Whisper MCP Usage Guide

A Model Context Protocol (MCP) server that gives AI assistants like Claude comprehensive threat intelligence capabilities. Investigate IP addresses, domains, and infrastructure using natural language.

What is Whisper Security MCP?

Whisper Security MCP connects your AI assistant to professional-grade threat intelligence APIs. Just ask Claude to investigate an IP address, scan a domain, or monitor a website - the MCP handles everything automatically.

Example conversations:

  • "Investigate the suspicious IP 203.0.113.50"
  • "Find all subdomains of company.com"
  • "Is this domain safe? Check example.com"
  • "Set up monitoring for our API endpoint"
  • "Take a screenshot of this phishing site"

Capabilities

Threat Intelligence

  • Investigate IP addresses and domains
  • Get geolocation, WHOIS, DNS, and reputation data
  • ML-based risk scoring with predictions
  • Historical indicator analysis

AI-Powered Investigation

  • Deep threat analysis with LLM integration
  • Threat actor attribution (MITRE ATT&CK)
  • Infrastructure pivoting and expansion
  • Global indicator correlation

Infrastructure Discovery

  • Subdomain enumeration
  • Typosquatting detection
  • SSL certificate analysis
  • Technology stack detection

Monitoring & Operations

  • Website uptime monitoring
  • Screenshot capture and scheduling
  • Change tracking and alerts
  • Async job management

Advanced Queries

  • Graph database queries (Cypher)
  • Bulk indicator processing
  • WHOIS record search

Installation

Claude Desktop

Add to your Claude Desktop configuration:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "whisper-security": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://bison.whisper.security:9042/mcp",
        "--header",
        "Authorization:${WHISPER_API_KEY}"
      ],
      "env": {
        "WHISPER_API_KEY": "Bearer whisper-YOUR_API_KEY"
      }
    }
  }
}

Replace whisper-YOUR_API_KEY with your actual API key from dash.whisper.security.

Restart Claude Desktop after saving the configuration.

Claude Code (CLI)

Claude Code supports MCP servers via configuration. Add to your Claude Code settings:

Global config: ~/.claude/settings.json

Project config: .claude/settings.json in your project root

{
  "mcpServers": {
    "whisper-security": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://bison.whisper.security:9042/mcp",
        "--header",
        "Authorization:Bearer whisper-YOUR_API_KEY"
      ]
    }
  }
}

After configuring, restart Claude Code or run /mcp to reload MCP servers.

Usage in Claude Code:

# Start Claude Code
claude

# Ask about threat intelligence
> Investigate the IP 8.8.8.8
> Find subdomains for example.com
> Is this domain malicious? suspicious-site.com

GitHub Copilot

GitHub Copilot supports MCP servers through VS Code settings. Add to your VS Code settings.json:

Open settings: Cmd+Shift+P (macOS) or Ctrl+Shift+P (Windows/Linux) → "Preferences: Open User Settings (JSON)"

{
  "github.copilot.chat.mcpServers": {
    "whisper-security": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://bison.whisper.security:9042/mcp",
        "--header",
        "Authorization:Bearer whisper-YOUR_API_KEY"
      ]
    }
  }
}

Reload VS Code after saving.

Usage in Copilot Chat:

  • Open Copilot Chat (Cmd+Shift+I or Ctrl+Shift+I)
  • Use @whisper-security to invoke tools or just ask naturally:
    • "Investigate this suspicious IP: 203.0.113.50"
    • "Check if example.com is safe"
    • "Find all subdomains for company.com"

Cursor IDE

Add to your Cursor MCP settings (Settings > MCP Servers):

{
  "mcpServers": {
    "whisper-security": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://bison.whisper.security:9042/mcp",
        "--header",
        "Authorization:${WHISPER_API_KEY}"
      ],
      "env": {
        "WHISPER_API_KEY": "Bearer whisper-YOUR_API_KEY"
      }
    }
  }
}


VS Code with Continue

Add to your Continue configuration (~/.continue/config.json):

{
  "mcpServers": [
    {
      "name": "whisper-security",
      "transport": {
        "type": "stdio",
        "command": "npx",
        "args": [
          "-y",
          "mcp-remote",
          "https://bison.whisper.security:9042/mcp",
          "--header",
          "Authorization:Bearer whisper-YOUR_API_KEY"
        ]
      }
    }
  ]
}


Cline (VS Code Extension)

Add to Cline's MCP settings:

{
  "mcpServers": {
    "whisper-security": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://bison.whisper.security:9042/mcp",
        "--header",
        "Authorization:Bearer whisper-YOUR_API_KEY"
      ]
    }
  }
}

Zed Editor

Add to your Zed settings (~/.config/zed/settings.json):

{
  "language_models": {
    "mcp_servers": {
      "whisper-security": {
        "command": "npx",
        "args": [
          "-y",
          "mcp-remote",
          "https://bison.whisper.security:9042/mcp",
          "--header",
          "Authorization:Bearer whisper-YOUR_API_KEY"
        ]
      }
    }
  }
}

Windsurf

Add to Windsurf's MCP configuration:

{
  "mcpServers": {
    "whisper-security": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://bison.whisper.security:9042/mcp",
        "--header",
        "Authorization:Bearer whisper-YOUR_API_KEY"
      ]
    }
  }
}

Amazon Q Developer

Configure MCP in Amazon Q settings:

{
  "mcpServers": {
    "whisper-security": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://bison.whisper.security:9042/mcp",
        "--header",
        "Authorization:Bearer whisper-YOUR_API_KEY"
      ]
    }
  }
}
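
Every client configuration above keeps the API key in a plaintext file, either inline in args or in the env block, and each one runs mcp-remote through npx -y with no version pin. The following check is an added example, not part of the Whisper documentation: it walks any of those config shapes and reports where a bearer value is stored and whether the npx package is unpinned, which makes it usable as a pre-commit check for a project-level .claude/settings.json. The function names and finding labels are assumptions made for this example.

```python
import json
import re

# A literal bearer credential, and an npm spec with an explicit version ("name@1.2.3").
TOKEN_RE = re.compile(r"Bearer\s+\S+")
PINNED_RE = re.compile(r"(@[^/]+/)?[^@]+@\d[\w.\-]*")

# Constructed samples: two config shapes from this page, placeholder key only.
SAMPLE_DESKTOP = """{"mcpServers": {"whisper-security": {
  "command": "npx",
  "args": ["-y", "mcp-remote", "https://bison.whisper.security:9042/mcp",
           "--header", "Authorization:${WHISPER_API_KEY}"],
  "env": {"WHISPER_API_KEY": "Bearer whisper-YOUR_API_KEY"}}}}"""
SAMPLE_CONTINUE = """{"mcpServers": [{"name": "whisper-security", "transport": {
  "type": "stdio", "command": "npx",
  "args": ["-y", "mcp-remote", "https://bison.whisper.security:9042/mcp",
           "--header", "Authorization:Bearer whisper-YOUR_API_KEY"]}}]}"""

def iter_servers(node, path=""):
    """Yield (json_path, obj) for every object carrying "command" and "args"."""
    if isinstance(node, dict):
        if "command" in node and isinstance(node.get("args"), list):
            yield path, node
        for key, value in node.items():
            yield from iter_servers(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_servers(value, f"{path}/{index}")

def audit_mcp_config(text):
    """Return sorted (json_path, finding) pairs for one MCP client config."""
    findings = set()
    for path, server in iter_servers(json.loads(text)):
        args = [a for a in server["args"] if isinstance(a, str)]
        env = server.get("env") or {}
        if any(TOKEN_RE.search(a) for a in args):
            findings.add((path, "token-in-args"))
        if any(isinstance(v, str) and TOKEN_RE.search(v) for v in env.values()):
            findings.add((path, "token-in-env"))
        # Heuristic: the first non-flag argument is the package npx fetches and runs.
        package = next((a for a in args if not a.startswith("-")), None)
        if server["command"] == "npx" and package and not PINNED_RE.fullmatch(package):
            findings.add((path, "unpinned-npx-package"))
    return sorted(findings)

if __name__ == "__main__":
    for text in (SAMPLE_DESKTOP, SAMPLE_CONTINUE):
        print(audit_mcp_config(text))
```

A finding of token-in-args or token-in-env on a file inside a repository means the key would be committed with it; unpinned-npx-package means the client runs whatever version the registry serves at launch.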

Generic MCP Client (HTTP)

For any MCP-compatible client supporting HTTP transport:

Endpoint: https://bison.whisper.security:9042/mcp
Protocol: Streamable HTTP
Authentication: Bearer token in Authorization header


HTTP Request Example:

curl -X POST https://bison.whisper.security:9042/mcp \
  -H "Authorization: Bearer whisper-YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/list"
  }'

OpenAI (ChatGPT)

OpenAI doesn't natively support MCP. However, you can use Whisper Security's threat intelligence with OpenAI through:

Option 1: Direct REST API Integration

Use OpenAI's function calling with direct Whisper API calls:

import openai
import requests

# Define Whisper tools as OpenAI functions
tools = [{
    "type": "function",
    "function": {
        "name": "investigate_ip",
        "description": "Get threat intelligence for an IP address",
        "parameters": {
            "type": "object",
            "properties": {
                "ip": {"type": "string", "description": "IP address to investigate"}
            },
            "required": ["ip"]
        }
    }
}]

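def call_whisper_api(ip):
    # Send the IP to the Whisper enrichment endpoint and return the parsed JSON
    response = requests.post(
        "https://api.whisper.security/v1/enrich/ip",
        headers={"Authorization": "Bearer whisper-YOUR_API_KEY"},
        json={"indicator": ip},
        timeout=30,  # requests has no default timeout
    )
    response.raise_for_status()  # do not pass an error body to the model as intel
    return response.json()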

# Use with OpenAI
response = openai.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": "Investigate 8.8.8.8"}],
    tools=tools
)

# Handle function calls and return results to OpenAI


Option 2: LangChain Integration

from langchain_openai import ChatOpenAI
from langchain.tools import Tool
import requests

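def whisper_investigate(indicator: str) -> str:
    # Send the indicator to the Whisper enrichment endpoint and return the raw body
    response = requests.post(
        "https://api.whisper.security/v1/enrich",
        headers={"Authorization": "Bearer whisper-YOUR_API_KEY"},
        json={"indicator": indicator, "type": "auto"},
        timeout=30,  # requests has no default timeout
    )
    response.raise_for_status()  # do not pass an error body to the agent as intel
    return response.text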

whisper_tool = Tool(
    name="whisper_investigate",
    func=whisper_investigate,
    description="Investigate IPs and domains for threat intelligence"
)

llm = ChatOpenAI(model="gpt-4")
# Use with LangChain agents

Google Gemini

Google Gemini doesn't natively support MCP. You can integrate Whisper Security through:

Option 1: Vertex AI Function Calling

import vertexai
from vertexai.generative_models import GenerativeModel, Tool, FunctionDeclaration
import requests

# Define Whisper functions
investigate_func = FunctionDeclaration(
    name="investigate_indicator",
    description="Get threat intelligence for an IP or domain",
    parameters={
        "type": "object",
        "properties": {
            "indicator": {"type": "string", "description": "IP or domain to investigate"},
            "type": {"type": "string", "enum": ["ip", "domain"]}
        },
        "required": ["indicator", "type"]
    }
)

whisper_tools = Tool(function_declarations=[investigate_func])

model = GenerativeModel("gemini-pro", tools=[whisper_tools])

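def handle_whisper_call(indicator, indicator_type):
    # Send the indicator to the Whisper enrichment endpoint and return the parsed JSON
    response = requests.post(
        "https://api.whisper.security/v1/enrich",
        headers={"Authorization": "Bearer whisper-YOUR_API_KEY"},
        json={"indicator": indicator, "type": indicator_type},
        timeout=30,  # requests has no default timeout
    )
    response.raise_for_status()  # do not pass an error body to the model as intel
    return response.json()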

# Use in conversation with function calling
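
The OpenAI Option 1 and Vertex AI Option 1 snippets both stop where the model's function call has to be handled, and the name and arguments arriving at that point are model output, not trusted input. The following validator is an added example, not Whisper's or either vendor's code: it checks a call against the two tool declarations shown above before anything is sent to the API. The names TOOL_ARGS, classify_indicator and validate_tool_call are assumptions made for this example.

```python
import ipaddress
import json
import re

# Tool names and argument keys exactly as declared in the two snippets above.
TOOL_ARGS = {"investigate_ip": {"ip"}, "investigate_indicator": {"indicator", "type"}}
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def classify_indicator(value):
    """Return "ip" or "domain" for a well-formed public indicator, else raise."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        raise ValueError("indicator must be a non-empty string of at most 253 chars")
    try:
        address = ipaddress.ip_address(value)
    except ValueError:
        labels = value.rstrip(".").split(".")
        if (len(labels) < 2 or labels[-1].isdigit()
                or not all(LABEL_RE.fullmatch(label) for label in labels)):
            raise ValueError(f"not an IP address or hostname: {value!r}") from None
        return "domain"
    if not address.is_global:
        # Private and reserved ranges have no public intel; keep them in-house.
        raise ValueError(f"refusing to send non-public address {value}")
    return "ip"

def validate_tool_call(name, arguments):
    """Validate one model-issued call; return (indicator, kind) or raise ValueError."""
    if name not in TOOL_ARGS:
        raise ValueError(f"unknown tool {name!r}")
    # OpenAI delivers arguments as a JSON string, Vertex AI as a mapping.
    args = json.loads(arguments) if isinstance(arguments, str) else dict(arguments)
    if set(args) != TOOL_ARGS[name]:
        raise ValueError(f"unexpected arguments for {name}: {sorted(args)}")
    value = args["ip"] if name == "investigate_ip" else args["indicator"]
    kind = classify_indicator(value)
    declared = "ip" if name == "investigate_ip" else args["type"]
    if declared != kind:
        raise ValueError(f"{value!r} is a {kind}, not a {declared}")
    return value, kind

if __name__ == "__main__":
    # Constructed tool calls, as a model might emit them.
    for call in (("investigate_ip", '{"ip": "8.8.8.8"}'),
                 ("investigate_ip", '{"ip": "10.0.0.5"}')):
        try:
            print(validate_tool_call(*call))
        except ValueError as err:
            print("rejected:", err)
```

Python's is_global is also false for documentation ranges such as 203.0.113.0/24, so the sample address 203.0.113.50 used elsewhere on this page is rejected by this check.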

Option 2: Google AI Studio with REST API

For simpler integrations, call the Whisper REST API directly and include results in your Gemini prompts:

import google.generativeai as genai
import requests

genai.configure(api_key="YOUR_GEMINI_API_KEY")

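def get_threat_intel(indicator):
    # Send the indicator to the Whisper enrichment endpoint and return the parsed JSON
    response = requests.post(
        "https://api.whisper.security/v1/enrich",
        headers={"Authorization": "Bearer whisper-YOUR_API_KEY"},
        json={"indicator": indicator, "type": "auto"},
        timeout=30,  # requests has no default timeout
    )
    response.raise_for_status()  # do not put an error body into the prompt as intel
    return response.json()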

# Get threat data
intel = get_threat_intel("suspicious-domain.com")

# Include in Gemini prompt
model = genai.GenerativeModel("gemini-pro")
response = model.generate_content(
    f"Analyze this threat intelligence and provide recommendations: {intel}"
)

Available Tools

Enrichment Tools

  • whisper_enrich_indicator: Get comprehensive threat intelligence for an IP or domain
  • whisper_get_predictive_risk: ML-based risk assessment with 7-day and 30-day predictions
  • whisper_get_indicator_history: Historical changes for an indicator
  • whisper_get_subdomains: Subdomain enumeration via passive DNS
  • whisper_find_similar_domains: Typosquatting and lookalike domain detection
  • whisper_search_whois: Search WHOIS records by registrant, email, org
  • whisper_bulk_enrich: Batch process up to 100 indicators

Location Tools

  • whisper_geolocate_ip: Fast IP geolocation with ASN (<150ms)
  • whisper_geolocate_network: Network/CIDR geolocation
  • whisper_bulk_geolocate: Bulk geolocate up to 1000 IPs

AI Investigation Tools

  • whisper_investigate_threat: Deep AI-powered threat investigation
  • whisper_correlate_indicators: Global indicator correlation
  • whisper_attribute_threat: Threat actor attribution with MITRE ATT&CK
  • whisper_pivot_infrastructure: Infrastructure pivoting and expansion
  • whisper_find_similar_cases: Historical case matching
  • whisper_get_industry_benchmarks: Security benchmark comparison

Scanning Tools

  • whisper_scan_infrastructure: Security scanning (SSL, DNS, vulnerabilities)
  • whisper_map_infrastructure: Infrastructure topology mapping

Monitoring Tools

  • whisper_create_monitor: Create uptime/SSL/DNS monitoring check
  • whisper_list_monitors: List all monitors
  • whisper_get_monitor: Get monitor details
  • whisper_delete_monitor: Delete a monitor
  • whisper_get_monitoring_dashboard: Dashboard overview

Screenshot Tools

  • whisper_capture_screenshot: Capture website screenshot
  • whisper_schedule_screenshots: Schedule recurring screenshots
  • whisper_get_screenshot_history: Get screenshot history

Change Tracking Tools

  • whisper_track_indicator: Start tracking changes to an indicator
  • whisper_get_indicator_changes: Get detected changes
  • whisper_trigger_change_check: Force immediate check
  • whisper_stop_tracking: Stop tracking an indicator

Job Management Tools

  • whisper_get_job_status: Poll job status and results
  • whisper_list_jobs: List recent jobs

Graph Query Tools

  • whisper_query_graph: Execute Cypher queries against threat intelligence graph

Usage Examples

Investigating an IP Address

You: Investigate the IP address 203.0.113.50

Claude: I'll investigate this IP address for you.

[Uses whisper_enrich_indicator]

Here's what I found about 203.0.113.50:

Location: Moscow, Russia
Network: AS12345 (Example ISP)
Risk Score: 78/100 (HIGH)

Findings:

  • Listed on 3 blocklists (Spamhaus, AbuseIPDB, Emerging Threats)
  • Associated with 5 suspicious domains
  • First seen: 2023-06-15
  • Recent activity: Command & control traffic

Recommendation: Block this IP and investigate any connections to your network.

Domain Infrastructure Analysis

You: Map the infrastructure for example.com and find any lookalike domains

Claude: I'll analyze the infrastructure and check for lookalike domains.

[Uses whisper_scan_infrastructure, whisper_get_subdomains, whisper_find_similar_domains]

Infrastructure Analysis for example.com:

Subdomains Discovered (12):

  • api.example.com (192.168.1.1)
  • mail.example.com (192.168.1.2)
  • cdn.example.com (CloudFront)
  • staging.example.com
  • ...

SSL Certificate:

  • Valid until: 2025-06-15
  • Issuer: Let's Encrypt

Lookalike Domains Detected (3):

  • examp1e.com (registered 2024-01-10) - HIGH RISK
  • exampl3.com (registered 2024-02-15) - MEDIUM RISK
  • example-login.com (registered 2024-03-01) - HIGH RISK

Setting Up Monitoring

You: Set up monitoring for our production API at api.company.com

Claude: I'll create monitoring for your API endpoint.

[Uses whisper_create_monitor]

Monitor Created Successfully

  • Name: Production API
  • URL: https://api.company.com/health
  • Type: HTTP endpoint monitoring
  • Check Interval: Every 5 minutes
  • Alerts when:
    • Status code is not 200
    • Response time exceeds 1000ms

You'll receive alerts if the API becomes unavailable or slow.

Threat Investigation

You: I found this suspicious domain in our logs: malware-c2.example.com. Can you investigate?

Claude: I'll perform a comprehensive threat investigation.

[Uses whisper_investigate_threat with depth="comprehensive"]

Threat Investigation Report

Verdict: MALICIOUS (Confidence: 94%)

Timeline:

  • 2024-01-15: Domain registered (privacy protected)
  • 2024-01-16: First DNS resolution
  • 2024-01-18: First appearance in threat feeds
  • 2024-02-01: Associated with Emotet campaign

Infrastructure:

  • Hosted on bulletproof hosting (AS12345)
  • 3 related domains identified
  • Uses fast-flux DNS

MITRE ATT&CK TTPs:

  • T1071.001: Application Layer Protocol (Web)
  • T1573: Encrypted Channel
  • T1105: Ingress Tool Transfer

Recommendations:

  1. Block domain at DNS and firewall
  2. Search logs for any connections
  3. Check for indicators of compromise
  4. Consider incident response procedures

Capturing Evidence

You: Take a screenshot of this phishing site: https://suspicious-login.example.com

Claude: I'll capture a screenshot for documentation.

[Uses whisper_capture_screenshot]

Screenshot Captured

The screenshot has been saved and timestamped for evidence.