Exploit Intelligence Platform MCP Server

eip-mcp connects AI assistants to the Exploit Intelligence Platform via the Model Context Protocol. 17 tools to search vulnerabilities, analyze exploits, audit tech stacks, and generate pentest findings — with real-time data from NVD, CISA KEV, VulnCheck KEV, InTheWild.io, ENISA EUVD, EPSS, ransomware attribution, ExploitDB, Metasploit, GitHub, and more.

Try It Now — No Installation Required

A live remote MCP endpoint is available at mcp.exploit-intel.com/mcp. Connect directly from your AI client — no Python, no pip, no setup. Same 17 tools, real-time data.

Claude Desktop / Claude.ai

Settings → Connectors → Add custom connector → paste the URL

Claude Code

claude mcp add --transport http exploit-intel \
  https://mcp.exploit-intel.com/mcp

Cursor / Any MCP Client

"url": "https://mcp.exploit-intel.com/mcp"

No authentication required · 60 req/min rate limit

Local Installation

Requires Python 3.10+. Install with pipx (recommended) or a virtual environment.

macOS

brew install python3
brew install pipx
pipx install eip-mcp

# Alternative: virtual environment
python3 -m venv ~/.venvs/eip-mcp
source ~/.venvs/eip-mcp/bin/activate
pip install eip-mcp

Kali / Debian / Ubuntu

# APT repo (recommended); the setup script runs as root, so download and read it first if you want to review it
curl -fsSL https://repo.exploit-intel.com/setup.sh | sudo bash
sudo apt install eip-mcp

# or pipx
sudo apt install -y pipx
pipx install eip-mcp

Windows

pip install pipx
pipx install eip-mcp

# Alternative: virtual environment
python -m venv %USERPROFILE%\.venvs\eip-mcp
%USERPROFILE%\.venvs\eip-mcp\Scripts\activate
pip install eip-mcp

Arch / Manjaro

sudo pacman -S python python-pip python-pipx
pipx install eip-mcp

Kali 2024+ blocks global pip installs. Use the APT repo, pipx, or a virtual environment.

From Source (all platforms)

git clone https://github.com/exploitintel/eip-mcp.git
cd eip-mcp
python3 -m venv .venv
source .venv/bin/activate      # Linux/macOS
# .venv\Scripts\activate       # Windows
pip install -e .

Updating

# APT
sudo apt update && sudo apt upgrade eip-mcp

# pipx
pipx upgrade eip-mcp

# pip (in virtual environment)
pip install --upgrade eip-mcp

# Restart your AI client after updating

Connect to Your AI

Cursor IDE

Add to .cursor/mcp.json (or ~/.cursor/mcp.json)

{
  "mcpServers": {
    "eip": {
      "command": "eip-mcp",
      "args": [],
      "env": {}
    }
  }
}

If installed in a virtual environment, use the absolute path to the eip-mcp binary instead.

Claude Desktop

Add to claude_desktop_config.json

{
  "mcpServers": {
    "eip": {
      "command": "eip-mcp",
      "args": [],
      "env": {}
    }
  }
}

Restart your AI client after editing config. If it cannot find eip-mcp, switch to the full venv binary path.

Tools (17)

Tool | Description
search_vulnerabilities | Search CVEs with filters: severity, vendor, product, ecosystem, CWE, CVSS/EPSS thresholds, KEV, exploited-in-the-wild, ransomware, Nuclei, year, date range. Paginated.
get_vulnerability | Full intelligence brief for a CVE or EIP-ID with ranked exploits (AI analysis, MITRE techniques, source URLs), Nuclei templates (with description/impact/remediation), products, and references
search_exploits | Search exploits by source, language, classification, author, stars, CVE, vendor, product. Filter by attack_type, complexity, reliability, requires_auth. Paginated.
get_exploit_code | Retrieve exploit source code by platform ID (auto-selects main file)
get_exploit_analysis | Full AI analysis for a single exploit: classification, attack type, complexity, reliability, MITRE ATT&CK, summary, and trojan/deception indicators
get_nuclei_templates | Nuclei scanner templates with description, impact, remediation, and Shodan/FOFA/Google dork queries
list_authors | Top exploit researchers ranked by exploit count
get_author | Author profile with all their exploits and CVE context
list_cwes | CWE categories ranked by vulnerability count
get_cwe | CWE detail with description, exploit likelihood, parent hierarchy
list_vendors | Software vendors ranked by vulnerability count
list_products | Discover exact product names for a vendor (CPE name lookup with vuln counts)
lookup_alt_id | Resolve alternate IDs (EDB-XXXXX, GHSA-XXXXX) to their CVE
audit_stack | Audit a tech stack for critical/high severity CVEs with exploits, sorted by EPSS risk
generate_finding | Generate a Markdown pentest report finding — all sections present with N/A when data is absent
get_platform_stats | Platform-wide counts and data freshness
check_health | API health and ingestion source timestamps

What to Ask Your AI

Just describe what you need in natural language. The AI picks the right tools automatically.

Ask this | Tool used
"What critical Fortinet vulns are being exploited right now?" | search_vulnerabilities (any_exploited=true)
"Tell me about CVE-2024-3400" | get_vulnerability
"Find reliable RCE exploits for Apache" | search_exploits
"Show me the source code of that Metasploit module" | get_exploit_code
"Is exploit 61514 a trojan?" | get_exploit_analysis
"Get the Nuclei template and Shodan dork for TeamCity" | get_nuclei_templates
"Who are the top exploit authors?" | list_authors
"Show me all exploits by Chocapikk" | get_author
"What are the most common vulnerability types?" | list_cwes
"What products does Fortinet have?" | list_products
"What CVE is EDB-51996?" | lookup_alt_id
"Audit our stack: nginx, postgresql, redis" | audit_stack
"Write a pentest finding for CVE-2024-3400" | generate_finding

Real Examples

All output below is from real queries against the live platform.

"Show me all backdoored/trojan exploits"
Uses search_exploits with llm_classification=trojan

Found 21 exploits:

  ★0  github       hn1e13/test-mcp
      CVE-2025-54135  HIGH  CVSS:8.5  [markdown] trojan
      AI: RCE | trivial | theoretical
      !! Embedded AI automation commands disguised as configuration
      !! Decoy Python script unrelated to the vulnerability

  ★1  github       Markusino488/cve-2025-8088
      CVE-2025-8088  HIGH  CVSS:8.8  [python] trojan
      AI: other | moderate | reliable
      !! Misleading README describing a security tool
      !! Suspicious download links pointing to the same ZIP file

"Find reliable RCE exploits sorted by GitHub stars"
Uses search_exploits with attack_type=RCE, reliability=reliable, sort=stars_desc

Found 17,720 exploits:

  ★4275  nomisec      zhzyker/exphub
         CVE-2020-14882  CRITICAL  CVSS:9.8  working_poc
         AI: RCE | moderate | reliable

  ★3436  nomisec      fullhunt/log4j-scan
         CVE-2021-44228  CRITICAL  CVSS:10.0  scanner
         AI: RCE | moderate | reliable

  ★1848  nomisec      kozmer/log4j-shell-poc
         CVE-2021-44228  CRITICAL  CVSS:10.0  working_poc
         AI: RCE | moderate | reliable

"Audit our stack: nginx, postgresql, redis"
Uses audit_stack with technologies=nginx, postgresql, redis

STACK AUDIT RESULTS

--- NGINX (66 exploitable CVEs) ---
  CVE-2023-44487  HIGH  CVSS:7.5  EPSS:94.4%  Exploits:22 [KEV]
    HTTP/2 Rapid Reset DoS
  CVE-2017-7529  HIGH  CVSS:7.5  EPSS:91.9%  Exploits:54
    Nginx <1.14 - Info Disclosure

--- POSTGRESQL (56 exploitable CVEs) ---
  CVE-2019-9193  HIGH  CVSS:7.2  EPSS:93.4%  Exploits:41
    PostgreSQL < 11.2 - OS Command Injection

--- REDIS (39 exploitable CVEs) ---
  CVE-2022-0543  CRITICAL  CVSS:10.0  EPSS:94.4%  Exploits:32 [KEV]
    Redis Lua Sandbox Escape

"Tell me about BlueKeep (CVE-2019-0708)"
Uses get_vulnerability — exploits with MITRE ATT&CK techniques and trojan deception detail

CVE-2019-0708  [CRITICAL]  [KEV]
BlueKeep RDP Remote Windows Kernel Use After Free
CVSS: 9.8  EPSS: 94.5% (100th percentile)

EXPLOITS (487 total):
  METASPLOIT MODULES:
    - cve_2019_0708_bluekeep_rce.rb  Rank: manual
      AI: RCE | complex | racy
      MITRE: T1059, T1068 - Exploitation for Privilege Escalation
  VERIFIED (ExploitDB):
    - EDB-47416  verified
      MITRE: T1068, T1210 - Exploitation of Remote Services
  PROOF OF CONCEPT:
    ★1187  Ekultek/BlueKeep  working_poc
      AI: RCE | moderate | reliable
      MITRE: T1189, T1068
  *** TROJAN ***:
    WARNING: ttsite/CVE-2019-0708-
    Summary: The repository is a scam. No actual exploit code.
    Deception indicators:
      - False claims about exploit availability
      - Deceptive contact information

"Get Nuclei dorks for TeamCity auth bypass"
Uses get_nuclei_templates with cve_id=CVE-2024-27198

NUCLEI TEMPLATES (1):
  Template: CVE-2024-27198  [critical] [verified]
  Name: TeamCity < 2023.11.4 - Authentication Bypass
  Author: DhiyaneshDk
  Tags: cve, cve2024, teamcity, jetbrains, auth-bypass, kev

  Recon Queries:
    Shodan:  http.component:"TeamCity" || http.title:teamcity
    FOFA:    title=teamcity
    Google:  intitle:teamcity

  Run: nuclei -t CVE-2024-27198 -u https://target.com

"Write a pentest finding for CVE-2024-3400, target fw.corp.example.com"
Uses generate_finding — outputs a report-ready Markdown finding

# CVE-2024-3400: PAN-OS Unauthenticated Remote Code Execution

Severity: CRITICAL
CVSS v3 Score: 10.0  (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 94.3% probability of exploitation
CISA KEV: Yes — confirmed actively exploited in the wild
CWE: CWE-20, CWE-77

Affected Target: fw.corp.example.com

## Exploit Availability
43 public exploit(s) identified.
- Metasploit: panos_telemetry_cmd_exec.rb  (rank: excellent)

## MITRE ATT&CK Techniques
- T1059 - Command and Scripting Interpreter
- T1190 - Exploit Public-Facing Application
- T1202 - Indirect Command Execution
...

"Show me all exploits by Chocapikk"
Uses get_author with author_name=Chocapikk

Author: Chocapikk
Exploits: 90  |  Active since: 2017-04-25

  ★244  CVE-2026-21858  Chocapikk/CVE-2026-21858  working_poc
  ★235  CVE-2023-29357  Chocapikk/CVE-2023-29357  working_poc
  ★179  CVE-2024-25600  Chocapikk/CVE-2024-25600  working_poc
  ★148  CVE-2023-22515  Chocapikk/CVE-2023-22515  working_poc
  ★134  CVE-2024-45519  Chocapikk/CVE-2024-45519  working_poc
   ★99  CVE-2024-3273   Chocapikk/CVE-2024-3273   working_poc
   ★86  CVE-2024-36401  Chocapikk/CVE-2024-36401  working_poc
  ... and 83 more exploits

Security

Input validation — CVE/exploit IDs, enums, numerics, and strings are strictly validated
Path safety — blocks .., absolute paths, and null bytes
Response safety — exploit code responses capped at 50KB
Network safety — HTTPS to trusted EIP host with TLS verification and timeouts
Operational safeguards — local rate limiting and controlled API concurrency
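
What the first three safeguards can look like in Python, as an added illustration that is not taken from the eip-mcp source. The function names, the CVE pattern and the truncation marker are assumptions; only the 50KB cap and the rejected path forms come from the list above.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

MAX_CODE_BYTES = 50 * 1024  # the 50KB cap stated in the list above
# Assumed pattern. [0-9] rather than \d, which also matches non-ASCII digits.
CVE_RE = re.compile(r"CVE-[0-9]{4}-[0-9]{4,}")
TRUNCATION_MARKER = "\n[truncated]"  # hypothetical marker, ASCII only


def validate_cve_id(value: str) -> str:
    """Return the canonical upper-case CVE ID or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("CVE ID must be a string")
    candidate = value.strip().upper()
    # fullmatch rejects anything appended after a valid-looking prefix.
    if not CVE_RE.fullmatch(candidate):
        raise ValueError(f"not a CVE ID: {value!r}")
    return candidate


def validate_file_path(path: str) -> str:
    """Accept only a relative path with no '..', no root and no null byte."""
    if not path or "\x00" in path:
        raise ValueError("empty path or null byte")
    normalized = path.replace("\\", "/")  # treat both separators alike
    if PurePosixPath(normalized).is_absolute() or PureWindowsPath(path).drive:
        raise ValueError("absolute path")
    if ".." in normalized.split("/"):
        raise ValueError("parent-directory segment")
    return normalized


def cap_response(code: str, limit: int = MAX_CODE_BYTES) -> str:
    """Truncate on a UTF-8 boundary so the result never exceeds `limit` bytes."""
    if limit < len(TRUNCATION_MARKER):
        raise ValueError("limit smaller than the truncation marker")
    raw = code.encode("utf-8")
    if len(raw) <= limit:
        return code
    # errors="ignore" drops a multi-byte character cut in half by the slice.
    kept = raw[: limit - len(TRUNCATION_MARKER)].decode("utf-8", errors="ignore")
    return kept + TRUNCATION_MARKER
```

The cap counts encoded bytes rather than characters, so source files with multi-byte characters cannot push a response past the limit.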