ctscout
This server queries ctscout.dev's domain-attribution warehouse to map legal entities (from OV/EV certificates) to the apex domains they own, and vice versa.
Search by company name (
ctscout_search_company): Input an organization name (partial matches allowed) and retrieve apex domains attributed to it, along with cert counts, subdomain counts, and timestamps.Reverse-lookup by domain (
ctscout_lookup_domain): Input one or more apex domains (up to 10) and get the organization(s) attributed to each, plus sibling domains owned by the same legal entity.Sibling domain & digital footprint discovery: Surface other apex domains attributed to the same legal entity, enabling lateral discovery of an org's full presence.
Parent/subsidiary relationship checking: Compare multiple domains to determine if they share the same attributed organization (e.g., "Are coalition.com and at-bay.com owned by the same parent?").
Flexible output formats: Human-readable markdown tables or structured JSON.
Free tier (with API key): Up to 10 queries/day, top 5 results from a weekly snapshot.
Pro tier: Unlimited queries, full result sets, and live enriched signals (DNS, RDAP, homepage, IP/ASN, VLM visual verification) with a confidence band per attribution.
Coverage: ~6,000 entities indexed from OV/EV certs (strong on established US/EU organizations); DV-only domains (e.g., Let's Encrypt) are not visible.
Limitation: Searches by legal entity name, not brand — common brand names may return zero results, so try alternate legal-name queries.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@ctscoutFind all domains attributed to Cloudflare"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
ctscout-mcp-server
MCP server for ctscout.dev — named-entity attribution from Certificate Transparency logs (OV/EV only), with optional multi-signal corroboration on Pro. For mapping legal-entity digital footprints, sibling-domain discovery, and SAN-cohort analysis from LLM-driven workflows.
DV-only infrastructure (Let's Encrypt, ZeroSSL, cloud-native shops) is invisible to ctscout by design. See LIMITATIONS.md for what that means in practice.
Two tools:
ctscout_search_company— find apex domains attributed to an organization by namectscout_lookup_domain— reverse-lookup the organization attributed to one or more domains
Both work over the public ctscout.dev /scan API. Free tier requires an API key (no email, no signup). Pro tier returns a confidence_band per attribution plus the underlying signal evidence (DNS brand tokens, og:site_name match, RDAP, IP/ASN, VLM verdict).
Not a cyber-risk-scoring tool. See LIMITATIONS.md for what ctscout is and isn't, the DV-cert coverage gap, and the corrections path.
Release history: see CHANGELOG.md.
Install
For Claude Code, Claude Desktop, Cursor, or any other MCP client. Two ways to connect: hosted (recommended, no install) or local npm (this package).
1. Get a free API key
Visit ctscout.dev and click "Get a free API key". Solve the Turnstile captcha. Copy the key (you can't recover it later — save it now).
2a. Hosted endpoint (recommended — zero install)
The same tools are hosted at https://ctscout.dev/mcp. Nothing to install — just point your MCP client at the URL with your API key as the X-API-Key header.
Claude Code (CLI):
claude mcp add ctscout \
-s user \
--transport http \
--header "X-API-Key: YOUR_KEY_HERE" \
https://ctscout.dev/mcpThis writes to ~/.claude.json.
Claude Desktop / Cursor / Cline / any HTTP-transport MCP client — edit the client config:
{
"mcpServers": {
"ctscout": {
"type": "http",
"url": "https://ctscout.dev/mcp",
"headers": { "X-API-Key": "YOUR_KEY_HERE" }
}
}
}Config file locations:
Claude Desktop:
~/Library/Application Support/Claude/claude_desktop_config.json(Mac),%APPDATA%\Claude\claude_desktop_config.json(Windows). HTTP-transport MCP support requires a recent Desktop build; if your client doesn't recognize"type": "http", use the local npm fallback below.Cursor:
~/.cursor/mcp.json. If Cursor's HTTP transport doesn't connect, swap theurltohttps://ctscout.dev/sse— the same tools are served over the legacy SSE transport.
After adding, fully quit and restart your MCP client (not just close the window). The tools will appear under "ctscout".
2b. Local npm (fallback — if you can't use the hosted endpoint)
If you're behind a network policy that blocks ctscout.dev, prefer running the published Node binary locally:
claude mcp add ctscout \
-s user \
-e CTSCOUT_API_KEY=YOUR_KEY_HERE \
-- npx -y ctscout-mcp-serverOr in JSON config:
{
"mcpServers": {
"ctscout": {
"command": "npx",
"args": ["-y", "ctscout-mcp-server"],
"env": { "CTSCOUT_API_KEY": "YOUR_KEY_HERE" }
}
}
}The two paths talk to the same /scan API on the backend — feature-parity is automatic. The hosted endpoint just skips the Node install.
