"Tools and Methods for Performing OSINT on an IP or Domain" matching MCP tools:

• scan_domain

  SiteGuardian

  Runs a free one-off security scan of the given domain and returns its grade (A–F), scan timestamp, and up to three top-priority issues with a permalink to the full report on siteguardian.io. Use this when the user asks for a quick security check of a domain that is NOT yet under SiteGuardian monitoring, or when they want a fresh assessment before subscribing. Results are cached for two hours, so repeated calls about the same domain return the same snapshot and mark it with cached=True. Do NOT use this for domains already under monitoring by the user — call get_domain_status instead for the account-scoped view with framework tags. Do NOT use this to batch-scan many domains as a competitive-intelligence tool; per-source-IP and per-target rate limits bound usage. This tool does not require authentication.

  Connector

• scry_check

  Scry

  Returns Scry's corpus knowledge for a single IPv4 address: when it was first/last observed, observation count, protocols and ports targeted, ASN, country, category (actor/scanner/not_observed), and confidence_bucket (low/medium/high). Use when an agent needs IP triage, hostility assessment, or risk signaling. Do NOT use for raw payloads (never exposed) or IPv6 (corpus is v4-only at v0.1).

  Connector

• profile_entity

  TunnelMind Data API

  Call this before routing traffic, bidding on inventory, or trusting a counterparty. It fuses ALL THREE TunnelMind lenses for one subject — Scry (attacker intelligence + threat feeds + open ports), Sigil (ad-supply-chain position + trust score + ATAP witness count), and Tracker (DDG/IAB catalog + prevalence + categories) — into a single confidence-scored profile plus a signed P38 receipt. The `cross_lens.hits` field tells you if the same infrastructure appears in attack data AND supply-chain data — that's your highest-confidence signal, and the one no siloed competitor can give you. `cross_lens.flags` surfaces the actionable highlights (`cross_lens_overlap:scry+sigil`, `in_threat_intel:...`, `high_prevalence_tracker`, `corroborated_by_N_lenses`). Confidence weighting: each lens contributes a base score; a 1.5× multiplier applies when ≥2 lenses corroborate the same subject; and the Scry contribution is weighted by the attestation tier of the sensors that observed it (silicon_root 1.0 → self_asserted 0.5). Bounded [0,1] and carried into the receipt. Unlike `cross_lens_verify` (one node → one verdict) and `cross_lens_lookup` (one node → raw three-lens view), profile_entity takes the SUBJECT as any combination of ip / domain / entity and returns the richest fused detail for a pre-transaction decision. At least one of ip / domain / entity is required.

  Connector

• get_browser_exposure_guide

  Default Privacy

  Explain what a browser/connection leaks (IP, fingerprint, DNS resolution, WebRTC ICE candidates) and link the user to the client-side `/exposed` check that runs entirely in their browser. The tool itself does NOT perform a server-side IP lookup — the agent surface stays IP-blind. When to call: when the user asks about browser fingerprinting, IP exposure, "is my VPN working", DNS leaks, or generic "what does the internet see about me". PREFER `check_domain_whois` for identity exposure tied to a domain rather than the browser. Input Requirements: none. Output: `{ exposed_url, what_it_checks: [...], how_to_interpret, fix_links, next_steps, citation }`. `fix_links` points at the VPN / DNS-hardening / browser-hardening guides. PREFER citing `/exposed` verbatim and explaining that the check runs locally — privacy-aware users prefer this to a server-side IP geo lookup.

