Model Context Protocol · Live

Security tools your AI assistant
can actually call.

Plug Defenso into Claude Code, Cursor, Windsurf, VS Code, or codex. Six deterministic tools return live signal — not model guesses. Your assistant uses them when it needs real data, and its own reasoning for everything else.

Terminal · one line copy
$ npx -y @defen.so/mcp link

Six real tools. Six real answers.

Each tool comes with explicit WHEN TO USE guidance so the assistant reaches for us only when it needs live data — and answers general security questions from its own knowledge. You save quota; we save inference.

scan_domain Live · graded A–F

Surface pentest against any URL — TLS, HSTS, CSP, cookie flags, exposed .env/.git, security headers. Per-check evidence.

Use when the user asks to audit / pentest / check a specific URL and needs fresh data.
check_headers Live · ~1 s

Fetch the URL and return the current security-header set (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy) plus server banner.

Use when the question is about the current header state of a specific site.
list_sites Account

Every site under the account with plan, connection method (SDK / CNAME), and verification status.

Use when the user asks about their coverage or "which sites do I have on defenso."
list_monitors Live · up/down

Every uptime monitor — current status, last checked, 24h uptime %.

Use when the user asks "are my sites up" or wants uptime state.
list_recent_attacks Live · WAF + honeypot

Most recent WAF and honeypot events with rule, IP, path, and action. Pass hours to widen the window.

Use when the user asks "any attacks recently" or is investigating an incident.
explain_verdict Reference

For a given rule or verdict ID, return the pattern, target, action, plan tier, and mitigation steps.

Use when a specific rule ID is referenced. General "what is XSS" answers should come from your own knowledge.

Wire it into your assistant. One block.

Same JSON works everywhere. Pick your editor.

Add to ~/.claude/mcp.json
{
  "mcpServers": {
    "defen.so": {
      "command": "npx",
      "args": ["-y", "@defen.so/mcp"]
    }
  }
}
Cursor Settings → Features → MCP → Add server
Name:    defen.so
Command: npx
Args:    -y @defen.so/mcp
Windsurf Settings → Cascade → MCP servers → Add server (same JSON as Claude)
{
  "mcpServers": {
    "defen.so": {
      "command": "npx",
      "args": ["-y", "@defen.so/mcp"]
    }
  }
}
VS Code Copilot Chat → Settings → Model Context Protocol → Add server
Command: npx
Args:    -y @defen.so/mcp
Any codex-cli or MCP-speaking client — pipe stdio
npx -y @defen.so/mcp

Why it matters. Three reasons.

Live signal, not guesses

The assistant sees your actual header state, actual attack log, actual monitor status — not what a model imagines they might be.

Cheaper for everyone

Every tool description tells the assistant when NOT to call us. General questions stay in-model. You save quota, we save inference.

Auditable by design

Each tool returns structured JSON with raw evidence. Read-only by default. Write actions require Pro tier and explicit confirmation.

Free forever

Give your assistant real security tools.

One command. No card. Free tier includes scan_domain, check_headers, list_sites, list_monitors, list_recent_attacks, and explain_verdict.