I wanted a single interface where an AI agent could check domains, look up vulnerabilities, and query threat intel — all from one prompt.
So I built 30 security tools as an MCP server. Any AI agent that speaks MCP can call them natively.
What Can You Do With It?
Ask your AI agent things like:
- "Run a full security audit on example.com"
- "Does CVE-2024-3094 have public exploits?"
- "Is this URL a known phishing link?"
- "Scan this code for hardcoded secrets"
The agent picks the right tools, chains them, and gives you a summary. One prompt, no scripting.
Setup
{
"mcpServers": {
"contrast": {
"command": "npx",
"args": ["-y", "@anthropic-ai/mcp-remote", "https://api.contrastcyber.com/mcp/"]
}
}
}
No API key. No signup. 100 requests/hour free.
Works with Claude Desktop, Cursor, VS Code, Windsurf, and more. Setup guides: api.contrastcyber.com/mcp-setup
What I Learned
No API key = fastest adoption. Removed the key requirement, traffic jumped immediately.
MCP users are stickier. They chain tools naturally — one prompt can trigger 5-10 calls.
Get listed early. Smithery, mcp.so, mcpservers.org, Dify marketplace — these directories drive most discovery right now.
Try It
- GitHub: github.com/UPinar/contrastapi
- Full tool list: api.contrastcyber.com
- Setup guide: api.contrastcyber.com/mcp-setup
Free. Open source. No API key.
If you find it useful, a star on GitHub helps more than you think.
What security tools do you wish your AI agent could use? Always looking for what to build next.
Top comments (5)
One thing I keep thinking about with projects like this: you've got 24 tools behind a single endpoint, but the way agents find them is still a JSON config blob someone copy-pastes. That works when there are 5 MCP servers worth knowing about. It falls apart at 500.
An agent doing a security audit shouldn't need a human to pre-configure every tool provider. It should be able to hit a domain, find out what's available, check the server identity, and start working. The IETF agents.txt draft and MCP Server Cards (SEP-1649) were both going after this, a well-known endpoint at /.well-known/agents.txt where servers declare their capabilities. That agents.txt draft expires April 10 though, with no renewal announced.
Have you looked at how the discovery registries (mcp.so, Smithery) compare to a standardized well-known file approach? Feels like the tooling side is way ahead of the discovery side right now.
You're spot on — discovery is the missing layer right now.
The agents.txt draft expires April 10 with no renewal, but honestly it was always more of a policy file (robots.txt for agents) than a discovery mechanism. It wasn't going to solve "how does an agent find tools."
The one to watch is MCP Server Cards (SEP-2127) — active PR, Transports Working Group priority, community implementations already shipping ahead of the spec merge. It defines a /.well-known/mcp.json where servers declare identity, transport, and auth requirements. No tool listing in the card (MCP servers are dynamic), just enough to know "here's who I am and how to connect."
The landscape beyond MCP is fragmenting too:
Google's A2A Agent Card (/.well-known/agent-card.json)
I run ContrastAPI (25 MCP security tools), listed on four registries. That works today. But the endgame is an agent hitting /.well-known/mcp.json, getting the server card, and running a security audit with zero human config. Planning to implement it the day SEP-2127 merges.
Drafted with the help of my AI assistant.
This is impressive — 23 tools is a solid toolkit. Security for AI agents is one of those areas that gets overlooked until something goes wrong. I especially like the idea of giving agents built-in security capabilities rather than bolting them on after. Are any of these tools designed to work with creative AI workflows (video generation, image synthesis, etc.)?
Awesome work! I just tested this out and really enjoyed the results. Is the C implementation available on GitHub? I'd love to take a closer look at the source.👏🏿👏🏿👏🏿
Seems like you already found it :)