SecurityScorecard MCP Connector A production-grade Model Context Protocol (MCP) server that integrates SecurityScorecard's cyber risk intelligence platform with Claude and other MCP-compatible AI assistants.
Security Ratings : Retrieve company security scores, grades (A-F), and factor breakdownsPortfolio Management : Create, manage, and analyze portfolios of monitored companiesFindings & Issues : Access detailed security findings, active issues, and vulnerability dataVendor Risk Intelligence : Discover third-party and fourth-party vendor relationshipsAttack Surface Intelligence : Search exposed assets, CVEs, threat actors, and ransomware dataQuestionnaires : Send and manage security assessment questionnaires (SIG, NIST, PCI)Action Plans : Create and track security improvement plansReports : Generate summary, detailed, and full scorecard reportsIndustry Benchmarks : Compare companies against industry averages
npm install
npm run build Running with Claude Desktop (stdio mode) Add to your Claude Desktop config (claude_desktop_config.json):
{
"mcpServers" : {
"securityscorecard" : {
"command" : " node" "args" : [" /path/to/securityscorecard-mcp/dist/index.js" "env" : {
"SSC_API_KEY" : " your_api_key_here" TRANSPORT_MODE=http SSC_API_KEY=your_api_key_here npm start The server will start on port 3000 (configurable via PORT env var).
SSC_API_KEY=your_api_key_here docker compose up Scorecards & Company Information
Tool
Description
get-company-scoreGet security score, grade, and factor breakdown for any company
get-company-infoGet detailed company information and metadata
search-companiesBulk search multiple companies by domain
get-factor-detailsDetailed breakdown of all security factors
get-historical-scoresHistorical score data over time
get-historical-factor-scoresHistorical factor-level scores
get-active-issuesActive security issues summary
get-expanded-riskExpanded risk analysis including supply chain
get-score-improvement-planRecommendations to reach a target score
Tool
Description
list-portfoliosList all monitoring portfolios
get-portfolio-companiesCompanies in a portfolio with scores
create-portfolioCreate a new monitoring portfolio
update-portfolioUpdate portfolio name/description
delete-portfolioDelete a portfolio
add-company-to-portfolioAdd a company to a portfolio
remove-company-from-portfolioRemove a company from a portfolio
get-portfolio-riskPortfolio-wide risk analysis
Tool
Description
get-issue-detailsDetails on specific issue types
get-issue-contextScoring context for an issue type
get-industry-benchmarkIndustry average scores
get-industry-factorsIndustry factor breakdown
get-industry-historical-scoresIndustry score trends
Tool
Description
get-vendor-detectionThird-party vendors for a company
get-fourth-party-riskFourth-party (supply chain) vendors
get-vendor-productsProducts/technologies detected
get-vendor-riskVendor risk score
get-portfolio-vendorsVendor analysis across a portfolio
Questionnaires & Action Plans
Tool
Description
get-questionnaire-templatesAvailable questionnaire templates
send-questionnaireSend a questionnaire to a vendor
get-questionnaire-statusCheck questionnaire status
get-questionnaire-responsesGet questionnaire responses
list-action-plansList all action plans
create-issue-resolution-planCreate issue resolution plan
create-score-improvement-planCreate score improvement plan
delete-action-planDelete an action plan
Attack Surface Intelligence & Events
Tool
Description
search-attack-surfaceSearch ASI for exposed assets and vulnerabilities
get-asset-detailsDetails on a specific IP/asset
get-cve-detailsCVE details from ASI
get-threat-actor-detailsThreat actor group information
get-ransomware-detailsRansomware strain details
get-security-eventsSecurity events over time
get-breach-eventsBreach-related events
generate-reportGenerate security reports
list-recent-reportsList recently generated reports
1. Vendor Risk Assessment "What's the security score for acme.com? Show me their factor breakdown and any active security issues."
"List my portfolios and show me all companies in my 'Critical Vendors' portfolio that have a score below 70."
"Search the attack surface for any exposed assets related to example.com and check if they have any CVEs being actively exploited."
"Who are the fourth-party vendors for microsoft.com? Are any of them below a B grade?"
"How does acme.com compare to the healthcare industry average? Show me the historical trend for the past year."
src/
├── cli/ # CLI entry point
├── controllers/ # Business logic (extensible)
├── services/
│ ├── securityscorecard.service.ts # SSC API client
│ └── securityscorecard.types.ts # Type definitions
├── tools/
│ ├── index.ts # Tool registration hub
│ ├── scorecard.tools.ts
│ ├── portfolio.tools.ts
│ ├── findings.tools.ts
│ ├── vendor.tools.ts
│ ├── questionnaire.tools.ts
│ ├── actionplan.tools.ts
│ ├── asi.tools.ts
│ └── events.tools.ts
├── resources/
│ └── scorecard.resources.ts # MCP resources
├── utils/
│ ├── config.ts # Zod-validated config
│ ├── logger.ts # Pino structured logging
│ └── error.ts # Error formatting
└── index.ts # Server entry point
Variable
Description
Default
TRANSPORT_MODEstdio or httpstdio
PORTHTTP server port
3000
SSC_API_KEYSecurityScorecard API key
required
SSC_API_BASE_URLAPI base URL
https://api.securityscorecard.io
LOG_LEVELLogging level
info
NODE_ENVEnvironment
production
API Endpoints (HTTP mode)
Endpoint
Method
Description
/mcpPOST
MCP Streamable HTTP endpoint
/mcpGET
SSE notification stream
/mcpDELETE
Session cleanup
/healthGET
Health check
/.well-known/oauth-protected-resourceGET
OAuth metadata (RFC 9728)
MIT