MCPSERV.CLUB
synackpwn

Enrichment MCP Server

MCP Server

Unified third‑party enrichment for observables

Stale (50) · 0 stars · 2 views · Updated Apr 26, 2025

About

The Enrichment MCP Server routes IP, domain, URL, and email observables to configured third‑party services such as VirusTotal, Hybrid Analysis, and others, providing a single API for multi‑source threat intelligence enrichment.

Capabilities

  • Resources: Access data sources
  • Tools: Execute functions
  • Prompts: Pre-built templates
  • Sampling: AI model interactions

Enrichment MCP Server

The Enrichment MCP Server is a specialized Model Context Protocol (MCP) service designed to enrich security observables—such as IP addresses, domains, URLs, and email addresses—by querying a curated set of third‑party threat intelligence APIs. Rather than forcing developers to write bespoke integration code for each provider, this server offers a single, unified interface that automatically routes an observable to the appropriate enrichment tools based on its type. This abstraction saves time, reduces boilerplate, and ensures consistency across security workflows.

At the heart of the server lies a configurable mapping between observable types and enrichment services. The tool acts as a dispatcher: it receives an observable, determines its format (IP, domain, URL, or email), and then forwards the request to the corresponding lookup tool—, , , or . Each lookup tool aggregates results from all enabled third‑party services that support that observable type, returning a consolidated response. Because the server reads its configuration from and environment variables, developers can enable or disable providers on the fly without redeploying code.

Key capabilities include:

  • Multi‑service aggregation: Simultaneously query VirusTotal, Hybrid Analysis, AlienVault, Shodan, Urlscan.io, AbuseIPDB, and HaveIBeenPwned.
  • Dynamic routing: Automatic detection of observable type with regex patterns, reducing manual parsing errors.
  • Secure secret management: API keys are injected via environment variables (e.g., ), keeping credentials out of source control.
  • Extensible architecture: The configuration schema allows adding new services or lookup actions with minimal effort.
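The dispatcher pattern described above (classify the observable, then fan it out to every enabled provider that supports that type, with API keys taken from the environment) is small enough to show in full. The following is an added illustration written for this page, not the Enrichment MCP Server's own code: the provider names, the environment-variable names, the regexes and the lookup functions are all assumptions, and the lookups are injected so the example runs offline. It also shows two things a practitioner would want from such a router: one failing provider does not abort the others, and exception text is not copied into the response, since upstream errors can echo request URLs that carry the key.

```python
"""Observable classification and routing to configured enrichment providers.

Added example for illustration only; not code from the Enrichment MCP Server.
Provider names, environment-variable names and lookup signatures are assumptions.
"""
import ipaddress
import os
import re
from typing import Callable, Mapping, Optional
from urllib.parse import urlsplit

# Hypothetical provider registry: env var holding the API key, and the
# observable types that provider can enrich.  Not the project's real config.
PROVIDERS = {
    "virustotal": ("VT_API_KEY", {"ip", "domain", "url"}),
    "abuseipdb": ("ABUSEIPDB_API_KEY", {"ip"}),
    "urlscan": ("URLSCAN_API_KEY", {"url", "domain"}),
    "hibp": ("HIBP_API_KEY", {"email"}),
}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

LookupFn = Callable[[str, str], dict]  # (observable, api_key) -> provider result


def classify(observable: str) -> Optional[str]:
    """Return 'ip', 'domain', 'url' or 'email', or None if the format is unknown.

    URLs are tested first so that 'http://example.com' is not mistaken for a
    bare domain; IPs are tested with the ipaddress module rather than a regex
    so IPv6 literals are handled correctly.
    """
    value = observable.strip()
    if URL_RE.match(value):
        return "url" if urlsplit(value).hostname else None
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if EMAIL_RE.match(value):
        return "email"
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def enabled_providers(env: Mapping[str, str]) -> dict:
    """Providers whose API key is present and non-empty, mapped to that key."""
    return {name: env[var] for name, (var, _) in PROVIDERS.items() if env.get(var)}


def dispatch(observable: str, lookups: Mapping[str, LookupFn],
             env: Mapping[str, str] = os.environ) -> dict:
    """Route one observable to every enabled provider that supports its type.

    Returns a consolidated response; per-provider failures are recorded and
    isolated so a single outage does not lose the other providers' results.
    """
    kind = classify(observable)
    if kind is None:
        return {"observable": observable, "type": None,
                "error": "unrecognised observable format", "results": {}}
    keys = enabled_providers(env)
    results = {}
    for name, (_, types) in PROVIDERS.items():
        if kind not in types or name not in keys:
            continue  # provider cannot handle this type, or no key configured
        fn = lookups.get(name)
        if fn is None:
            results[name] = {"status": "skipped", "reason": "no lookup implemented"}
            continue
        try:
            results[name] = {"status": "ok", "data": fn(observable, keys[name])}
        except Exception as exc:
            # Record only the exception class: upstream error text can contain
            # the request URL, and therefore the API key.
            results[name] = {"status": "error", "reason": type(exc).__name__}
    return {"observable": observable, "type": kind, "results": results}


def _offline_lookup(provider: str) -> LookupFn:
    """Constructed stand-in for a real provider call, so the demo runs offline."""
    def lookup(observable: str, api_key: str) -> dict:
        assert api_key  # the key reached the call site without being logged
        return {"provider": provider, "observable": observable, "verdict": "constructed-sample"}
    return lookup


if __name__ == "__main__":
    # Constructed environment: only two of the four hypothetical providers are enabled.
    demo_env = {"VT_API_KEY": "constructed-key", "HIBP_API_KEY": "constructed-key"}
    demo_lookups = {name: _offline_lookup(name) for name in PROVIDERS}
    for obs in ("https://example.com/login", "8.8.8.8", "user@example.com", "???"):
        print(dispatch(obs, demo_lookups, demo_env))
```

The router is deliberately data-driven: adding a provider is one new registry entry plus a lookup function, which mirrors the "enable or disable providers without redeploying code" property the description claims, and the key never appears in the consolidated response.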

Typical use cases span incident response, threat hunting, and automated triage. For example, an analyst can feed a suspicious URL into the MCP server; the server returns reputation scores, historical malware associations, and related IP intelligence in one payload. Security orchestration platforms can embed the MCP server as a single step, streamlining workflows that previously required multiple API calls and data transformations.

Because the server exposes standard MCP tools, it plugs seamlessly into any AI assistant that understands MCP. A Claude model can issue a request, receive structured enrichment data, and then generate contextual explanations or remediation guidance—all without leaving the conversational interface. This tight integration empowers developers to build richer, data‑driven AI assistants that can surface actionable threat intelligence in real time.