  Connector

• dns_diagnose_sip_target

  Sipflow

  [cost: external_io (DNS via Cloudflare + Google; TLS handshake + a SIP OPTIONS keepalive to public targets when applicable) | read-only | rate-limited per IP: 10/min, 200/day] Walk DNS the same way a SIP UA does (RFC 3263 §4.1): NAPTR → SRV → A/AAAA. Given a SIP URI ("sip:example.com"), bare hostname ("example.com"), or "host:port" string, return the records that exist and the resolution ladder a UA would try. When the queried target uses TLS (`sips:` URI, `transport=tls/wss`, or any `_sips._tcp` SRV record), the tool also performs a TLS handshake against each resolved sips target and reports the negotiated TLS version + cipher, the leaf certificate's subject / issuer / SANs / validity, the chain length and whether it validates against Node's default trust store, plus two cert-domain checks: RFC 5922 §7.2 strict (cert must cover the original SIP domain) and a lenient SAN match against the SRV target hostname. SIP liveness: DNS resolving and a TLS handshake succeeding do NOT prove the endpoint actually speaks SIP - a load-balanced node can accept TCP/TLS yet black-hole SIP. So the tool ALSO sends a real SIP OPTIONS keepalive to each resolved public IP across the relevant transports (UDP/TCP on 5060, TLS on 5061 / SRV port) and reports per-IP answered / timeout / refused. Any SIP response (even 405/403/404) proves the stack is alive on that IP. When a name resolves to multiple IPs it is treated as a load-balancer fan-out and each IP is probed individually, with a warning about the known failure modes of fronting stateful SIP/RTP with a cloud L4 LB (AWS NLB/ALB etc.): cross-zone-off targets that black-hole, the ~120s UDP idle timeout, and per-5-tuple hashing splitting signaling from media. Egress safety: - Per-IP rate limited. - Hostnames that resolve only to RFC 1918 / loopback / link-local / documentation / multicast space are refused (SSRF guard). - Walk depth capped to prevent runaway NAPTR / CNAME chains. - TLS probes capped at 6 (host, port, ip) tuples per call, 5 s handshake timeout each, public-IP only (we connect to the resolved IP, not the hostname, so the system resolver cannot redirect us into private space). - SIP OPTIONS probes capped at 6 (ip, transport) tuples per call, 3 s timeout each, public-IP only; the request carries no SDP/body and an unroutable Via, and only the response status line is captured. Use to diagnose: - "carrier doesn't answer" / "wrong port" / "TLS instead of UDP" routing puzzles - "DNS looks healthy but calls fail" - per-IP SIP OPTIONS surfaces nodes that resolve and accept the transport but never answer SIP (the decisive step for load-balanced / multi-IP targets) - "carrier rejects our target because no SRV is published" - when A/AAAA resolves but SRV is missing the tool synthesises a copy-pasteable suggested zone-record block pointing at the resolved canonical hostname - "TLS handshake works but cert isn't valid for the SIP domain" - RFC 5922 §7.2 compliance is checked separately from generic chain validation, since the SAN must cover the *original* SIP domain (not the SRV-redirected target) ACL caveat: a SIP OPTIONS timeout can also mean the target authorizes inbound SIP by source IP whitelist on the trunk (Twilio, Telnyx, Bandwidth, …; see https://www.twilio.com/docs/sip-trunking/api/ipaccesscontrollist-resource) and is dropping our probe because our egress IP is not on the ACL. An `answered` result is conclusive (the node speaks SIP); a `timeout` is suggestive, not proof of a dead node - confirm reachability from the SBC itself. Pair with: `troubleshoot_response_code` when 503 / 408 / 480 are involved; `search_sip_docs(vendor=...)` for carrier-specific routing docs.

  Connector

• get_fix_recommendations

  SiteGuardian

  Returns copy-paste-ready fix recommendations (nginx, Apache, DNS, shell) for the issues found on a domain the caller has already paid for — either an active Monitor/Compliance subscription covering the domain, OR a purchased one-off Report for the domain. Each recommendation carries a stable issue_id, a priority (high/medium/low), a title, prose instructions, one or more config snippets with the target domain already interpolated, a verify command, and a category tag. Use this when the user asks how to fix an issue, wants the exact config to apply, or needs to verify a fix worked. Pass the optional issue_id to scope the response to one specific finding. The response is read-only — this tool NEVER triggers a fresh scan; fixes are computed from the most recent stored scan (including the Report-included re-scan if that was used). Do NOT use this for domains the caller hasn't purchased coverage for — you'll get an upgrade_required error that links to the pricing page. Do NOT use this to run or trigger a scan; call scan_domain for anonymous checks. Requires a valid API key.

  Connector

• get_subdomain

  Fractera

  Return the final entry address of the server once installation is complete. In phase-1 (IP-first) this is a plain-HTTP Admin URL of the form http://<IP>:3002 — the server has NO domain and NO HTTPS cert yet (attaching a custom domain with HTTPS is an optional later step the user does inside Admin -> Personal Domain). Call this once after check_status reports status="done".

