AI Blue Team Tools · MCP Server
Give your AI agent URL threat intelligence
The URLScanner MCP Server connects Claude, Cursor, and any MCP-compatible AI to real-time phishing detection, threat intelligence, DNS analysis, SSL inspection, and WHOIS data — in 30 seconds, free, no account required.
How it works
From suspicious URL to threat verdict in seconds
The AI calls scan_url, URLScanner does the heavy lifting, and the AI explains what it means. No integrations to build, no parsing to write.
AI receives a URL to investigate
The URL arrives from a user prompt, a SIEM alert, an email report, or an automated threat feed. The AI determines it needs threat intelligence and calls the scan_url MCP tool.
URLScanner performs full analysis
The MCP server submits the scan and polls until complete. URLScanner runs 8 parallel modules: threat intel, SSL, DNS, WHOIS, HTTP headers, redirect analysis, security scoring, and screenshots.
AI synthesizes a threat assessment
Results return as structured markdown. The AI synthesizes a human-readable threat assessment: verdict, key risk indicators, what each finding means, and a recommended action — in plain language.
Setup
Add to your AI in 30 seconds
One URL is all it takes. The URLScanner MCP Server uses Streamable HTTP transport — no local process, no npm install, no Docker required.
# Add URLScanner MCP to Claude Code (one command)
claude mcp add urlscanner --transport http https://mcp.urlscanner.online/mcp
# Then in any Claude Code session:
# "Investigate this URL for phishing: https://suspicious-site.xyz"
https://mcp.urlscanner.online/mcp
See it in action
AI phishing investigation — live example
A user reports a suspicious email link. The AI calls scan_url and returns a full threat assessment with context and recommended action.
User
A user just forwarded this email link to the SOC: https://secure-paypal-verify.xyz/account/confirm
Can you investigate it?
Tool call
scan_url { url: "https://secure-paypal-verify.xyz/account/confirm" }
Tool result
Security Score: 3/100 · Verdict: MALICIOUS
Threat Intelligence: isMalicious: true · Flagging sources: URLhaus, Spamhaus DBL
SSL: valid: false — expired 4 days ago
WHOIS: Registered 3 days ago · Registrar: Namecheap Inc.
DNS: A record → 185.220.101.47 (known Tor exit node)
Claude
⚠ This URL is malicious. Do not click it.
Phishing indicators: The domain secure-paypal-verify.xyz impersonates PayPal but has no affiliation. Registered 3 days ago — consistent with a short-lived phishing campaign. Actively blocklisted by URLhaus and Spamhaus DBL.
SSL: Certificate expired 4 days ago. Legitimate services maintain valid certificates.
Infrastructure: Resolves to 185.220.101.47, a known Tor exit node used to mask the operator's origin.
Recommended action: Block the domain at the email gateway, submit to your SIEM as a confirmed phishing IOC, and notify the user's manager. No further investigation required — verdict is definitive.
What agents can do
Full blue team URL intelligence
Every scan runs 8 parallel modules. AI agents receive all results in a single structured response — no follow-up queries needed.
Phishing URL Detection
Detect phishing pages using domain age, SSL validity, blocklist hits, and visual similarity signals. AI agents get a clear verdict — safe, suspicious, or malicious.
Malware & Threat Intel
Query 70+ threat intelligence sources including URLhaus, Spamhaus, Google Safe Browsing, and SURBL. Returns all flagging sources and confidence indicators.
SSL Certificate Analysis
Full certificate chain inspection: validity, expiry days, issuer, TLS version, OCSP status, and HSTS. Expired or self-signed certs are common phishing indicators.
DNS Infrastructure Mapping
Complete DNS enumeration — A, AAAA, MX, TXT, NS, SOA records. AI agents use this to pivot through attacker infrastructure and identify related malicious domains.
WHOIS & Domain Age
Registrar, registration date, domain age, and expiry. Newly registered domains (< 30 days) are a primary phishing indicator — flagged automatically.
HTTP Security Headers
Audit HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and CORS configuration. Identify misconfigured or missing headers.
Redirect Chain Tracing
Follow the full redirect chain and detect cross-origin hops, trusted-to-unknown redirects, and open redirect abuse — critical for URL shortener analysis.
Security Score 0–100
Weighted composite score combining all modules. AI agents use this for triage prioritization — anything below 40 triggers escalation, anything above 80 is cleared.
AI-Formatted Results
Results returned as structured markdown with a raw JSON block. Designed for LLM consumption — no parsing required, ready for the AI to synthesize and explain.
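A SOC pipeline can also apply the score thresholds above in code instead of leaving the decision to the model's reading of the markdown. The sketch below is an added example, not URLScanner's own code: the result layout and the JSON field names (securityScore, isMalicious, sslValid, domainAgeDays) are assumptions, the sample is constructed, and the middle "review" band and the rule that a high score with an open indicator is not cleared are choices made for this example.

```python
import json
import re

# Thresholds quoted on this page: below 40 escalates, above 80 is cleared.
ESCALATE_BELOW = 40
CLEAR_ABOVE = 80
NEW_DOMAIN_DAYS = 30  # "Newly registered domains (< 30 days)"
FENCE = "`" * 3  # built at runtime so no literal fence appears inside this example

# Constructed sample result; the layout and every JSON field name are assumptions.
SAMPLE_RESULT = f"""## Scan result
Security Score: 3/100

{FENCE}json
{{"securityScore": 3, "isMalicious": true, "sslValid": false, "domainAgeDays": 3}}
{FENCE}
"""


def extract_json_block(markdown: str) -> dict:
    """Return the first fenced json block in a markdown tool result."""
    match = re.search(FENCE + r"json\s*\n(.*?)\n" + FENCE, markdown, re.DOTALL)
    if match is None:
        raise ValueError("no fenced json block in tool result")
    return json.loads(match.group(1))


def triage(result: dict) -> tuple[str, list[str]]:
    """Map a parsed scan result to (action, reasons) using the page's thresholds."""
    score = result.get("securityScore")
    # Reject missing, non-numeric or out-of-range scores rather than guessing.
    if isinstance(score, bool) or not isinstance(score, (int, float)) or not 0 <= score <= 100:
        return "review", ["score missing or out of range"]
    reasons = []
    if result.get("isMalicious") is True:
        reasons.append("blocklist hit")
    if result.get("sslValid") is False:
        reasons.append("invalid certificate")
    age = result.get("domainAgeDays")
    if isinstance(age, (int, float)) and not isinstance(age, bool) and age < NEW_DOMAIN_DAYS:
        reasons.append("newly registered domain")
    if score < ESCALATE_BELOW:
        return "escalate", reasons
    # A high score never clears a URL that still carries a risk indicator.
    if score > CLEAR_ABOVE and not reasons:
        return "clear", reasons
    return "review", reasons
```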
Blue team use cases
Where AI blue team agents add the most value
SOC Alert Triage
An AI analyst automatically enriches every URL IOC from SIEM alerts. Instead of an analyst manually checking each link, the AI calls scan_url, evaluates the verdict, and writes a one-line triage note — handling 80% of alerts without human intervention.
Phishing Email Investigation
When a user reports a suspicious email, the AI extracts all URLs, calls scan_url on each one, and produces a full phishing assessment in seconds — domain age, blocklist status, SSL validity, and a recommended action for the SOC.
Attacker Infrastructure Mapping
During incident response, the AI pivots through DNS records and WHOIS data to map related malicious domains. It identifies shared infrastructure, registrant patterns, and hosting providers that would take a human analyst hours to correlate.
Threat Feed Validation
Validate URLs from threat intelligence feeds before blocking them in firewalls or proxies. The AI calls scan_url to confirm a URL is still active and malicious — reducing false positives from stale or recycled IOCs.
Security Awareness Training
AI tutors can analyze example phishing URLs in real time during security awareness sessions — showing employees exactly why a URL is dangerous using live threat data rather than static screenshots.
Get started
Add URL threat intelligence to your AI today
Free. No account. No API key. One command and your AI agent can analyze any URL, detect phishing, and map attacker infrastructure in real time.
claude mcp add urlscanner --transport http https://mcp.urlscanner.online/mcp