MCP.so
Sign In
Servers

Enrichment MCP Server

@synackpwn

A Model Context Protocol (MCP) server for security data enrichment

Overview

What is Enrichment MCP Server?

A Model Context Protocol (MCP) server that performs third-party enrichment on observables (IP addresses, domains, URLs, email addresses) using configured services such as VirusTotal, Hybrid Analysis, AlienVault, Shodan, Urlscan.io, AbuseIPDB, and HaveIBeenPwned. It is intended for development and testing, not production.

How to use Enrichment MCP Server?

Install uv, clone the repository, and configure Claude for Desktop with a custom config file pointing to the server. Alternatively, run locally with uv run --env-file .env server.py after creating a .env file with API keys and copying config.yaml.example to config.yaml. The server exposes tools like observable-lookup, lookup-ipaddress, lookup-domain, lookup-url, and lookup-email.

Key features of Enrichment MCP Server

  • Routes observables to appropriate enrichment services automatically.
  • Supports IPv4, domain, URL, and email lookups.
  • Integrates with VirusTotal, HybridAnalysis, AlienVault, Shodan, Urlscan.io, AbuseIPDB, and HaveIBeenPwned.
  • Uses a custom YAML config file for service and template management.
  • Prompt templates are written in Jinja2 and customizable.
  • All services require an API key, which can be set via environment variables.

Use cases of Enrichment MCP Server

  • Enrich an IP address with reputation data from multiple threat intelligence feeds.
  • Investigate a suspicious domain or URL using aggregated service results.
  • Assess an email address against HaveIBeenPwned’s breach database.
  • Automate observable enrichment for security analysts via Claude for Desktop.
  • Test and develop MCP-based enrichment workflows in a sandboxed environment.

FAQ from Enrichment MCP Server

What services are supported and do they require API keys?

All supported services (VirusTotal, HybridAnalysis, AlienVault, Shodan, Urlscan.io, AbuseIPDB, HaveIBeenPwned) require an API key. Keys can be provided in a .env file using specific environment variable names (e.g., ENRICHMENT_MCP_VIRUSTOTAL_KEY).

Where are the API keys and configuration data stored?

API keys are stored in an environment file (.env) or optionally in config.yaml. The server itself does not store any data; third-party enrichment results are returned as prompts.

What transport does the server use?

The server is configured to run via the command line, typically launched by Claude for Desktop using the MCP stdio transport. The example Claude config specifies a command with arguments.

Are there any known limitations?

This project has not been used in production. The tool relies on regex patterns for observable type detection, which may need updates. Not all observable types (e.g., MD5, SHA1, SHA256) are currently implemented for enrichment.

What are the runtime requirements?

Python and uv (Astral’s package manager) are required. The server depends on a .env file for secrets and a config.yaml file for service and template configuration.

Tags

More from Other