attack-surface-mcp-server

Tools

Eight tools organized around the recon workflow — attacksurface_map_domain orchestrates the full flow end to end, the per-aspect tools back it for targeted follow-up, and attacksurface_recon_guidance synthesizes findings into a defensive review plan. Seven are keyless; one (attacksurface_lookup_host) needs a Shodan key and degrades gracefully without it.

attacksurface_map_domain

The spine of most engagements — one call maps a domain end to end.

• depth control: quick = subdomains + liveness only; standard = + DNS records, TLS, and HTTP posture; thorough = + Shodan enrichment (when a key is present, otherwise skipped with a note)

• includeRegistration adds an RDAP/WHOIS lookup for the apex at standard+ depth

• All per-host fan-out uses Promise.allSettled — one failed source or unreachable host degrades to a note, never tanks the call

• Subdomain resolution is capped (ATTACKSURFACE_MAX_SUBDOMAINS, default 200) with the cap disclosed when hit

• The assessment block synthesizes only observable facts — expiring certs, missing HSTS/CSP, weak TLS versions, failed chain validation — never an exploitation path

attacksurface_enumerate_subdomains

Passive subdomain discovery from public Certificate Transparency logs.

• Three sources with a fallback chain: crt.sh (primary), Certspotter (fallback — crt.sh is frequently overloaded), and the apex's own TLS certificate SAN list (always available)

• Every discovered name carries its source provenance

• DNS resolution marks which names are live; includeUnresolved: false returns only live hosts

• Reads public logs — it does not brute-force or probe the target's resolvers

attacksurface_resolve_dns

Multi-resolver DNS enumeration with propagation visibility.

• Queries A, AAAA, CNAME, MX, NS, TXT, and CAA across multiple public resolvers (default 8.8.8.8, 1.1.1.1, 9.9.9.9)

• Reports per-resolver answers so propagation gaps and split-horizon DNS are visible

• Optional reverse DNS (PTR) on resolved addresses

• Each host passes the SSRF guard; private/loopback resolver IPs are rejected; one failing host degrades to a per-host error

attacksurface_inspect_tls

Read-only TLS posture inspection — surfacing problems is the point.

• A real handshake per host reports negotiated protocol and cipher, the full certificate chain, SANs, validity window, days-to-expiry, issuer, and chain-validation status

• Invalid, expired, and self-signed certificates are inspected and reported rather than throwing

• Posture findings flag short expiry windows, deprecated protocols, and self-signed chains

• One handshake per host; no application data is sent; SSRF-guarded

attacksurface_probe_http

A single passive HTTP(S) GET with a security read-out.

• Follows redirects and reports the final status plus the full redirect chain

• Security-header audit: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, cookie Secure/HttpOnly/SameSite flags, and CORS origin-reflection

• Evidence-bound technology fingerprint (server, framework, CDN, WAF, CMS) — every detection names the header or body marker that triggered it

• Strictly one request per host — no path traversal, parameter injection, or multi-method probing; every redirect hop is re-checked against the SSRF guard

attacksurface_lookup_registration

Registration and ownership from public registries.

• RDAP first (structured JSON, 302-follow with a 5s deadline), WHOIS port-43 fallback for TLDs without RDAP or when RDAP is unresponsive

• Domain lookups return registrar, EPP status codes, registration/expiry/updated events, nameservers, and DNSSEC

• IP/CIDR lookups return the netblock name, allocation CIDRs, origin ASN, and country

• Registry data is frequently redacted or sparse — absent fields are reported as unknown, never inferred

attacksurface_lookup_host

Shodan infrastructure intelligence — the one optional-key path.

• mode: "host" (default) — a free single-IP lookup: open ports, service banners, software versions, hostnames, ASN, geo

• mode: "search" — a faceted internet-wide query that consumes paid Shodan query credits

• Requires SHODAN_API_KEY; without it the tool returns a typed source_unavailable error and every other tool keeps working

• Shodan data reflects Shodan's last scan, not a live port state — the server itself never scans ports

attacksurface_recon_guidance

State-aware synthesis — no network calls, just reasoning over what you've found.

• Takes the findings gathered so far (live hosts, TLS/cert state, missing headers, software versions, open ports) and returns a prioritized defensive review plan as markdown plus structured priority items

• Pre-fills concrete follow-up calls — re-inspecting hosts that lack posture data, and chaining disclosed software versions to an external NVD (nist-nvd-mcp-server) or OSV (osv-advisory-mcp-server) server for CVE context

• Output is a remediation/visibility plan, never an exploitation playbook

Related MCP server: MCP Security Tools Suite

Resources

All resource data is also reachable via tools — tool-only clients lose nothing, since attacksurface_map_domain covers the same ground. Large maps disclose a truncation count rather than returning unbounded host detail. The server exposes no prompts; attacksurface_recon_guidance supplies the one "structure the next steps" pattern as a state-aware tool instead of a static template.