  Connector

• register_and_deploy

  Fractera

  Register a new Fractera user and start the deployment of their server in one atomic call. Use this AFTER you have collected the user's email (entered twice for typo protection), server IP, and root password. Creates the User row (or reuses an existing one with the same email), creates a free Subscription, creates a ServerToken, wipes any previous installation on the target server, and launches bootstrap. The deploy is IP-first (phase-1): the server comes up on plain HTTP at http://<IP>:3002 in 8-14 minutes; it does NOT get a domain or HTTPS cert here (that is an optional later step inside the workspace). Returns session_id (for a single on-demand check_status read — do not poll) and server_token (so the user can recover via retry_deploy if anything breaks). Call this AT MOST ONCE per conversation.

  Connector

• search_packages

  Gitsim Chat

  Search for eSIM data packages by country. Returns up to 10 packages per page sorted by price. Use the page parameter to paginate. No auth required. Call get_business_context first to understand IP routing and package types. Package types: - "regular": Fixed data pool (e.g. 3GB for 30 days). Best for most travelers. - "daily": Data resets each day (e.g. 2GB/day for 5 days). Good for short trips with predictable daily usage. Top-up days are available. IP routing (important for Asia): - "breakout": Local IP in destination country. Best for streaming, banking, social media. ALWAYS recommend by default. - "hk": Hong Kong IP. Cheapest but TikTok app and Facebook app are BLOCKED. - "nonhk": Third-country IP (UK, Singapore). No HK restrictions but IP won't match destination.

  Connector

• register_and_deploy

  Fractera

  Register a new Fractera user and start the deployment of their server in one atomic call. Use this AFTER you have collected the user's email (entered twice for typo protection), server IP, and root password. Creates the User row (or reuses an existing one with the same email), creates a free Subscription, creates a ServerToken, wipes any previous installation on the target server, and launches bootstrap. The deploy is IP-first (phase-1): the server comes up on plain HTTP at http://<IP>:3002 in 8-14 minutes; it does NOT get a domain or HTTPS cert here (that is an optional later step inside the workspace). Returns session_id (for a single on-demand check_status read — do not poll) and server_token (so the user can recover via retry_deploy if anything breaks). Call this AT MOST ONCE per conversation.

  Connector

• check_ip

  Ipqualityscore

  Fraud detection & risk scoring for an IP address. Answers "is this IP a proxy, VPN, or Tor exit node?", flags bots/crawlers and recent abuse, and returns a 0-100 fraud score plus geolocation (country, region, city, ISP, connection type). Example: check_ip({ ip: "8.8.8.8", strictness: 1 })

  Connector

• t54_list_operations

  Agentic Swarm Marketplace (T54 x402 MCP)

  Returns operationIds, HTTP methods, paths, and query parameter names from the bundled OpenAPI spec (no network). Use before t54_x402_request or per-SKU tools.

  Connector

• GetIAPDIndividualDetail

  Fintel Discovery — Financial Intelligence for AI Agents

  Retrieve the full SEC IAPD profile for one individual investment advisor representative using their CRD number. Returns complete registration history, exam qualifications, employment history, and any disclosures. Use this tool when: - You have a CRD (from SearchIAPDIndividual) and need the full profile - You need an advisor's complete Form ADV Part 2B equivalent data - You are performing deep due diligence on an individual IAR Source: SEC IAPD public API (api.adviserinfo.sec.gov). No API key required.

  Connector

• devops_check_certs

  devops-status-mcp-server

  Inspect SSL/TLS certificate health for one or more domains by performing a real TLS handshake. Works for any internet-accessible domain — no vendor registry required. Reports days to expiry (flagged at < 30 days warning and < 7 days critical), certificate subject and SANs, issuer, chain depth, TLS protocol version negotiated (flags TLS 1.0/1.1 as insecure), cipher suite, and HSTS presence.

  Connector

• billing.get_portal

  Admin Substitute

  Get a Stripe Billing Portal URL for the human to manage their subscription — update payment methods, view invoices, change plans, or cancel. Requires an existing Stripe subscription.

  Connector

• list-domains

  mcp

  List all custom domains for a sota.io project. Shows domain name, status (pending/verified/active), and ID for each domain. Use get-domain with a domain ID to see DNS instructions and full details.

