ISAC Reports Dashboard

MCP Server Documentation

This server exposes an MCP (Model Context Protocol) endpoint using the StreamableHTTP transport. Any MCP-compatible AI client can connect over HTTP to query threat intelligence data using the tools below.

Quick Start

Test with the MCP Inspector:

npx @modelcontextprotocol/inspector --transport streamableHttp http://localhost:3000/mcp

Or use the stdio transport for local CLI usage:

npm run mcp

Endpoint

Method	Path	Purpose
`POST`	`/mcp`	Send JSON-RPC requests (initialize, tools/list, tools/call). Creates a new session if no `mcp-session-id` header is provided.
`GET`	`/mcp`	SSE stream for server-initiated notifications. Requires `mcp-session-id` header.
`DELETE`	`/mcp`	Close an MCP session. Requires `mcp-session-id` header.

Connection Flow

# 1. Initialize a session
curl -X POST http://localhost:3000/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{
    "jsonrpc": "2.0", "id": 1,
    "method": "initialize",
    "params": {
      "protocolVersion": "2025-03-26",
      "capabilities": {},
      "clientInfo": { "name": "my-client", "version": "1.0.0" }
    }
  }'
# Response includes mcp-session-id header — use it for subsequent requests

# 2. List available tools
curl -X POST http://localhost:3000/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "mcp-session-id: SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'

# 3. Call a tool
curl -X POST http://localhost:3000/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "mcp-session-id: SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"search_threats","arguments":{"severity":"critical","limit":5}}}'

# 4. Close session when done
curl -X DELETE http://localhost:3000/mcp \
  -H "mcp-session-id: SESSION_ID"

Available Tools

generate_report

Run the full OSINT pipeline and return a markdown report. Uses a 24h disk cache.

sources (string[], optional) — filter to specific source keys
refresh (boolean, default: false) — force re-fetch, ignoring cache

search_threats

Search and filter cached threat intelligence items.

query (string, optional) — text search across titles and descriptions
severity (enum, optional) — critical, high, medium, low, unknown
tag (string, optional) — e.g. ransomware, apt, zeroday, rce, supply-chain
source (string, optional) — e.g. nvd, cisa-kev, general-news
limit (number, default: 20) — max items to return (1–100)

list_sources

List all available threat intelligence sources and their enabled/disabled status.

No parameters.

validate_urls

Check if URLs are reachable. Useful for verifying reference links before sharing.

urls (string[], required) — 1–10 URLs to validate

Client Configuration

To add this server to an MCP-compatible client (e.g. Claude Desktop, Cursor, Windsurf), use this config:

{
  "mcpServers": {
    "isac-reports": {
      "url": "http://localhost:3000/mcp"
    }
  }
}

Web API

Method	Path	Purpose
`GET`	`/`	This dashboard
`GET`	`/report`	Full interactive HTML report
`POST`	`/refresh`	Trigger pipeline re-fetch, returns JSON status
`GET`	`/api/status`	Cache metadata as JSON (age, item count, sources)

cisa-kev	4
nvd	1195
cisa-advisories	10
vendor-blogs	733
general-news	79

malware-bazaar	ABUSECH_AUTH_KEY not set
abuse-ipdb	ABUSEIPDB_API_KEY not set
threatfox	ABUSECH_AUTH_KEY not set
otx	OTX_API_KEY not set