Features

Built on @cyanheads/mcp-ts-core:

• Declarative tool and resource definitions — single file per primitive, framework handles registration and validation

• Unified error handling — handlers throw, framework catches, classifies, and formats

• Pluggable auth: none, jwt, oauth

• Swappable storage backends: in-memory, filesystem, Supabase, Cloudflare KV/R2/D1

• Structured logging with optional OpenTelemetry tracing

• STDIO and Streamable HTTP transports

Attack-surface-specific:

• Passive and non-intrusive by mandate — public records plus each target's own single published response; active scanning, exploitation, and brute-forcing are excluded from the surface, not toggled by a flag

• Keyless core — CT subdomain enumeration, DNS, TLS, HTTP/tech, and RDAP/WHOIS all work with zero API keys; Shodan is strictly additive depth

• SSRF guard on every outbound connection — rejects private, loopback, link-local, cloud-metadata, and reserved IPv4/IPv6 ranges before connecting (opt out for trusted internal assessment via ATTACKSURFACE_ALLOW_PRIVATE_TARGETS)

• Multi-source aggregation with fallback chains — CT discovery falls through crt.sh → Certspotter → TLS-SAN; registration falls through RDAP → WHOIS

Agent-friendly output:

• Provenance on every result — source labels (source: crt.sh | certspotter | tls-san, source: rdap | whois) and per-source status so agents can assess completeness and trust

• Graceful partial failure — multi-target and multi-source tools return per-item/per-source error fields and operational notes instead of failing the whole call; only malformed input throws

• Discriminated, typed contracts — typed error reasons (source_unavailable, blocked_target, all_sources_failed) and union output (kind: domain | ip) let callers branch on data, not string parsing

• No fabricated signal — technology detections carry their triggering evidence; absent CT/DNS/RDAP fields are reported as unknown, never inferred

Getting started

Add the following to your MCP client configuration file. Every tool except attacksurface_lookup_host works with no configuration — the keyless core boots on an empty environment.

{
  "mcpServers": {
    "attack-surface-mcp-server": {
      "type": "stdio",
      "command": "bunx",
      "args": ["@cyanheads/attack-surface-mcp-server@latest"],
      "env": {
        "MCP_TRANSPORT_TYPE": "stdio",
        "MCP_LOG_LEVEL": "info"
      }
    }
  }
}

Or with npx (no Bun required):

{
  "mcpServers": {
    "attack-surface-mcp-server": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@cyanheads/attack-surface-mcp-server@latest"],
      "env": {
        "MCP_TRANSPORT_TYPE": "stdio",
        "MCP_LOG_LEVEL": "info"
      }
    }
  }
}

Or with Docker:

{
  "mcpServers": {
    "attack-surface-mcp-server": {
      "type": "stdio",
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "MCP_TRANSPORT_TYPE=stdio", "ghcr.io/cyanheads/attack-surface-mcp-server:latest"]
    }
  }
}

To enable Shodan host intelligence (attacksurface_lookup_host), add SHODAN_API_KEY to the env block.

For Streamable HTTP, set the transport and start the server:

MCP_TRANSPORT_TYPE=http MCP_HTTP_PORT=3010 bun run start:http
# Server listens at http://localhost:3010/mcp

Refer to "your MCP client configuration file" generically — different clients use different config paths and this server isn't client-specific.

Prerequisites

• Bun v1.3.11 or higher (or Node.js v24+).

• No API key required for the core tools. Optional: a Shodan API key for attacksurface_lookup_host, and a Certspotter API key to raise CT-fallback rate limits.

Installation

1. Clone the repository:

git clone https://github.com/cyanheads/attack-surface-mcp-server.git

2. Navigate into the directory:

cd attack-surface-mcp-server

3. Install dependencies:

bun install

4. Configure environment (optional):

cp .env.example .env
# edit .env only if you want Shodan, a Certspotter key, or non-default behavior

Configuration

All variables are optional — the server boots and delivers its keyless core with an empty environment.

See .env.example for the full list of optional overrides.

Running the server

Local development

• Build and run:

  # One-time build
  bun run rebuild
  
  # Run the built server
  bun run start:stdio
  # or
  bun run start:http

• Run checks and tests:

  bun run devcheck   # Lint, format, typecheck, security
  bun run test       # Vitest test suite
  bun run lint:mcp   # Validate MCP definitions against spec

Docker

docker build -t attack-surface-mcp-server .
docker run --rm -e MCP_TRANSPORT_TYPE=http -p 3010:3010 attack-surface-mcp-server

The Dockerfile defaults to HTTP transport, stateless session mode, and logs to /var/log/attack-surface-mcp-server. OpenTelemetry peer dependencies are installed by default — build with --build-arg OTEL_ENABLED=false to omit them.

Project structure

Development guide

See CLAUDE.md/AGENTS.md for development guidelines and architectural rules. The short version:

• Handlers throw, framework catches — no try/catch in tool logic

• Use ctx.log for request-scoped logging, ctx.state for tenant-scoped storage

• Register new tools and resources via the barrels in src/mcp-server/*/definitions/index.ts

• Every outbound connection to a user-supplied target must pass the SSRF guard (assertSafeDomain / assertSafeUrl / assertSafeResolverIp) before connecting

• Wrap external API calls: validate raw → normalize to domain type → return output schema; never fabricate missing fields

Contributing

Issues and pull requests are welcome. Run checks and tests before submitting:

bun run devcheck
bun run test

License

Apache-2.0 — see LICENSE for details.