Ctscout
FreeNot checkedEnables named-entity attribution from Certificate Transparency logs (OV/EV only) for mapping legal-entity digital footprints and domain discovery via LLM-driven
About
Enables named-entity attribution from Certificate Transparency logs (OV/EV only) for mapping legal-entity digital footprints and domain discovery via LLM-driven workflows.
README
MCP server for ctscout.dev — named-entity attribution from Certificate Transparency logs (OV/EV only), with optional multi-signal corroboration on Pro. For mapping legal-entity digital footprints, sibling-domain discovery, and SAN-cohort analysis from LLM-driven workflows.
DV-only infrastructure (Let's Encrypt, ZeroSSL, cloud-native shops) is invisible to ctscout by design. See LIMITATIONS.md for what that means in practice.
Three tools:
ctscout_search_company— find apex domains attributed to an organization by namectscout_search_company_batch— the same, for up to 10 organization names in one callctscout_lookup_domain— reverse-lookup the organization attributed to one or more domains
All three work over the public ctscout.dev /scan API (the batch tool wraps /scan/batch). Free tier requires an API key (no email, no signup). Pro tier returns a confidence_band per attribution plus the underlying signal evidence (DNS brand tokens, og:site_name match, RDAP, IP/ASN, VLM verdict).
Not a cyber-risk-scoring tool. See LIMITATIONS.md for what ctscout is and isn't, the DV-cert coverage gap, and the corrections path.
Release history: see CHANGELOG.md.
Install
For Claude Code, Claude Desktop, Cursor, or any other MCP client. Two ways to connect: hosted (recommended, no install) or local npm (this package).
1. Get a free API key
Visit ctscout.dev and click "Get a free API key". Solve the Turnstile captcha. Copy the key (you can't recover it later — save it now).
2a. Hosted endpoint (recommended — zero install)
The same tools are hosted at https://ctscout.dev/mcp. Nothing to install — just point your MCP client at the URL with your API key as the X-API-Key header.
Claude Code (CLI):
claude mcp add ctscout \
-s user \
--transport http \
--header "X-API-Key: YOUR_KEY_HERE" \
https://ctscout.dev/mcp
This writes to ~/.claude.json.
Claude Desktop / Cursor / Cline / any HTTP-transport MCP client — edit the client config:
{
"mcpServers": {
"ctscout": {
"type": "http",
"url": "https://ctscout.dev/mcp",
"headers": { "X-API-Key": "YOUR_KEY_HERE" }
}
}
}
Config file locations:
- Claude Desktop:
~/Library/Application Support/Claude/claude_desktop_config.json(Mac),%APPDATA%\Claude\claude_desktop_config.json(Windows). HTTP-transport MCP support requires a recent Desktop build; if your client doesn't recognize"type": "http", use the local npm fallback below. - Cursor:
~/.cursor/mcp.json. If Cursor's HTTP transport doesn't connect, swap theurltohttps://ctscout.dev/sse— the same tools are served over the legacy SSE transport.
After adding, fully quit and restart your MCP client (not just close the window). The tools will appear under "ctscout".
2b. Local npm (fallback — if you can't use the hosted endpoint)
If you're behind a network policy that blocks ctscout.dev, prefer running the published Node binary locally:
claude mcp add ctscout \
-s user \
-e CTSCOUT_API_KEY=YOUR_KEY_HERE \
-- npx -y ctscout-mcp-server
Or in JSON config:
{
"mcpServers": {
"ctscout": {
"command": "npx",
"args": ["-y", "ctscout-mcp-server"],
"env": { "CTSCOUT_API_KEY": "YOUR_KEY_HERE" }
}
}
}
The two paths talk to the same /scan API on the backend — feature-parity is automatic. The hosted endpoint just skips the Node install.
3. Use it
In Claude Code or Claude Desktop, just ask the model:
"Find all domains attributed to Cloudflare"
"Who is gs.com attributed to? What about goldmansachs.com — same parent?"
"Given an OV/EV-cert domain, pivot from its cert subject and surface sibling apex domains attributed to the same legal entity."
"List the domains attributed to The Hartford."
The model will pick the right ctscout tool, call it, and summarize.
