servers / scry
Scry MCP server
communitystreamable_httpremoteverifiedhealthy
Free IPv4 lookups against a distributed attacker-observation corpus.
01Tools · 12
| Tool | Risk | Side effects | Approval |
|---|---|---|---|
| scry_country Roll-up of corpus activity by ISO country code. Same shape as scry_asn. | unknown | unknown | unknown |
| scry_tools List detected attack tools — (protocol, payload, path) tuples sent by 3+ distinct source IPs. Aggregate metadata only; never lists member actors. | read | false | unknown |
| scry_tool Single tool detail by 16-char hex id from scry_tools. | unknown | unknown | unknown |
| scry_campaigns Active threat campaigns — coordinated attacker activity that exceeds the noise floor. ≥5 distinct actors, ≥3 ASNs, ≤5 destination ports, ≥1h history. | unknown | unknown | unknown |
| scry_campaign Single campaign detail by id (format: c[0-9a-f]{15}). | unknown | unknown | unknown |
| scry_recent Recent observations feed — aggregated by source IP within a time window. Cursor-paginated via since_ms. | unknown | unknown | unknown |
| scry_stats Returns aggregate Scry corpus telemetry: total observation count, distinct
source IPs, first/last observation timestamps, last-24h activity, and
per-protocol breakdowns. Useful as a liveness/density check before issuing
per-IP queries — lets an agent decide whether the corpus has enough data
to be authoritative.
Use this tool when:
- An agent is planning a multi-step investigation and wants to know if Scry
has corpus density worth querying.
- You want a 'corpus health' signal in a dashboard or report.
Do NOT use this tool when:
- You want details about a specific IP — use `scry_check`.
- You want sensor fleet size or node identities — never exposed at any tier.
Inputs: none.
Returns: total_observations, distinct_source_ips, first_seen_ms, last_seen_ms, observations_last_24h, distinct_source_ips_last_24h, by_protocol, as_of_ms.
Cost: free, anonymous, rate-limited.
Latency: <100ms typical. | read | false | unknown |
| scry_check Returns Scry's corpus knowledge for a single IPv4 address: when it was first/last
observed, observation count, protocols and ports targeted, ASN, country, category
(actor/scanner/not_observed), and confidence_bucket (low/medium/high).
Use when an agent needs IP triage, hostility assessment, or risk signaling.
Do NOT use for raw payloads (never exposed) or IPv6 (corpus is v4-only at v0.1). | read | false | unknown |
| scry_check_bulk Look up many IPv4 addresses in one request. Up to 100 IPs per call. Same per-IP shape as scry_check, keyed by IP. | unknown | unknown | unknown |
| scry_top Top-N source dimensions over a time window. Useful for situational awareness — 'where is the noise coming from right now?' | unknown | unknown | unknown |
| scry_timeseries Bucketed observation counts over time. Detect bursts, plot trends, sanity-check whether attacker activity is rising or falling. | unknown | unknown | unknown |
| scry_asn Roll-up of corpus activity for a single ASN — observation count, distinct source IPs, actor count, scanner count, high-confidence actor count, and per-protocol breakdown. | read | false | unknown |
02Install & source
https://mcp.tunnelmind.ai/mcp
remote_url- repohttps://github.com/TunnelMind/scry-mcp
- homepagehttps://mcp.tunnelmind.ai/mcp
- adoption0 stars · 0 forks
05Provenance & freshness
sourcesOfficial MCP Registry [p1]
last_checked2026-07-06 20:51Z
next_check2026-07-08 20:41Z
cadenceevery 48h
verifiedtools_list:passed handshake:passed metadata:passed
index_statusindex — 7 unique facts >= 5
06Badge
Add the “as seen on MCPExplorer” badge to your README.
[](https://mcpexplorer.com/servers/scry)
Next step
This is one server. A loadout combines the right servers, governance, and proven plays for a whole job — assembled deliberately, not tool-dumped.
Explore loadouts →