mcp server

40 tools for AI agents. full threat intelligence in every conversation. works with Claude, Cursor, Windsurf, and any MCP-compatible client.

setup

add to your MCP client config. the server runs as a Docker container and communicates over stdio, so the command has to keep stdin attached: -i for docker run, and -T (no pseudo-TTY) for docker compose run. without them the server reads EOF and exits before the client sends its first request.

claude desktop / cursor / windsurf

{
  "mcpServers": {
    "rdintel": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "-e", "RDINTEL_API_KEY=your_key",
        "ghcr.io/rdintel/mcp-server:latest"
      ]
    }
  }
}

from source (docker compose)

{
  "mcpServers": {
    "rdintel": {
      "command": "docker",
      "args": ["compose", "--profile", "mcp", "run", "--rm", "-T", "mcp-server"],
      "env": { "RDINTEL_API_KEY": "your_key" }
    }
  }
}

get your API key from the dashboard. the MCP server uses the same key and rate limits as the REST API. note that the first config writes the key into the docker args, so it is visible in the host's process list while the container runs. passing -e RDINTEL_API_KEY with no value and putting the key in the entry's env block (as the compose config does) makes docker import it from the environment instead. in both forms the key is stored in plaintext in the client config file, so protect that file like any other credential.
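an added example (not part of the rdintel project) that checks a config in the shape shown above for secrets inlined into docker args and rewrites them into the pass-through form. it relies on two things: the docker CLI imports a variable from its own environment when -e is given a bare name, and the MCP client sets that environment from the entry's env block (the compose config above uses the same block). the sample config is the page's first config with a placeholder key.

```python
"""Move API keys out of docker argv and into the MCP entry's env block.

Added example, not rdintel's own code. `-e NAME=value` puts the key on the
command line (readable in `ps`); `-e NAME` makes docker read it from the
environment the MCP client sets up from the `env` block.
"""
import copy
import json

# constructed sample: the page's first config, key inlined in args
SAMPLE_CONFIG = {
    "mcpServers": {
        "rdintel": {
            "command": "docker",
            "args": [
                "run", "--rm", "-i",
                "-e", "RDINTEL_API_KEY=your_key",
                "ghcr.io/rdintel/mcp-server:latest",
            ],
        }
    }
}


def find_inline_secrets(server: dict) -> list:
    """Return (arg_index, var_name, value) for every `-e NAME=value`,
    `--env NAME=value` or `--env=NAME=value` in a docker command's args."""
    found = []
    args = server.get("args", [])
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-e", "--env") and i + 1 < len(args) and "=" in args[i + 1]:
            name, value = args[i + 1].split("=", 1)
            found.append((i + 1, name, value))
            i += 2
            continue
        if arg.startswith("--env=") and "=" in arg[len("--env="):]:
            name, value = arg[len("--env="):].split("=", 1)
            found.append((i, name, value))
        i += 1
    return found


def harden_server(server: dict) -> dict:
    """Rewrite inline secrets to pass-through form; values go to `env`."""
    hardened = copy.deepcopy(server)
    env = dict(hardened.get("env", {}))
    for idx, name, value in find_inline_secrets(hardened):
        arg = hardened["args"][idx]
        # keep the variable name so docker still forwards it,
        # but drop the value from the command line
        hardened["args"][idx] = f"--env={name}" if arg.startswith("--env=") else name
        env[name] = value
    if env:
        hardened["env"] = env
    return hardened


def harden_config(config: dict) -> dict:
    """Apply harden_server to every docker-based server entry."""
    out = copy.deepcopy(config)
    for name, server in out.get("mcpServers", {}).items():
        if server.get("command") == "docker":
            out["mcpServers"][name] = harden_server(server)
    return out


if __name__ == "__main__":
    print(json.dumps(harden_config(SAMPLE_CONFIG), indent=2))
```

run it against your real config file after replacing SAMPLE_CONFIG with the parsed JSON; the output is the same entry with the key moved into env.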

cve lookup & search

look up specific CVEs or search across the database with filters.

lookup_cve cve_id

full intelligence report: threat score, CVSS, EPSS, exploitation status, exploits, detection templates, news, reddit, threat actors. the primary tool for investigating a CVE.

get_cve cve_id

basic CVE metadata: description, severity, CVSS score, dates, CWE. lighter than lookup_cve when you only need core details.

get_cve_enriched cve_id

CVE with enrichment data: EPSS score, exploit count, KEV status, and composite threat score.

search_cves query severity? has_poc? has_kev? min_threat_score? limit?

full-text search across CVE IDs and descriptions with optional filters. a request like "log4j CRITICAL with exploits" becomes query="log4j" with severity and has_poc set.

list_cves severity? cvss_min? cvss_max? published_after? cwe? product? limit? offset?

list CVEs with advanced filtering: severity, CVSS range (cvss_min/cvss_max), publication date (published_after), CWE, and product. supports pagination via limit and offset.

get_cve_stats

database statistics: total CVEs, severity breakdown, coverage metrics.
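to exercise lookup_cve without an AI client in the loop, you can speak the MCP stdio transport directly. the following is an added example, not rdintel's own code: it sends newline-delimited JSON-RPC 2.0 (initialize, the initialized notification, tools/list, then tools/call for lookup_cve) to the docker command from the setup section. the protocol version string is the one this example was written against and is an assumption; the server may answer with a different one. the response collector skips non-JSON lines, so a server that logs to stdout by mistake does not break the handshake.

```python
"""Smoke-test the rdintel MCP server over stdio without an agent.

Added example, not part of the project. Speaks MCP's stdio transport
(one JSON-RPC 2.0 message per line) and calls lookup_cve directly.
"""
from __future__ import annotations

import json
import os
import subprocess

PROTOCOL_VERSION = "2024-11-05"  # assumption; the server negotiates in its reply
IMAGE = "ghcr.io/rdintel/mcp-server:latest"  # image from the setup section


def frame(method: str, params: dict | None = None, msg_id: int | None = None) -> str:
    """Encode one JSON-RPC message as a single line (stdio framing)."""
    msg: dict = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if msg_id is not None:
        msg["id"] = msg_id
    return json.dumps(msg, separators=(",", ":")) + "\n"


def handshake_frames(cve_id: str) -> list[str]:
    """initialize -> initialized -> tools/list -> tools/call lookup_cve."""
    return [
        frame("initialize", {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {},
            "clientInfo": {"name": "rdintel-smoke", "version": "0.1"},
        }, msg_id=1),
        frame("notifications/initialized"),
        frame("tools/list", {}, msg_id=2),
        frame("tools/call", {"name": "lookup_cve", "arguments": {"cve_id": cve_id}}, msg_id=3),
    ]


def collect_responses(lines, expected_ids: set[int]) -> dict[int, dict]:
    """Correlate replies by id. Non-JSON lines (stray log output) are
    skipped; JSON-RPC error replies are kept so the caller can inspect them."""
    got: dict[int, dict] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(msg, dict) and msg.get("id") in expected_ids and ("result" in msg or "error" in msg):
            got[msg["id"]] = msg
            if got.keys() >= expected_ids:
                break
    return got


def tool_names(tools_list_response: dict) -> list[str]:
    """Sorted tool names from a tools/list result."""
    return sorted(t["name"] for t in tools_list_response.get("result", {}).get("tools", []))


def run_smoke_test(cve_id: str, api_key: str) -> dict[int, dict]:
    """Spawn the container, run the handshake, return replies keyed by id."""
    cmd = ["docker", "run", "--rm", "-i", "-e", "RDINTEL_API_KEY", IMAGE]
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, env={**os.environ, "RDINTEL_API_KEY": api_key})
    proc.stdin.write("".join(handshake_frames(cve_id)))
    proc.stdin.flush()
    responses = collect_responses(proc.stdout, {1, 2, 3})
    proc.stdin.close()  # EOF on stdin tells the server to shut down
    try:
        proc.wait(timeout=30)
    except subprocess.TimeoutExpired:
        proc.kill()
    return responses


if __name__ == "__main__":
    key = os.environ.get("RDINTEL_API_KEY")
    if not key:
        raise SystemExit("set RDINTEL_API_KEY in the environment")
    out = run_smoke_test("CVE-2024-3400", key)
    print("tools:", tool_names(out.get(2, {})))
    print("lookup_cve:", json.dumps(out.get(3), indent=2))
```

the key is passed with a bare -e RDINTEL_API_KEY so it never appears in argv. if tools/list returns fewer than the 40 tools documented here, the image is out of date or a different server answered.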

cve intelligence

deep-dive into a specific CVE. each tool returns one dimension of intelligence.

get_cve_timeline cve_id

chronological event timeline: disclosure, NVD publication, exploit appearances, KEV addition, news, advisories.

get_cve_exploits cve_id

known exploits and PoC code from GitHub and ExploitDB. includes repo URLs, descriptions, stars, publish dates.

get_cve_github_activity cve_id

GitHub events for this CVE's exploit repos: commits, stars, forks, issues. tracks exploit maturity.

get_cve_products cve_id

affected software products with vendor details and version ranges.

get_cve_news cve_id

security news articles mentioning this CVE. title, source, date, relevance.

get_cve_reddit cve_id

Reddit discussions from r/netsec, r/cybersecurity, and other security communities.

get_cve_hackerone cve_id

disclosed HackerOne bug bounty reports with severity and bounty amounts.

get_cve_trends cve_id

trend data across platforms: mention counts, engagement, sentiment over time.

get_cve_poc_archives cve_id

archived PoC repositories. preserved even if the original repo is deleted from GitHub.

get_cve_enisa cve_id

ENISA EU regulatory data: classification, advisories, European relevance.

get_cve_msrc cve_id

Microsoft MSRC patch data: KB articles, fixed builds, exploitation likelihood, affected products.

get_cve_threat_actors cve_id

threat actors and APT groups known to exploit this vulnerability.

detection rules

get detection rules to find or block exploitation. nuclei for scanning, sigma for SIEM, YARA for files, plus AI-generated templates.

get_detection_rules cve_id

all four rule types in one call: nuclei, sigma, YARA, and AI-generated nuclei. use this when you want everything.

get_cve_nuclei cve_id

official ProjectDiscovery Nuclei templates for vulnerability scanning.

get_cve_sigma cve_id

Sigma SIEM detection rules with MITRE ATT&CK mappings. works with Splunk, Elastic, and other SIEMs.

get_cve_yara cve_id

YARA rules for file-level detection of exploit payloads and associated malware.

get_cve_nuclei_generated cve_id

AI-generated Nuclei templates for CVEs that lack official ones. validated and scored before publishing, but still review a generated template before running it against production targets.

threat feeds

prioritized vulnerability feeds for SOC dashboards, morning briefings, and automated triage. ranked by real-world evidence.

get_daily_threats days?

daily digest: what's hot in news, discussed on reddit, new KEV additions, new exploit code. start your day here.

get_top_threats min_score? year? limit?

highest-risk CVEs by composite threat score. combines CVSS, EPSS, and real-world evidence.

get_weaponized_cves limit?

CVEs both in CISA KEV (actively exploited) and with public exploit code. highest priority for patching.

get_recent_exploits days? limit?

CVEs with recently published PoC or exploit code on GitHub.

get_recent_kev days? limit?

recently added to CISA Known Exploited Vulnerabilities catalog. confirmed in-the-wild exploitation.

get_trending_cves days? limit?

CVEs trending in security news and Reddit. early signal for emerging threats.

get_high_epss min_epss? limit?

CVEs with high EPSS scores (exploitation probability in next 30 days). default threshold: 50%.

get_eu_relevant_cves limit?

CVEs relevant to European organizations: EU vendors, GDPR systems, ICS/SCADA, ENISA flagged.

get_suspicious_pocs min_score? limit?

PoC repos flagged as potentially malicious: backdoors, credential stealers, honeypots disguised as security tools. check here before cloning anything surfaced by get_cve_exploits or get_recent_exploits.
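the feeds above rank by real-world evidence rather than CVSS alone. as an added example (not the server's own ranking, whose composite threat score formula is not published on this page), here is a local triage that applies the same definitions to enrichment records of the kind get_cve_enriched is described as returning: weaponized means in CISA KEV and with public exploit code, high EPSS uses the page's default threshold of 50%, and within a tier records are ordered by EPSS then CVSS. the records are constructed with synthetic CVE IDs and scores, not real data.

```python
"""Local triage over CVE enrichment records, using this page's feed definitions.

Added example, not rdintel's scoring. Tiers, highest priority first:
  weaponized : in CISA KEV and public exploit code  (get_weaponized_cves)
  kev        : in KEV, no public PoC tracked        (get_recent_kev)
  high_epss  : EPSS >= threshold, default 0.5       (get_high_epss)
  poc        : public exploit code, not in KEV      (get_recent_exploits)
  watch      : everything else
Within a tier: EPSS descending, then CVSS descending.
"""
from __future__ import annotations

from dataclasses import dataclass

HIGH_EPSS_DEFAULT = 0.5  # 50%, the page's default for get_high_epss
TIER_ORDER = ["weaponized", "kev", "high_epss", "poc", "watch"]


@dataclass(frozen=True)
class Enriched:
    """Fields get_cve_enriched is described as returning, plus CVSS."""
    cve_id: str
    cvss: float
    epss: float          # probability of exploitation in the next 30 days, 0..1
    exploit_count: int   # public exploits / PoCs tracked
    in_kev: bool         # listed in CISA KEV


def tier(rec: Enriched, min_epss: float = HIGH_EPSS_DEFAULT) -> str:
    """Assign one record to a tier; KEV evidence outranks EPSS and CVSS."""
    has_poc = rec.exploit_count > 0
    if rec.in_kev and has_poc:
        return "weaponized"
    if rec.in_kev:
        return "kev"
    if rec.epss >= min_epss:
        return "high_epss"
    if has_poc:
        return "poc"
    return "watch"


def triage(records, min_epss: float = HIGH_EPSS_DEFAULT) -> list[tuple[str, Enriched]]:
    """Return (tier, record) pairs in patching priority order."""
    ranked = sorted(
        records,
        key=lambda r: (TIER_ORDER.index(tier(r, min_epss)), -r.epss, -r.cvss),
    )
    return [(tier(r, min_epss), r) for r in ranked]


def weaponized(records) -> list[str]:
    """CVE IDs that are both in KEV and have public exploit code."""
    return [r.cve_id for t, r in triage(records) if t == "weaponized"]


# constructed sample records: synthetic IDs (year 2099) and illustrative scores
SAMPLE = [
    Enriched("CVE-2099-0001", cvss=9.8, epss=0.02, exploit_count=0, in_kev=False),
    Enriched("CVE-2099-0002", cvss=7.5, epss=0.91, exploit_count=3, in_kev=True),
    Enriched("CVE-2099-0003", cvss=8.8, epss=0.12, exploit_count=0, in_kev=True),
    Enriched("CVE-2099-0004", cvss=6.5, epss=0.64, exploit_count=0, in_kev=False),
    Enriched("CVE-2099-0005", cvss=9.1, epss=0.08, exploit_count=2, in_kev=False),
    Enriched("CVE-2099-0006", cvss=9.8, epss=0.97, exploit_count=1, in_kev=True),
]

if __name__ == "__main__":
    for t, r in triage(SAMPLE):
        print(f"{t:<10} {r.cve_id}  cvss={r.cvss}  epss={r.epss:.2f}  "
              f"poc={r.exploit_count}  kev={r.in_kev}")
```

note how the CVSS 9.8 record with no KEV entry, no PoC and 2% EPSS lands last, below a CVSS 7.5 that is in KEV with public exploit code; that inversion is the point of the evidence-ranked feeds.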

github activity

real-time exploit development tracking. a spike in GitHub activity is often the first sign of weaponization.

get_github_activity hours? limit?

recent GitHub events across all CVE exploit repos: commits, stars, forks, issues.

get_github_trending hours? limit?

CVEs with the most GitHub activity right now. early weaponization indicator.

vendor & product search

search CVEs by vendor or product name. useful for vendor risk assessments and software inventory audits.

list_vendors limit? offset?

all vendors in the database sorted by CVE count.

get_vendor vendor

vendor details: metadata, product breakdown, and CVE counts per product.

search_vendor_cves vendor limit?

all CVEs affecting a vendor's products, ranked by threat score.

list_products limit? offset?

all products in the database sorted by CVE count.

get_product product

product details with vendor information.

search_product_cves product limit? offset?

all CVEs affecting a specific product. useful for assessing exposure of software in your environment.

example prompts

once connected, ask your AI agent anything about vulnerabilities. it will call the right tools automatically.

> "what are the most dangerous vulnerabilities right now?"

calls get_daily_threats, get_weaponized_cves

> "tell me everything about CVE-2024-3400"

calls lookup_cve, get_cve_timeline, get_detection_rules

> "what microsoft CVEs have exploits this month?"

calls search_vendor_cves with vendor="microsoft"

> "get me sigma rules for log4shell"

calls get_cve_sigma with cve_id="CVE-2021-44228"

> "are there any suspicious PoC repos I should watch out for?"

calls get_suspicious_pocs

> "what's trending on github in exploit development?"

calls get_github_trending