A new open-source project called CVE MCP Server<\/a> is redefining how security teams triage vulnerabilities, transforming Anthropic\u2019s Claude AI into a fully capable security analyst by giving it direct, correlated access to 27 intelligence tools spanning 21 external APIs all through a single natural-language query.<\/p>\n Every security analyst knows the painful reality: triaging even a single CVE can mean opening a dozen browser tabs simultaneously, NVD for CVSS scores, EPSS for exploitation probability, CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog<\/a>, GitHub for patch status, VirusTotal for malware associations, Shodan for exposed hosts, and more.<\/p>\n Industry data confirms this bottleneck is severe, with EPSS v4 research showing that 96% of CVE alerts that fall below an exploitation threshold go completely uninvestigated due to manual workload alone.<\/p>\n For teams managing 50 or more CVEs simultaneously, that fragmented workflow can consume an entire workday.<\/p>\n Released on GitHub by developer Mahipal (mukul975), CVE MCP Server is a production-grade implementation of Anthropic\u2019s Model Context Protocol (MCP) an open standard that enables seamless integration between LLM applications and external data sources and tools.<\/p>\n The server integrates Claude with 27 security tools organized into five categories: Core Vulnerability Intelligence, Exploit & Attack Intelligence, Advanced Risk & Reporting, Network Intelligence, and Threat Intelligence.<\/p>\n Built with Python, FastMCP, httpx, aiosqlite, Pydantic v2, and defusedxml, the entire stack operates via outbound HTTPS only, no inbound ports, no telemetry, no API keys ever logged.<\/p>\n The tool catalog is extensive and immediately production-ready. Core vulnerability tools include Exploit intelligence tools map CVEs to MITRE ATT&CK techniques<\/a>, check PoC availability across GitHub and Exploit-DB, and retrieve CAPEC attack patterns.<\/p>\n Network intelligence layers in AbuseIPDB reputation scoring, GreyNoise scan activity, Shodan host profiling, and CIRCL Passive DNS. Threat intelligence tools<\/a> connect to VirusTotal, MalwareBazaar, ThreatFox for IOC lookups, and Ransomwhere for ransomware Bitcoin address tracking.<\/p>\n At the heart of the project is a weighted risk scoring formula that moves beyond CVSS-only prioritization, a methodology aligned with the industry shift toward multi-signal triage.<\/p>\n The formula weights EPSS probability at 35%, CISA KEV status at 30%, CVSS at 20%, and PoC availability at 15%, with boost multipliers applied for active KEV+PoC combinations, CVSS \u2265 9.0 with high EPSS, and recently published CVEs.<\/p>\n A score of 76\u2013100 triggers a CRITICAL label requiring patching within 24\u201348 hours under an emergency change window.<\/p>\n One notable design decision is accessibility: eight tools require zero API keys to function, including EPSS, CISA KEV, OSV.dev, MITRE ATT&CK, CWE lookups, CVSS parsing, Ransomwhere, and NVD at a reduced rate.<\/p>\n Teams can deploy and begin querying immediately, then progressively add Tier 1 keys (NVD, GitHub) for 10\u00d7 throughput and Tier 2 keys (AbuseIPDB, VirusTotal, GreyNoise, Shodan) for full multi-domain intelligence.<\/p>\n The server also addresses the software supply chain angle with three DevSecOps tools: In a single Claude prompt, a developer can scan an entire The CVE MCP Server is available now at github.com\/mukul975\/cve-mcp-server<\/a> under an open-source license, with Claude Desktop and Claude Code configuration supported out of the box.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post CVE MCP Server Turns Claude Into a Fully Capable Security Analyst With 27 Tools Across 21 APIs<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCVE MCP Server With 27 Tools<\/strong><\/h2>\n
lookup_cve<\/code> (NVD), get_epss_score<\/code> (FIRST), check_kev_status<\/code> (CISA), and bulk_cve_lookup<\/code> for batch-fetching up to 20 CVEs in parallel.<\/p>\nscan_dependencies<\/code> queries OSV.dev for vulnerable package versions, scan_github_advisories<\/code> searches GitHub Security Advisories by ecosystem, and urlscan_check<\/code> analyzes suspicious URLs.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghqrDYCAqO-ejGou9K7f_Q0uWZrek3FF_nblbk57mlZEFya-ZVi7A2t8PlhTDZso6Wdg0rQq9P3GVzl_y3WY60cBCYUEBrE-fgkakVT9w4icqhHzBCHojXefqHQnmvhHBD9aWsc7ApX-78JTkAn21Dtmrl-bIglFMz-cQK25X-Mxt7iehhV92rnnvciIM5\/s16000\/CVE%2520MCP%2520Tool.webp?ssl=1\")
<\/figure>\nrequirements.txt<\/code> and receive prioritized upgrade recommendations.<\/p>\n