GreyNoise MCP Server

Integrate GreyNoise threat intelligence directly into your AI workflow. The GreyNoise MCP Server exposes tools for IP reputation, RIOT/business-service checks, tag and vulnerability intelligence, GNQL stats, and more—so your agent can answer “is this noise or targeted?”, enrich investigations, and summarize activity without leaving your environment.

One-click install (Claude Desktop)

Requires a GreyNoise Enterprise API key.

Download: GreyNoise MCP Server (.dxt)

Double-click the file. Claude Desktop will open an install panel, prompt for your GreyNoise API key, and finish setup.

  • Built with Anthropic’s Desktop Extensions (DXT) format
  • Runs locally with a bundled runtime
  • Updates automatically when a new version is published

Tip: After installation, open Claude Desktop → Settings → Extensions to confirm it’s enabled. You can edit or rotate your API key there at any time.


Why this matters

  • Fast enrichment: ask for IP context, RIOT/business service status, or tag activity on the fly.
  • Less swivel-chair: bring GreyNoise into chat, coding, and analysis sessions.
  • Local execution: the MCP server runs on your machine; secrets are stored via the OS keychain (through DXT).

Quick start

A. Claude Desktop

  1. Install the .dxt from the link above.
  2. When prompted, paste your GREYNOISE_API_KEY (Enterprise).
  3. In any chat, ask things like:
    • “What does GreyNoise know about 203.0.113.55?”
    • “Is 8.8.8.8 noise or a common business service?”
    • “Show trending exploitation and notable tags this week.”
    • “Summarize activity for tag scanner over the last 30 days.”

B. Other MCP clients (stdio)

Prefer a manual setup in an IDE that supports MCP (VS Code, Cursor, Windsurf, etc.)?

{
  "mcpServers": {
    "greynoise": {
      "command": "npx",
      "args": ["@greynoise/greynoise-mcp-server"],
      "env": {
        "GREYNOISE_API_KEY": "your-greynoise-api-key"
      }
    }
  }
}

  • Run: npx @greynoise/greynoise-mcp-server --help
  • Default transport is stdio.
  • HTTP transport is available if you install Express (npm i express) and run: node @greynoise/greynoise-mcp-server --transport http

Capabilities and tools

The server exposes a focused set of tools for investigation and reporting:

  1. lookup-ip-context — detailed IP context from GreyNoise.
  2. quick-check-ip — lightweight “noise vs. business service” check (v2/noise/quick/{ip}).
  3. multi-ip-check — batch quick checks for up to 100 IPs (v2/noise/multi/quick via POST).
  4. riot-lookup — business service lookup with rich metadata (v2/riot/{ip}).
  5. get-tag-list — enumerate all GreyNoise tags with metadata.
  6. search-tags — find tags by query.
  7. get-tag-details — in-depth metadata for a specific tag.
  8. get-tag-activity — activity and trends over time for a tag (ID or slug).
  9. analyze-tags-activity — cross-tag activity analysis for correlations/trends.
  10. get-trending-vulnerabilities — vulnerabilities actively exploited in the wild.
  11. gnql-stats — GNQL statistical queries.
  12. get-cve-details — CVE intelligence with observed exploitation.

Prompts included

  1. vendor-threat-report - Generate a comprehensive threat report for a vendor technology
    • Produces a detailed analysis including executive summary, threat actor activity, recent vulnerabilities, attack patterns, mitigation recommendations, and confidence assessment
    • Automatically orchestrates multiple GreyNoise data queries to assemble a complete picture of the threat landscape
    • Parameters: vendor (required), technology (optional), timeframe in days 1-90 (required)
  2. ip-threat-analysis - Generate a detailed analysis of an IP address to determine if it’s malicious and associated threats
    • Performs comprehensive threat analysis using GreyNoise data to classify IPs as malicious, benign, or unknown
    • Includes classification, associated tags and activities, geographic/network information, historical activity timeline, threat severity assessment, and recommended actions
    • Parameters: ip (required), include_related true/false (optional)
  3. cve-analysis - Generate a comprehensive analysis of a CVE including exploitation status and risk assessment
    • Provides detailed vulnerability analysis including current exploitation status, trends, affected systems, attack vectors, geographical distribution, and risk scoring
    • Combines CVE details with real-time exploitation data from GreyNoise observations
    • Parameters: cve_id (required), timeframe in days 1-90 (optional, defaults to 30)
  4. emerging-threat-report - Generate a report on emerging threats based on recent activity and trending data
    • Identifies and analyzes new and trending threats, attack vectors, vulnerability exploitations, and geographical threat distribution
    • Includes predictions of near-future threats and strategic recommendations
    • Parameters: days (optional: 1, 7, or 30, defaults to 7), focus_area (optional, e.g., ‘ransomware’, ‘IoT’, ‘healthcare’)
  5. security-posture-assessment - Generate a security posture assessment for an organization based on technologies and vulnerabilities
    • Provides comprehensive security assessment tailored to an organization’s technology stack and industry
    • Includes vulnerability analysis for key technologies, exposure assessment, attack surface analysis, risk scoring by component, and prioritized security recommendations
    • Parameters: organization (required), technologies as comma-separated list (required), industry (optional)
  6. threat-hunting - Generate a threat hunting plan based on specific indicators or patterns
    • Creates detailed hunting plans for different indicator types including IPs, tags, behaviors, actors, or CVEs
    • Provides detection methods, data sources, search patterns, timeline, evidence collection methods, and response procedures
    • Parameters: indicator_type (required: ‘ip’, ‘tag’, ‘behavior’, ‘actor’, or ‘cve’), indicator_value (required), environment description (required)

Requirements

  • GreyNoise Enterprise API key
  • Claude Desktop (for one-click DXT) or an MCP-capable client (for stdio/HTTP)
  • Network egress to api.greynoise.io

Security notes

  • With DXT, sensitive values (like your API key) are stored via the operating system’s secure keychain.
  • The server runs locally; requests are proxied from the client to GreyNoise through your machine.
  • Rotate credentials in the Claude Desktop Extensions settings or your MCP client config.
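
With the manual setup under Quick start B, the key sits in the client's JSON config rather than the OS keychain. The check below is an added example, not code from the GreyNoise project: it audits a parsed "mcpServers" config for literal secrets, loose file permissions and the HTTP transport flag. The function name, the finding format, the treatment of ${...} values as references and the sample config are assumptions of this example.

```javascript
// Environment variable names that suggest a credential.
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)/i;
// Assumption: a value written as ${...} is a reference the client resolves, not a literal.
const REFERENCE = /^\$\{[^}]+\}$/;

// config: parsed client JSON. fileMode: fs.statSync(path).mode (POSIX; on Windows review ACLs).
function auditMcpConfig(config, fileMode) {
  const findings = [];
  if ((fileMode & 0o077) !== 0) {
    const mode = (fileMode & 0o777).toString(8);
    findings.push({ server: null, issue: "config readable by group/other", detail: mode });
  }
  for (const [name, server] of Object.entries(config.mcpServers ?? {})) {
    for (const [key, value] of Object.entries(server.env ?? {})) {
      if (!SECRET_NAME.test(key) || typeof value !== "string" || value === "") continue;
      if (REFERENCE.test(value)) continue;
      // Report the variable name only; never echo the secret itself.
      findings.push({ server: name, issue: "literal secret in env", detail: key });
    }
    const args = server.args ?? [];
    const t = args.indexOf("--transport");
    if (t !== -1 && args[t + 1] === "http") {
      findings.push({ server: name, issue: "HTTP transport selected", detail: "confirm who can reach the listener" });
    }
  }
  return findings;
}

// Constructed sample config; the key value is a made-up placeholder, not a credential.
const sampleConfig = {
  mcpServers: {
    greynoise: {
      command: "npx",
      args: ["@greynoise/greynoise-mcp-server"],
      env: { GREYNOISE_API_KEY: "EXAMPLE-NOT-A-REAL-KEY" },
    },
    "greynoise-http": {
      command: "npx",
      args: ["@greynoise/greynoise-mcp-server", "--transport", "http"],
      env: { GREYNOISE_API_KEY: "${env:GREYNOISE_API_KEY}" },
    },
  },
};
console.log(auditMcpConfig(sampleConfig, 0o100644));
```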

Troubleshooting

  • No tools appear after install? Restart Claude Desktop and confirm the extension is enabled in Settings → Extensions.
  • 401/403 errors? Ensure your Enterprise API key is configured and active.
  • HTTP transport errors? Install Express (npm i express) or use the default stdio transport.
  • Large batch checks? multi-ip-check supports up to 100 IPs per call. Break larger sets into chunks.
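
An added example for the batch limit above (not code from the GreyNoise project): it validates, de-duplicates and splits a candidate list into groups of at most 100 before any multi-ip-check call is made. Restricting input to IPv4 and skipping private or reserved ranges are assumptions of this example; planQuickCheckBatches and the sample data are hypothetical.

```javascript
const MAX_IPS_PER_CALL = 100; // per-call limit this page states for multi-ip-check

// Assumption of this example: private, loopback, link-local, CGNAT and
// "this network" ranges are not worth a lookup, so they are set aside.
const NON_ROUTABLE_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Strict dotted quad: four octets 0-255, no leading zeros, nothing else.
const OCTET = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
const IPV4 = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);

const toInt = (ip) => ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);

function isNonRoutable(ip) {
  const value = toInt(ip);
  return NON_ROUTABLE_V4.some(([base, bits]) => {
    const start = toInt(base);
    return value >= start && value < start + 2 ** (32 - bits);
  });
}

// Returns { batches, skipped }: batches hold unique IPv4 strings, each at most `limit` long.
function planQuickCheckBatches(candidates, limit = MAX_IPS_PER_CALL) {
  const seen = new Set();
  const skipped = [];
  const accepted = [];
  for (const raw of candidates) {
    const ip = String(raw).trim();
    if (!IPV4.test(ip)) skipped.push({ value: ip, reason: "not an IPv4 address" });
    else if (isNonRoutable(ip)) skipped.push({ value: ip, reason: "non-routable" });
    else if (!seen.has(ip)) { seen.add(ip); accepted.push(ip); }
  }
  const batches = [];
  for (let i = 0; i < accepted.length; i += limit) {
    batches.push(accepted.slice(i, i + limit));
  }
  return { batches, skipped };
}

// Constructed sample: 250 documentation-range addresses plus the clutter a log export carries.
const sample = Array.from({ length: 250 }, (_, i) => `203.0.113.${i}`)
  .concat(["203.0.113.7", " 8.8.8.8 ", "10.1.2.3", "192.168.0.10", "not-an-ip", "300.1.1.1"]);
const plan = planQuickCheckBatches(sample);
console.log(plan.batches.map((b) => b.length), plan.skipped);
```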

Alternative installs (developers)

Clone and build:

git clone https://github.com/greynoise-labs/greynoise-mcp-server
cd greynoise-mcp-server
npm install && npm run build

Run bundled standalone:

npx @greynoise/greynoise-mcp-server --transport stdio

Development runs:

npm run dev          # watch mode
npm run build:dev    # source maps
npm run build        # distribution bundle

Optional test harness (direct API checks, bypassing MCP):

export GREYNOISE_API_KEY=your-api-key
node test-tools.js              # all endpoints
node test-tools.js quick-check-ip
node test-tools.js gnql-stats
