Skip to main content
CyberStrike connects to five official MCP security servers that collectively add 176+ specialized tools across five security domains. All are open source and installable with npx — no separate accounts or licenses required.

hackbrowser-mcp

Browser-based security testing — XSS, CSRF, DOM manipulation, cookie theft. 39 tools.

cloud-audit-mcp

Cloud security audits across AWS, Azure, and GCP with 60+ checks. 38 tools.

github-security-mcp

GitHub security posture — repos, orgs, Actions, secrets, supply chain. 39 tools.

cve-mcp

CVE intelligence from NVD, EPSS, CISA KEV, GitHub Advisory, and OSV. 23 tools.

osint-mcp

OSINT recon via Shodan, VirusTotal, SecurityTrails, Censys, DNS, and WHOIS. 37 tools.

hackbrowser-mcp

39 tools · Browser-based security testing hackbrowser-mcp gives CyberStrike a real browser it can drive programmatically. Agents use it to test client-side vulnerabilities that require JavaScript execution: XSS injection and reflection, CSRF token handling, DOM manipulation, cookie theft, clickjacking, and browser-based authentication flows. Key use cases:
  • Inject and verify XSS payloads across input fields, URL parameters, and HTTP headers
  • Test CSRF protections — verify token validation, SameSite cookie enforcement, and origin checks
  • Inspect and steal cookies via DOM access to assess session security
  • Manipulate the DOM to bypass client-side access controls
  • Test single-page application authentication flows end-to-end
npx -y hackbrowser-mcp
Add to cyberstrike.json:
cyberstrike.json
{
  "mcp": {
    "hackbrowser-mcp": {
      "type": "local",
      "command": ["npx", "-y", "hackbrowser-mcp"]
    }
  }
}

cloud-audit-mcp

38 tools · Cloud security audits cloud-audit-mcp runs structured security checks against AWS, Azure, and GCP accounts. It implements 60+ checks mapped to CIS Benchmarks and common cloud misconfigurations — IAM policy analysis, public resource exposure, encryption gaps, network security group rules, and logging configuration. Key use cases:
  • Enumerate overly permissive IAM roles, policies, and trust relationships
  • Identify publicly exposed storage buckets, databases, and compute instances
  • Check encryption-at-rest and encryption-in-transit across storage and compute services
  • Audit network security groups and firewall rules for over-permissive inbound access
  • Verify logging, monitoring, and alerting configurations against CIS Benchmarks
npx -y cloud-audit-mcp
Add to cyberstrike.json:
cyberstrike.json
{
  "mcp": {
    "cloud-audit-mcp": {
      "type": "local",
      "command": ["npx", "-y", "cloud-audit-mcp"],
      "environment": {
        "AWS_ACCESS_KEY_ID": "{env:AWS_ACCESS_KEY_ID}",
        "AWS_SECRET_ACCESS_KEY": "{env:AWS_SECRET_ACCESS_KEY}",
        "AWS_DEFAULT_REGION": "us-east-1"
      }
    }
  }
}
Use the {env:VARIABLE} syntax to reference existing shell environment variables without hard-coding credentials in your config file.

github-security-mcp

39 tools · GitHub security posture github-security-mcp audits GitHub repositories and organizations for security weaknesses. It covers repository settings, organization-level policies, GitHub Actions workflow security, exposed secrets in code and configuration, and software supply chain risks in dependencies and third-party Actions. Key use cases:
  • Audit branch protection rules, required reviews, and force-push restrictions
  • Check organization security policies — SSO enforcement, two-factor requirements, member permissions
  • Analyze GitHub Actions workflows for dangerous patterns: pull_request_target, script injection, and untrusted input handling
  • Detect secrets committed to repositories across history
  • Review third-party Action dependencies for supply chain risk (pinned SHAs vs. mutable tags)
npx -y github-security-mcp
Add to cyberstrike.json:
cyberstrike.json
{
  "mcp": {
    "github-security-mcp": {
      "type": "local",
      "command": ["npx", "-y", "github-security-mcp"],
      "environment": {
        "GITHUB_TOKEN": "{env:GITHUB_TOKEN}"
      }
    }
  }
}

