UPinar/contrastapi

ContrastAPI — 29 Security Tools for AI Agents

Security intelligence API and MCP server for AI agents. Domain audit, CVE lookup with EPSS+KEV, IP threat reports, IOC enrichment, tech fingerprinting, and 23 more. Free, no API key, 100 credits/hour.

English | 中文 · Live: api.contrastcyber.com


30-Second Setup

Pick your integration:

Option 1: MCP (Claude Desktop / Cursor / VS Code / Windsurf / OpenClaw)

Add to your MCP config:

{
  "mcpServers": {
    "contrastapi": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://api.contrastcyber.com/mcp/"]
    }
  }
}

Restart your agent. Done. Full setup guide: api.contrastcyber.com/mcp-setup

Option 2: Node.js SDK

npm install contrastapi

const api = require("contrastapi")();

// CommonJS has no top-level await, so the calls run inside an async function.
(async () => {
  const audit = await api.domain.audit("example.com");        // full audit
  const cve   = await api.cve.lookup("CVE-2024-3094");        // EPSS + KEV
  const ip    = await api.ip.threatReport("8.8.8.8");         // Shodan + AbuseIPDB + ASN
  const bulk  = await api.cve.bulk(["CVE-2021-44228", "CVE-2024-3094"]);
})();

Zero dependencies, Node 14+. Full SDK docs: sdk/node/

Option 3: cURL

curl https://api.contrastcyber.com/v1/cve/CVE-2024-3094
curl https://api.contrastcyber.com/v1/audit/example.com
curl https://api.contrastcyber.com/v1/threat-report/8.8.8.8

More examples: API Quick Start (cURL, Node.js, Python, CI/CD)

Option 4: VS Code Extension

Install ContrastAPI — Security Intelligence from the Marketplace. 29 commands, sidebar tree, right-click context menu. No API key required.


Try It Now

After setup, ask your AI agent:

  • "Is CVE-2024-3094 being exploited in the wild? Check EPSS + KEV."
  • "Show me CVEs indexed before NVD — what's leading right now?"
  • "Audit example.com, then look up CVEs for every technology detected"

More example prompts: docs/PROMPTS.md · /playground (interactive tester)


What's Inside

  • 30 MCP tools across 6 categories — full list: docs/ENDPOINTS.md
  • 340K+ CVEs from NVD + MITRE cvelistV5 + GitHub Security Advisories, enriched with EPSS + CISA KEV. cve_lookup exposes sources, first_seen_source, first_seen_at — agents detect CVEs indexed before NVD publishes. cve_search supports kev, epss_min, sort, and offset pagination — agents can filter to actively exploited CVEs, sort by exploit probability, and page through large result sets.
  • Weighted credits — 1 for simple calls, 4 for heavy orchestration (audit, threat report), N for bulk lookups
  • LLM-optimized summaries — every response includes a summary field so agents reason without parsing nested JSON
  • Distribution: npm SDK · VS Code Extension · Smithery MCP (96/100 quality) · REST API

Why ContrastAPI?

  • One call, full picture: audit returns report + tech fingerprint + live headers in a single response
  • Machine-readable — structured JSON, LLM-optimized summaries, OpenAPI spec, MCP-first
  • Free forever — 100 credits/hour, no API key, no signup, no credit card

Self-Hosting
git clone https://github.com/UPinar/contrastapi.git
cd contrastapi
python3 -m venv venv
venv/bin/pip install -r requirements.txt
cd app
../venv/bin/uvicorn main:app --host 127.0.0.1 --port 8002

Requires Python 3.12. SQLite databases auto-initialize on first run. See docs/ENDPOINTS.md for the full endpoint reference.

Tests
cd app && PYTHONPATH=. python -m pytest tests/ -v

893 tests, 36/36 smoke-test coverage on every 15-minute cron. Covers auth, rate limiting, validation, database ops, domain intelligence, CVE intelligence, threat intelligence, code security (ReDoS protection, concurrency limits), tech fingerprinting, IP reputation, email security, phone validation, web archive, MCP endpoint, bulk endpoints, weighted credit system, and API routes.

Stack & Architecture
  • Runtime: Python 3.12, FastAPI, uvicorn (2 workers)
  • MCP: Official mcp-python-sdk with Streamable HTTP transport, mounted as sub-app at /mcp
  • Domain audit: 8+ parallel checks (SSL, DNS, WHOIS, SPF/DMARC/DKIM, CT logs, tech fingerprint, security headers) via ThreadPoolExecutor, with 1-hour SQLite caching for warm-path responses
  • Database: SQLite with WAL mode (3 databases: API rate-limit, CVE cache, domain cache)
  • DNS: dnspython with _SSRFSafeBackend (custom httpcore backend that validates all resolved IPs before connecting — catches DNS rebinding)
  • HTTP: httpx
  • Rate limiting: SQLite sliding window, shared across workers via WAL mode
  • Weighted credits: Atomic BEGIN IMMEDIATE consumption — either the whole N-credit batch fits or the request is rejected
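
The rate-limiting and weighted-credits bullets above describe an all-or-nothing spend inside BEGIN IMMEDIATE. This is an added example of that pattern, not the project's code; the usage table, the client key and the function names are assumptions, while the 100 credits per hour limit is the page's.

```python
import sqlite3
import time

WINDOW_SECONDS = 3600  # page: credits are counted per hour
LIMIT = 100            # page: 100 credits/hour

def open_db(path=":memory:"):
    # isolation_level=None puts sqlite3 in autocommit mode, so BEGIN/COMMIT are ours.
    db = sqlite3.connect(path, isolation_level=None, timeout=5.0)
    db.execute("PRAGMA journal_mode=WAL")  # ignored for :memory:, matters for a shared file
    # Assumed schema: one row per accepted request.
    db.execute("CREATE TABLE IF NOT EXISTS usage (client TEXT, ts REAL, cost INTEGER)")
    db.execute("CREATE INDEX IF NOT EXISTS usage_client_ts ON usage (client, ts)")
    return db

def consume(db, client, cost, now=None):
    """Spend `cost` credits or none at all. Returns credits left, or None if rejected."""
    now = time.time() if now is None else now
    # BEGIN IMMEDIATE takes the write lock before the balance is read, so two
    # workers cannot both read the same balance and both spend against it.
    db.execute("BEGIN IMMEDIATE")
    try:
        db.execute("DELETE FROM usage WHERE client = ? AND ts <= ?",
                   (client, now - WINDOW_SECONDS))
        (used,) = db.execute("SELECT COALESCE(SUM(cost), 0) FROM usage WHERE client = ?",
                             (client,)).fetchone()
        if used + cost > LIMIT:
            db.execute("ROLLBACK")  # the whole batch does not fit: consume nothing
            return None
        db.execute("INSERT INTO usage VALUES (?, ?, ?)", (client, now, cost))
        db.execute("COMMIT")
        return LIMIT - used - cost
    except Exception:
        if db.in_transaction:
            db.execute("ROLLBACK")
        raise
```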

Multi-Agent Usage

ContrastAPI responses include a verdict metadata block on key endpoints (cve_lookup, domain_report, ip_lookup, threat_intel, ioc_lookup):

{
  "verdict": {
    "deterministic": true,
    "falsifiable_fields": ["cve_id", "severity", "cvss_v3", "published", "references"],
    "data_age_seconds": 1834,
    "sources_queried": ["mitre_cache", "nvd_cache"],
    "sources_unavailable": [],
    "completeness": "complete"
  },
  "sources": ["mitre", "nvd"],
  "first_seen_source": "mitre",
  "first_seen_at": "2024-06-01T03:22:00Z"
}

This lets an orchestrator run Agent A (calling ContrastAPI) and Agent B (independently verifying a subset of falsifiable_fields against the upstream authority — NVD, RDAP, CT logs, URLhaus). deterministic: true means the same query will return the same answer; data_age_seconds is the distance from the latest upstream sync (or 0 for live fetches).

sources_queried lists upstream providers consulted for this response; sources_unavailable lists any that failed (timeout, parse error, rate-limit, upstream 5xx). completeness is "partial" whenever sources_unavailable is non-empty — agents should treat partial responses as best-effort and re-query later.

sources lists which upstream feeds have indexed this CVE (ordered by first observation). first_seen_source and first_seen_at reveal which feed saw it earliest — during 0-day bursts, MITRE and GHSA typically lead NVD by hours to weeks. completeness: "minimal" means only MITRE/GHSA have the CVE so far (no severity/CVSS from NVD yet).

Probe GET /v1/capabilities — responses with "verdict_metadata": true support this pattern across the endpoints listed above.
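
How an orchestrator might act on the verdict block, as an added example that is not part of ContrastAPI or its SDK. The function name, the action labels and the max_age_seconds policy are assumptions; the field names and the two consistency rules come from the text above.

```python
# Sample taken from the verdict example on this page.
SAMPLE = {
    "verdict": {
        "deterministic": True,
        "falsifiable_fields": ["cve_id", "severity", "cvss_v3", "published", "references"],
        "data_age_seconds": 1834,
        "sources_queried": ["mitre_cache", "nvd_cache"],
        "sources_unavailable": [],
        "completeness": "complete",
    },
    "sources": ["mitre", "nvd"],
    "first_seen_source": "mitre",
    "first_seen_at": "2024-06-01T03:22:00Z",
}

def plan_verification(resp, max_age_seconds=86400):
    """Map a verdict block to an orchestrator decision for Agent B."""
    v = resp.get("verdict")
    if not isinstance(v, dict):
        return {"action": "unverifiable", "verify": [], "issues": ["no verdict block"]}
    issues = []
    unavailable = v.get("sources_unavailable") or []
    completeness = v.get("completeness")
    # Documented rule: non-empty sources_unavailable implies "partial".
    if unavailable and completeness != "partial":
        issues.append("sources_unavailable set but completeness is not partial")
    # Documented rule: sources is ordered by first observation.
    sources = resp.get("sources") or []
    first = resp.get("first_seen_source")
    if first is not None and sources[:1] != [first]:
        issues.append("first_seen_source is not sources[0]")
    verify = list(v.get("falsifiable_fields") or [])
    if completeness == "minimal":
        # No NVD record yet, so there is no severity/CVSS to compare against.
        verify = [f for f in verify if f not in ("severity", "cvss_v3")]
    if issues:
        action = "inconsistent"       # do not act on a self-contradicting response
    elif completeness == "partial":
        action = "requery_later"      # best-effort data, an upstream source failed
    elif v.get("data_age_seconds", 0) > max_age_seconds:
        action = "requery_later"      # assumption: the staleness threshold is ours
    elif not v.get("deterministic"):
        action = "accept_unverified"  # a second query may legitimately differ
    else:
        action = "verify"             # hand the `verify` fields to Agent B
    return {"action": action, "verify": verify, "issues": issues}
```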

License

MIT

About

Security intelligence API and MCP server for AI agents. 30 tools, 40+ endpoints: CVE/EPSS/KEV, domain recon + audit, IP threat reports, SSL, bulk lookups, threat intel, email security, code scanning.
