servers / scry

Scry MCP server

communitystreamable_httpremoteverifiedhealthy

Free IPv4 lookups against a distributed attacker-observation corpus.


01Tools · 12
ToolRiskSide effectsApproval
scry_country
Roll-up of corpus activity by ISO country code. Same shape as scry_asn.
unknownunknownunknown
scry_tools
List detected attack tools — (protocol, payload, path) tuples sent by 3+ distinct source IPs. Aggregate metadata only; never lists member actors.
readfalseunknown
scry_tool
Single tool detail by 16-char hex id from scry_tools.
unknownunknownunknown
scry_campaigns
Active threat campaigns — coordinated attacker activity that exceeds the noise floor. ≥5 distinct actors, ≥3 ASNs, ≤5 destination ports, ≥1h history.
unknownunknownunknown
scry_campaign
Single campaign detail by id (format: c[0-9a-f]{15}).
unknownunknownunknown
scry_recent
Recent observations feed — aggregated by source IP within a time window. Cursor-paginated via since_ms.
unknownunknownunknown
scry_stats
Returns aggregate Scry corpus telemetry: total observation count, distinct source IPs, first/last observation timestamps, last-24h activity, and per-protocol breakdowns. Useful as a liveness/density check before issuing per-IP queries — lets an agent decide whether the corpus has enough data to be authoritative. Use this tool when: - An agent is planning a multi-step investigation and wants to know if Scry has corpus density worth querying. - You want a 'corpus health' signal in a dashboard or report. Do NOT use this tool when: - You want details about a specific IP — use `scry_check`. - You want sensor fleet size or node identities — never exposed at any tier. Inputs: none. Returns: total_observations, distinct_source_ips, first_seen_ms, last_seen_ms, observations_last_24h, distinct_source_ips_last_24h, by_protocol, as_of_ms. Cost: free, anonymous, rate-limited. Latency: <100ms typical.
readfalseunknown
scry_check
Returns Scry's corpus knowledge for a single IPv4 address: when it was first/last observed, observation count, protocols and ports targeted, ASN, country, category (actor/scanner/not_observed), and confidence_bucket (low/medium/high). Use when an agent needs IP triage, hostility assessment, or risk signaling. Do NOT use for raw payloads (never exposed) or IPv6 (corpus is v4-only at v0.1).
readfalseunknown
scry_check_bulk
Look up many IPv4 addresses in one request. Up to 100 IPs per call. Same per-IP shape as scry_check, keyed by IP.
unknownunknownunknown
scry_top
Top-N source dimensions over a time window. Useful for situational awareness — 'where is the noise coming from right now?'
unknownunknownunknown
scry_timeseries
Bucketed observation counts over time. Detect bursts, plot trends, sanity-check whether attacker activity is rising or falling.
unknownunknownunknown
scry_asn
Roll-up of corpus activity for a single ASN — observation count, distinct source IPs, actor count, scanner count, high-confidence actor count, and per-protocol breakdown.
readfalseunknown

02Install & source
https://mcp.tunnelmind.ai/mcp
remote_url

05Provenance & freshness
sourcesOfficial MCP Registry [p1]
last_checked2026-07-06 20:51Z
next_check2026-07-08 20:41Z
cadenceevery 48h
verifiedtools_list:passed handshake:passed metadata:passed
index_statusindex7 unique facts >= 5

06Badge

Add the “as seen on MCPExplorer” badge to your README. Scry MCP — as seen on mcpexplorer.com

[![Scry MCP — as seen on mcpexplorer.com](https://mcpexplorer.com/badge/scry.svg)](https://mcpexplorer.com/servers/scry)

Next step

This is one server. A loadout combines the right servers, governance, and proven plays for a whole job — assembled deliberately, not tool-dumped.

Explore loadouts →