3. Use it
In Claude Code or Claude Desktop, just ask the model:
"Find all domains attributed to Cloudflare"
"Who is gs.com attributed to? What about goldmansachs.com — same parent?"
"Given an OV/EV-cert domain, pivot from its cert subject and surface sibling apex domains attributed to the same legal entity."
"List the domains attributed to The Hartford."
The model will pick the right ctscout tool, call it, and summarize.
Related MCP server: External Reconnaissance MCP Server
Free tier vs Pro tier
Free | Pro | |
Queries per day | 10 | unlimited |
Results per query | top 5 | full set |
Data freshness | weekly snapshot | live (DNS, RDAP, homepage, IP/ASN, VLM) |
Per-attribution evidence | — |
|
Price | $0 | concierge — email for early access |
The MCP server uses the same API key for both — your tier is determined by the key. If you hit the daily quota, the tool returns a 429 error with an upgrade hint.
Pro is currently concierge-only (manual key mint + invoice) while usage data justifies whether automated commerce is worth building. Email pro@ctscout.dev if you want a Pro key.
What the Pro response looks like
Free tier returns the legacy (domain, organization, certs, subdomains) table. Pro tier replaces it with a richer attribution table you can defend in a meeting:
| Domain | Attributed to | Band | Signals | Evidence |
|---|---|---|---|---|
| coalition.com | Coalition Inc | ✅ verified | dns_txt_brand_token, og_site_name_match, +1 | verified via google-site-verification, atlassian-domain... |
| imposter.com | Coalition Inc | ⚪ insufficient 🚫VLM-veto | dns_txt_brand_token, vlm_verdict_no | Logo on screenshot is a different brand |Bands map to confidence intervals (verified ≥ multiple strong independent signals, down to insufficient = no signals or signals disagree). The 🚫VLM-veto tag appears when visual brand verification overrode the positive-signal accumulation. Full structured payload is available via response_format: "json".
What this is, and isn't
ctscout is a digital entity resolution tool — it maps apex domains to organizations attributed in their Certificate Transparency records, optionally corroborated by DNS / RDAP / IP/ASN / favicon / visual brand verification on the Pro tier.
It is NOT a cyber-risk quantification platform. It does not score security posture, predict breaches, or produce risk ratings. See LIMITATIONS.md for the full disclaimer, coverage gaps, and corrections path.
Coverage at a glance
ctscout's warehouse is built from OV/EV certificates only — the ones where the issuing CA validated the org's legal identity. DV-only infrastructure (Let's Encrypt, ZeroSSL, ACME-defaulting cloud hosts) is invisible to the warehouse.
The warehouse is strongest on: established US/EU enterprise, government, financial services, traditional infrastructure, defense, education.
The warehouse is weak on: modern cloud-native shops (most domains entirely behind Cloudflare/Vercel/Netlify), pre-launch / stealth-mode startups, anything that defaults to DV certs.
When ctscout_lookup_domain returns 0 results, the apex isn't in the warehouse — not necessarily that nobody owns it. See LIMITATIONS.md for the full coverage discussion and ~5,976-org / 329K-pair scale stats.
Local development
git clone https://github.com/minghsuy/ctscout-mcp.git
cd ctscout-mcp
npm install
npm run build
# Run the test suite (Vitest, no network)
npm test
# Run the server (will fail without CTSCOUT_API_KEY)
node dist/index.js
# With a real key
CTSCOUT_API_KEY=your_key node dist/index.js
# Inspect with the official MCP inspector (browser UI)
npm run inspectTest the protocol handshake without a real key
echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}},"id":1}' | \
CTSCOUT_API_KEY=fake node dist/index.jsShould respond with the server's capabilities + tool registration. (Tool calls themselves require a real key.)
How it relates to ctscout.dev
This MCP server is a thin client over the public ctscout.dev /scan API. It does no auth-handling magic, no caching, no extra logic — just translates MCP tool calls into HTTP requests and formats the response for an LLM consumer.
If you're building your own integration in Python or another language, you can hit the same /scan endpoint directly. See ctscout.dev for curl examples.
License
MIT. See LICENSE.
The underlying ctscout service uses domain-scout (also MIT) for cert log analysis.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/minghsuy/ctscout-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server