Free tier vs Pro tier
| Free | Pro | |
|---|---|---|
| Queries per day | 10 | unlimited |
| Results per query | top 5 | full set |
| Data freshness | weekly snapshot | live (DNS, RDAP, homepage, IP/ASN, VLM) |
| Per-attribution evidence | — | confidence_band + named signals |
| Price | $0 | concierge — email for early access |
The MCP server uses the same API key for both — your tier is determined by the key. If you hit the daily quota, the tool returns a 429 error with an upgrade hint.
Pro is currently concierge-only (manual key mint + invoice) while usage data justifies whether automated commerce is worth building. Email [email protected] if you want a Pro key.
What the Pro response looks like
Free tier returns the legacy (domain, organization, certs, subdomains) table. Pro tier replaces it with a richer attribution table you can defend in a meeting:
| Domain | Attributed to | Band | Signals | Evidence |
|---|---|---|---|---|
| coalition.com | Coalition Inc | ✅ verified | dns_txt_brand_token, og_site_name_match, +1 | verified via google-site-verification, atlassian-domain... |
| imposter.com | Coalition Inc | ⚪ insufficient 🚫VLM-veto | dns_txt_brand_token, vlm_verdict_no | Logo on screenshot is a different brand |
Bands map to confidence intervals (verified ≥ multiple strong independent signals, down to insufficient = no signals or signals disagree). The 🚫VLM-veto tag appears when visual brand verification overrode the positive-signal accumulation. Full structured payload is available via response_format: "json".
What this is, and isn't
ctscout is a digital entity resolution tool — it maps apex domains to organizations attributed in their Certificate Transparency records, optionally corroborated by DNS / RDAP / IP/ASN / favicon / visual brand verification on the Pro tier.
It is NOT a cyber-risk quantification platform. It does not score security posture, predict breaches, or produce risk ratings. See LIMITATIONS.md for the full disclaimer, coverage gaps, and corrections path.
Coverage at a glance
ctscout's warehouse is built from OV/EV certificates only — the ones where the issuing CA validated the org's legal identity. DV-only infrastructure (Let's Encrypt, ZeroSSL, ACME-defaulting cloud hosts) is invisible to the warehouse.
The warehouse is strongest on: established US/EU enterprise, government, financial services, traditional infrastructure, defense, education.
The warehouse is weak on: modern cloud-native shops (most domains entirely behind Cloudflare/Vercel/Netlify), pre-launch / stealth-mode startups, anything that defaults to DV certs.
When ctscout_lookup_domain returns 0 results, the apex isn't in the warehouse — not necessarily that nobody owns it. See LIMITATIONS.md for the full coverage discussion and ~5,976-org / 329K-pair scale stats.
Local development
git clone https://github.com/minghsuy/ctscout-mcp.git
cd ctscout-mcp
npm install
npm run build
# Run the test suite (Vitest, no network)
npm test
# Run the server (will fail without CTSCOUT_API_KEY)
node dist/index.js
# With a real key
CTSCOUT_API_KEY=your_key node dist/index.js
# Inspect with the official MCP inspector (browser UI)
npm run inspect
Test the protocol handshake without a real key
echo '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}},"id":1}' | \
CTSCOUT_API_KEY=fake node dist/index.js
Should respond with the server's capabilities + tool registration. (Tool calls themselves require a real key.)
How it relates to ctscout.dev
This MCP server is a thin client over the public ctscout.dev /scan API. It does no auth-handling magic, no caching, no extra logic — just translates MCP tool calls into HTTP requests and formats the response for an LLM consumer.
If you're building your own integration in Python or another language, you can hit the same /scan endpoint directly. See ctscout.dev for curl examples.
License
MIT. See LICENSE.
The underlying ctscout service uses domain-scout (also MIT) for cert log analysis.
Installing Ctscout
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/minghsuy/ctscout-mcpFAQ
Is Ctscout MCP free?
Yes, Ctscout MCP is free — one-click install via Unyly at no cost.
Does Ctscout need an API key?
No, Ctscout runs without API keys or environment variables.
Is Ctscout hosted or self-hosted?
A hosted option is available: Unyly runs the server in the cloud, no local setup required.
How do I install Ctscout in Claude Desktop, Claude Code or Cursor?
Open Ctscout on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
by modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
by xuzexin-hzCompare Ctscout with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All ai MCPs
