MCP Server

Integrate GreyNoise threat intelligence directly into your AI workflow. The GreyNoise MCP Server exposes tools for IP reputation, RIOT/business-service checks, tag and vulnerability intelligence, GNQL stats, and more—so your agent can answer “is this noise or targeted?”, enrich investigations, and summarize activity without leaving your environment.

Download GreyNoise MCP Server

One-click install (Claude Desktop)

Requires a GreyNoise Enterprise API key.

Download: GreyNoise MCP Server (.dxt)

Double-click the file. Claude Desktop will open an install panel, prompt for your GreyNoise API key, and finish setup.

  • Built with Anthropic’s Desktop Extensions (DXT) format
  • Runs locally with a bundled runtime
  • Updates automatically when a new version is published

Tip: After installation, open Claude Desktop → Settings → Extensions to confirm it’s enabled. You can edit or rotate your API key there at any time.

Why this matters

  • Fast enrichment: ask for IP context, RIOT/business service status, or tag activity on the fly.
  • Less swivel-chair: bring GreyNoise into chat, coding, and analysis sessions.
  • Local execution: the MCP server runs on your machine; secrets are stored via the OS keychain (through DXT).

Quick start

Claude Desktop

  1. Install the .dxt from the link above.
  2. When prompted, paste your GREYNOISE_API_KEY (Enterprise).
  3. In any chat, ask things like:
    • “What does GreyNoise know about 203.0.113.55?”
    • “Is 8.8.8.8 noise or a common business service?”
    • “Show trending exploitation and notable tags this week.”
    • “Summarize activity for tag scanner over the last 30 days.”

Other MCP clients (stdio)

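Prefer a manual setup in an IDE that supports MCP (VS Code, Cursor, Windsurf, etc.)? Add the server to the client's MCP configuration. Unlike the DXT install, this stores the API key in a plain-text config file, so keep that file out of version control and restrict who can read it.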

{
  "mcpServers": {
    "greynoise": {
      "command": "npx",
      "args": ["@greynoise/greynoise-mcp-server"],
      "env": {
        "GREYNOISE_API_KEY": "your-greynoise-api-key"
      }
    }
  }
}
  • Run: npx @greynoise/greynoise-mcp-server --help
  • Default transport is stdio.
  • HTTP transport is available if you install Express (npm i express) and run: node @greynoise/greynoise-mcp-server --transport http

Capabilities and tools

The server exposes a focused set of tools for investigation and reporting:

  • lookup-ip-context — detailed IP context from GreyNoise.
  • quick-check-ip — lightweight “noise vs. business service” check (v2/noise/quick/ipaddr).
  • multi-ip-check — batch quick checks for up to 100 IPs (v2/noise/multi/quick via POST).
  • riot-lookup — business service lookup with rich metadata (v2/riot/ipaddr).
  • get-tag-list — enumerate all GreyNoise tags with metadata.
  • search-tags — find tags by query.
  • get-tag-details — in-depth metadata for a specific tag.
  • get-tag-activity — activity and trends over time for a tag (ID or slug).
  • analyze-tags-activity — cross-tag activity analysis for correlations/trends.
  • get-trending-vulnerabilities — vulnerabilities actively exploited in the wild.
  • gnql-stats — GNQL statistical queries.
  • get-cve-details — CVE intelligence with observed exploitation.

Prompts included

  1. vendor-threat-report - Generate a comprehensive threat report for a vendor technology
    • Produces a detailed analysis including executive summary, threat actor activity, recent vulnerabilities, attack patterns, mitigation recommendations, and confidence assessment
    • Automatically orchestrates multiple GreyNoise data queries to assemble a complete picture of the threat landscape
    • Parameters: vendor (required), technology (optional), timeframe in days 1-90 (required)
  2. ip-threat-analysis - Generate a detailed analysis of an IP address to determine if it’s malicious and associated threats
    • Performs comprehensive threat analysis using GreyNoise data to classify IPs as malicious, benign, or unknown
    • Includes classification, associated tags and activities, geographic/network information, historical activity timeline, threat severity assessment, and recommended actions
    • Parameters: ip (required), include_related true/false (optional)
  3. cve-analysis - Generate a comprehensive analysis of a CVE including exploitation status and risk assessment
    • Provides detailed vulnerability analysis including current exploitation status, trends, affected systems, attack vectors, geographical distribution, and risk scoring
    • Combines CVE details with real-time exploitation data from GreyNoise observations
    • Parameters: cve_id (required), timeframe in days 1-90 (optional, defaults to 30)
  4. emerging-threat-report - Generate a report on emerging threats based on recent activity and trending data
    • Identifies and analyzes new and trending threats, attack vectors, vulnerability exploitations, and geographical threat distribution
    • Includes predictions of near-future threats and strategic recommendations
    • Parameters: days (optional: 1, 7, or 30, defaults to 7), focus_area (optional, e.g., ‘ransomware’, ‘IoT’, ‘healthcare’)
  5. security-posture-assessment - Generate a security posture assessment for an organization based on technologies and vulnerabilities
    • Provides comprehensive security assessment tailored to an organization’s technology stack and industry
    • Includes vulnerability analysis for key technologies, exposure assessment, attack surface analysis, risk scoring by component, and prioritized security recommendations
    • Parameters: organization (required), technologies as comma-separated list (required), industry (optional)
  6. threat-hunting - Generate a threat hunting plan based on specific indicators or patterns
    • Creates detailed hunting plans for different indicator types including IPs, tags, behaviors, actors, or CVEs
    • Provides detection methods, data sources, search patterns, timeline, evidence collection methods, and response procedures
    • Parameters: indicator_type (required: ‘ip’, ‘tag’, ‘behavior’, ‘actor’, or ‘cve’), indicator_value (required), environment description (required)

Requirements

  • GreyNoise Enterprise API key
  • Claude Desktop (for one-click DXT) or an MCP-capable client (for stdio/HTTP)
  • Network egress to api.greynoise.io

Security notes

  • With DXT, sensitive values (like your API key) are stored via the operating system’s secure keychain.
  • The server runs locally; requests are proxied from the client to GreyNoise through your machine.
  • Rotate credentials in the Claude Desktop Extensions settings or your MCP client config.

Troubleshooting

  • No tools appear after install? Restart Claude Desktop and confirm the extension is enabled in Settings → Extensions.
  • 401/403 errors? Ensure your Enterprise API key is configured and active.
  • HTTP transport errors? Install Express (npm i express) or use the default stdio transport.
  • Large batch checks? multi-ip-check supports up to 100 IPs per call. Break larger sets into chunks.
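
One way to prepare a large indicator list for multi-ip-check before handing it to the agent. This is an added example, not code from the GreyNoise project. It validates each entry, drops duplicates and non-routable addresses (so internal addressing is not sent to an external API), and splits the rest into batches of at most 100. The function names and the IPv4-only handling are assumptions of this example.

```javascript
// Added example, not GreyNoise code. IPv4-only handling is an assumption.
const MAX_BATCH = 100; // per-call limit this page states for multi-ip-check
// Blocks not routable on the public internet; lookups add nothing and expose internal addressing.
const NON_ROUTABLE = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

// Strict dotted-quad parser: unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(part) || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

const isNonRoutable = (ipInt) => NON_ROUTABLE.some(([base, bits]) => {
  const start = ipv4ToInt(base);
  return ipInt >= start && ipInt < start + 2 ** (32 - bits);
});

// Validate, drop non-routable and duplicate entries, then split into batches.
function prepareBatches(rawValues, batchSize = MAX_BATCH) {
  const seen = new Set();
  const batches = [];
  const skipped = [];
  for (const raw of rawValues) {
    const value = String(raw).trim();
    if (value === '') continue;
    const ipInt = ipv4ToInt(value);
    if (ipInt === null) { skipped.push({ value, reason: 'not-ipv4' }); continue; }
    if (isNonRoutable(ipInt)) { skipped.push({ value, reason: 'non-routable' }); continue; }
    if (seen.has(ipInt)) continue; // duplicate of an address already queued
    seen.add(ipInt);
    if (batches.length === 0 || batches.at(-1).length === batchSize) batches.push([]);
    batches.at(-1).push(value);
  }
  return { batches, skipped };
}

// Constructed sample: 250 unique public-looking addresses plus noise entries.
function demo() {
  const generated = Array.from({ length: 248 }, (_, i) => `198.51.100.${i + 1}`);
  return prepareBatches(['203.0.113.55', '8.8.8.8', '8.8.8.8', ' 10.1.2.3 ', 'not-an-ip', '', ...generated]);
}
console.log(demo().batches.map((b) => b.length), demo().skipped);
```

Review the skipped list before discarding it: a malformed entry in an indicator feed is often a parsing problem upstream rather than junk.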

Alternative installs (developers)

Clone and build:

git clone https://github.com/greynoise-labs/greynoise-mcp-server
cd greynoise-mcp-server
npm install && npm run build

Run bundled standalone:

npx @greynoise/greynoise-mcp-server --transport stdio

Development runs:

npm run dev          # watch mode
npm run build:dev    # source maps
npm run build        # distribution bundle

Optional test harness (direct API checks, bypassing MCP):

export GREYNOISE_API_KEY=your-api-key
node test-tools.js              # all endpoints
node test-tools.js quick-check-ip
node test-tools.js gnql-stats