cve-mcp

23 tools · CVE intelligence cve-mcp aggregates vulnerability data from five authoritative sources: the NIST National Vulnerability Database (NVD), EPSS exploit prediction scores, the CISA Known Exploited Vulnerabilities (KEV) catalog, GitHub Advisory Database, and the Open Source Vulnerability (OSV) database. Agents use it to assess the real-world severity and exploitability of vulnerabilities they discover. Key use cases:
  • Look up CVE details and CVSS scores from NVD
  • Query EPSS scores to assess the probability a CVE will be exploited in the wild
  • Check whether a CVE appears in the CISA KEV list, indicating active exploitation
  • Search GitHub Advisory for package-level vulnerability data
  • Cross-reference OSV data for open-source dependency vulnerabilities
npx -y cve-mcp
Add to cyberstrike.json:
cyberstrike.json
{
  "mcp": {
    "cve-mcp": {
      "type": "local",
      "command": ["npx", "-y", "cve-mcp"]
    }
  }
}
cve-mcp queries public APIs and does not require API keys for basic usage. Rate limits apply to unauthenticated NVD requests; set NVD_API_KEY in environment if you need higher throughput.

osint-mcp

37 tools · OSINT and reconnaissance osint-mcp connects CyberStrike to 12 external intelligence sources for open-source reconnaissance. It wraps Shodan, VirusTotal, SecurityTrails, Censys, and passive DNS and WHOIS providers — giving agents structured access to internet-wide scan data, domain history, IP reputation, and certificate transparency logs. Key use cases:
  • Search Shodan for exposed services, banners, and CVEs on target IP ranges
  • Query VirusTotal for file, URL, and domain reputation
  • Enumerate subdomains and DNS history via SecurityTrails
  • Search Censys for certificate and service data across the internet
  • Perform passive DNS lookups and WHOIS lookups without touching the target directly
npx -y osint-mcp
Add to cyberstrike.json:
cyberstrike.json
{
  "mcp": {
    "osint-mcp": {
      "type": "local",
      "command": ["npx", "-y", "osint-mcp"],
      "environment": {
        "SHODAN_API_KEY": "{env:SHODAN_API_KEY}",
        "VIRUSTOTAL_API_KEY": "{env:VIRUSTOTAL_API_KEY}",
        "SECURITYTRAILS_API_KEY": "{env:SECURITYTRAILS_API_KEY}",
        "CENSYS_API_ID": "{env:CENSYS_API_ID}",
        "CENSYS_API_SECRET": "{env:CENSYS_API_SECRET}"
      }
    }
  }
}
Tools that rely on a specific API key will fail gracefully if that key is not provided — other tools in the server remain available.

Using all servers together

You can configure multiple MCP servers in a single cyberstrike.json. CyberStrike agents will have access to all connected servers simultaneously.
cyberstrike.json
{
  "mcp": {
    "hackbrowser-mcp": {
      "type": "local",
      "command": ["npx", "-y", "hackbrowser-mcp"]
    },
    "cloud-audit-mcp": {
      "type": "local",
      "command": ["npx", "-y", "cloud-audit-mcp"],
      "environment": {
        "AWS_ACCESS_KEY_ID": "{env:AWS_ACCESS_KEY_ID}",
        "AWS_SECRET_ACCESS_KEY": "{env:AWS_SECRET_ACCESS_KEY}"
      }
    },
    "github-security-mcp": {
      "type": "local",
      "command": ["npx", "-y", "github-security-mcp"],
      "environment": {
        "GITHUB_TOKEN": "{env:GITHUB_TOKEN}"
      }
    },
    "cve-mcp": {
      "type": "local",
      "command": ["npx", "-y", "cve-mcp"]
    },
    "osint-mcp": {
      "type": "local",
      "command": ["npx", "-y", "osint-mcp"],
      "environment": {
        "SHODAN_API_KEY": "{env:SHODAN_API_KEY}",
        "VIRUSTOTAL_API_KEY": "{env:VIRUSTOTAL_API_KEY}"
      }
    }
  }
}
Set "enabled": false on servers you don’t need for a particular engagement. This keeps the config intact while reducing startup time and API noise.
For more on MCP configuration options — including timeout, headers, and OAuth — see the MCP integration guide.

Build docs developers (and LLMs) love

Get started for freeTalk to us