MCP server exposing 3 tools for isc-sans.
This URL is a JSON-RPC 2.0 endpoint over HTTP. Issue POST requests with a JSON-RPC body. Browsers and search crawlers land here on GET.
POST https://gateway.pipeworx.io/isc-sans/mcp
Content-Type: application/json
{"jsonrpc":"2.0","id":1,"method":"tools/list"}ip_reputation — Look up an IPv4 address in the SANS ISC DShield database — its attack-report history, ASN/owner, abuse contact, and risk. A high report_count means the IP is an active attack source (firewall logs submitted by sensors worldwide). report_count null/0 = no malicious activity reported. The comment field often names known infrastructure (e.g. "Google public recursive name server"). Keyless.port_activity — Get recent attack/probe activity for a TCP/UDP port from SANS ISC — daily counts of report records, distinct target IPs, and distinct source IPs hitting the port. Useful for spotting scanning surges against services like SSH (22), RDP (3389), SMB (445), or Telnet (23). Keyless.threat_level — Get the global SANS ISC InfoCon threat level — the internet-wide "weather report" for malicious activity. Returns one of green/yellow/orange/red with a plain-English meaning. An at-a-glance signal of whether a major internet-scale event is underway. Keyless, no arguments.Code samples (curl / TypeScript / one-click client install), schemas, and the live playground are on the pack page:
https://pipeworx.io/packs/isc-sans/
Pipeworx is an open MCP gateway connecting AI agents to live data. pipeworx.io