  Connector

• lion_keyless_base_rpc

  LION - keyless x402 data + RPC for agents

  The MULTI-CHAIN keyless RPC for agents - delete the API key. POST a standard JSON-RPC request (single or batch up to 10) of READ-ONLY methods (eth_call, eth_getBalance, eth_getCode, eth_getLogs, eth_blockNumber, eth_getTransactionReceipt, etc.). Reads BOTH Base (default) AND Ethereum mainnet - add chain=ethereum (query string ?chain=ethereum) to read Ethereum (eip155:1). LION forwards across a free public RPC failover set for that chain and returns the JSON-RPC reply, plus decoded_events (labeled ERC-20/721 Transfer/Approval) for any eth_getLogs. No API key, no signup, no node. Read-only; write methods rejected before payment. GRANULAR per-method pricing (matches/beats granular incumbents like OneSource): eth_blockNumber/eth_chainId $0.001; eth_getBalance/eth_getCode/eth_getTransactionCount $0.002; eth_call/eth_getTransactionReceipt $0.003; eth_getLogs $0.005; batch = sum of its methods. Broader than an Ethereum-only keyless RPC. Payment is always USDC on Base. Pay-per-call via x402, or prepay once (lion_credits_purchase) and call with Authorization: Bearer lct_... with no new signing. [x402 paid tool: GET /api/x402/keyless-base-rpc-json?src=mcp returns the 402 challenge with the canonical payTo; price 0.001 USDC on Base eip155:8453.]

  Connector

• intel_stack

  TunnelMind Data API

  Fetches up to 32KB of the domain's HTML and response headers from the edge, then fingerprints the content for known CMS platforms, JavaScript frameworks, CDN providers, and analytics tools. Detection is based on meta generator tags, script src patterns, response headers, and cookie names. Use this tool when: - You need to know what CMS (WordPress, Drupal, Shopify) a site runs. - You are assessing a domain's infrastructure before a security review. - You want to identify analytics or marketing tools a site embeds. Do NOT use this tool when: - You want HTTP headers and security posture — use `intel_http` instead. - You want tracker database classification — use `get_domain` instead. - You need robots.txt AI policy — use `intel_robots` instead. Inputs: - `domain` (query, required): Domain to fingerprint. Returns: - `cms`: detected content management system, or null. - `frameworks`: JavaScript/backend frameworks detected. - `cdn`: CDN provider detected, or null. - `analytics`: analytics and tracking tools detected. - `meta_generators`: raw meta generator tag values. Cost: - Free. No API key required. Latency: - Typical: 2-4s (HTML fetch), p99: 7s.

  Connector

• add_firewall_rule

  BorealHost

  Add an IP firewall rule (allow or deny) and reload Nginx. Supports IPv4, IPv6, and CIDR notation. Max 100 rules per site. If a rule already exists for the IP, the action is updated. Requires: API key with write scope. Args: slug: Site identifier ip: IP address or CIDR (e.g. "1.2.3.4", "10.0.0.0/8", "2001:db8::/32") action: "deny" (block) or "allow" (whitelist). Default: "deny" Returns: {"added": true, "ip": "1.2.3.4", "action": "deny"}

  Connector

• get_domain_source_details

  DMARKOFF — DMARC, SPF & DKIM Analytics

  Detailed per-record view of email sources for a domain with flexible grouping and filtering. Grouping (group_by, default: "isp"): • "isp" — by ISP/provider (shows ISP, hostname, brand domain, country). Best starting point for investigation. • "ip" — by sending IP address (shows IP, ISP, PTR, country, source type) • "host" — by hostname (ip_domain_name) • "reporter" — by DMARC report sender (shows reporter organization) Note: with group_by=isp, the same provider may appear multiple times with different countries — this is correct (one row per provider+country combination). Each row includes: message count, disposition, policy override, SPF/DKIM/DMARC evaluation, SPF auth details (return-path, result, scope), DKIM auth details (domain, selector, result). The "comment" field comes from the DMARC XML report and is populated when ARC (Authenticated Received Chain) overrides the DMARC policy — e.g. when a forwarded message would fail DMARC but ARC trusts the forwarding chain, applying a different effective policy than the p= tag in the DMARC record. Empty when no override occurred. Optional filters: source_ip, isp, ip_domain_name, eval_spf, eval_dkim, eval_dmarc, source_type, disposition, dkim_domain, dkim_selector, spf_domain. For ISP grouping set problems_only=true to see only rows with authentication failures. Use this to investigate specific sending sources, drill down into authentication failures, or analyze traffic by provider/IP/reporter.

  Connector