SANS ISC Threat Intel

live Utility

SANS Internet Storm Center (ISC) MCP.

3 tools

0ms auth

free tier 50 calls/day

Tools

ip_reputation

Look up an IPv4 address in the SANS ISC DShield database — its attack-report history, ASN/owner, abuse contact, and risk. A high report_count means the IP is an active attack source (firewall logs sub

No parameters required.

▶ Try it

Response

port_activity

Get recent attack/probe activity for a TCP/UDP port from SANS ISC — daily counts of report records, distinct target IPs, and distinct source IPs hitting the port. Useful for spotting scanning surges a

No parameters required.

▶ Try it

Response

threat_level

Get the global SANS ISC InfoCon threat level — the internet-wide "weather report" for malicious activity. Returns one of green/yellow/orange/red with a plain-English meaning. An at-a-glance signal of

No parameters required.

▶ Try it

Response

Test with curl

The gateway speaks JSON-RPC 2.0 over HTTP POST. You can test any pack directly from the terminal.

List available tools

bash

curl -X POST https://gateway.pipeworx.io/isc-sans/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Call a tool

bash

curl -X POST https://gateway.pipeworx.io/isc-sans/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"ip_reputation","arguments":{}}}'

Use with the SDK

Install @pipeworx/sdk to call tools from any TypeScript/Node project.

TypeScript

import { Pipeworx } from '@pipeworx/sdk';
const px = new Pipeworx();
const result = await px.call("ip_reputation", {});

ask_pipeworx

// Or ask in plain English:
const answer = await px.ask("sans internet storm center (isc) mcp");

MCP Config

claude_desktop_config.json

{
  "mcpServers": {
    "pipeworx-isc-sans": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://gateway.pipeworx.io/isc-sans/mcp"
      ]
    }
  }
}