped assets — the MCP server refuses calls against anything not in that scope.

02

Point your agent at the server

Both Claude Desktop and Cursor support MCP servers over HTTP. Add SICenter to your client’s config and restart.

claude_desktop_config.json
{
  "mcpServers": {
    "sicenter": {
      "url": "https://sicenter.io/api/mcp",
      "headers": {
        "Authorization": "Bearer sk_live_YOUR_TOKEN"
      }
    }
  }
}
cursor mcp.json
{
  "mcpServers": {
    "sicenter": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://sicenter.io/api/mcp"],
      "env": {
        "MCP_REMOTE_HEADER_AUTHORIZATION": "Bearer sk_live_YOUR_TOKEN"
      }
    }
  }
}
03

Ask your agent to run reconnaissance

The agent discovers available tools automatically viatools/listand can invoke any of them. You can also call the server directly with curl for scripting.

curl — tools/call
curl -X POST https://sicenter.io/api/mcp \
  -H "Authorization: Bearer sk_live_YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "subdomain_enum",
      "arguments": { "domain": "example.com" }
    }
  }'
Tool catalog

What your agent can do today.

Every tool is tenant-scoped and audit-logged. The catalog grows continuously — call tools/list for the live list.

subdomain_enumDiscovery

Passive subdomain enumeration via certificate transparency (crt.sh). Zero touch on the target's authoritative DNS.

domainstringApex domain.
includeWildcardsboolean?Include `*.sub.domain.tld` records. Default: false.
{
  "domain": "example.com"
}
Tool docs
port_scanDiscovery

TCP connect scan over the top-N common ports with service naming. Pure Node, no external binaries, safe on serverless runtimes.

hoststringHostname or IPv4 literal. Private ranges are blocked server-side.
portsnumber[]?Explicit port list. Omit to scan the top 40 by default.
limitnumber?When `ports` is omitted, how many of the top-N to scan.
{
  "host": "example.com",
  "limit": 25
}
Tool docs
http_fingerprintDiscovery

Non-invasive HTTP recon: server stack, CDN, technologies, security-header audit (HSTS, CSP, X-Frame-Options, …).

urlstringFull URL including protocol (e.g. https://example.com).
{
  "url": "https://example.com"
}
Tool docs
dns_recordsDiscovery

Pull authoritative DNS: A, AAAA, MX, TXT, NS, CNAME, SOA. Useful for mapping infrastructure and catching stale delegations.

domainstringApex or sub-domain.
record_typesstring[]?Subset of A | AAAA | MX | TXT | NS | CNAME | SOA. Default: all seven.
{
  "domain": "example.com",
  "record_types": ["A", "MX", "TXT"]
}
Tool docs
whois_lookupDiscovery

RDAP-backed ownership lookup: registrar, registrant org, creation, expiry, nameservers. Never hits legacy port-43 whois.

domainstringApex domain.
{
  "domain": "example.com"
}
Tool docs
tls_auditDiscovery

Inspect a TLS endpoint: cert chain, SANs, expiry countdown, negotiated protocol/cipher. Flags expired, self-signed, weak-protocol, weak-cipher findings.

targetstringHostname or IP. Private ranges blocked.
portnumber?TCP port. Default: 443.
{
  "target": "example.com",
  "port": 443
}
Tool docs
email_postureDiscovery

Audit a domain's outbound email security: SPF presence + policy, DMARC policy (none/quarantine/reject), DKIM selector presence.

domainstringApex domain.
{
  "domain": "example.com"
}
Tool docs
subdomain_takeover_checkValidation

Resolve a subdomain's CNAME and probe the target service. Matches against 10 common hijackable-service fingerprints (GitHub Pages, Heroku, S3, Fastly, Shopify, Pantheon, Ghost, Tumblr, Wufoo, Tilda).

subdomainstringFQDN to check.
{
  "subdomain": "legacy.example.com"
}
Tool docs
github_leaksDiscovery

Search GitHub code for potential credential leaks tied to a domain or org. Requires GITHUB_TOKEN env var; returns graceful error if not configured.

org_or_domainstringGitHub org slug or your domain.
max_resultsnumber?Cap on matches (default 25, max 100).
{
  "org_or_domain": "example.com",
  "max_results": 25
}
Tool docs
cve_enrichPrioritization

Fetch CVE details including CVSS v3 score, severity, description, and references. Queries local intel first, falls back to NIST NVD REST API 2.0.

cve_idstringCVE identifier (e.g. CVE-2021-44228).
{
  "cve_id": "CVE-2021-44228"
}
Tool docs
epss_lookupPrioritization

Retrieve EPSS probability score (0–1) and percentile (0–100) for a CVE. Indicates likelihood of exploitation in the next 30 days. Queries local intel or FIRST.org.

cve_idstringCVE identifier (e.g. CVE-2021-44228).
{
  "cve_id": "CVE-2021-44228"
}
Tool docs
brand_typosquatDiscovery

Generate typosquat domain candidates (leet, adjacent-key, deletion, insertion, homoglyphs, TLD-swap) and probe each via DNS + crt.sh to identify registered look-alikes.

domainstringApex domain to generate typosquats for.
max_resultsnumber?Max candidates to probe (default 50, max 200).
{
  "domain": "example.com",
  "max_results": 50
}
Tool docs
api_discoveryDiscovery

Surface API endpoints by probing robots.txt, sitemap.xml, Swagger/OpenAPI spec paths, and GraphQL introspection. Non-aggressive — requests well-known public paths only.

domainstringDomain to surface API endpoints for.
max_pathsnumber?Max endpoints to return (default 30, max 200).
{
  "domain": "example.com",
  "max_paths": 30
}
Tool docs
cloud_config_auditValidation

Detect cloud misconfigurations via passive HTTP header inspection: CDN fingerprints, direct S3 bucket serving, and overly permissive CORS. HEAD + OPTIONS only.

domainstringDomain to audit for cloud misconfigs.
{
  "domain": "example.com"
}
Tool docs
Protocol

JSON-RPC 2.0 over HTTPS.

SICenter implements the Model Context Protocol specification version 2024-11-05. A single POST endpoint handles every method the spec defines — no SSE transport required for the current tool set.

initializeHandshake. Returns server info + capabilities.
tools/listDiscover every registered tool with its input schema.
tools/callInvoke a tool by name with validated JSON arguments.
pingLiveness check.
initialize request
{
  "jsonrpc": "2.0",
  "id": 0,
  "method": "initialize",
  "params": {
    "protocolVersion": "2024-11-05",
    "capabilities": {},
    "clientInfo": {
      "name": "my-agent",
      "version": "0.1.0"
    }
  }
}

Put your agents to work.

Generate a token, paste it into Claude or Cursor, and your AI starts running CTEM on your surface.

Start freeTalk to sales