lookup_cve: Get full threat intelligence enrichment for a CVE including EPSS score, CISA KEV status, public exploits, Nuclei templates, risk level, and risk facto
assess_tech_risk: Assess security risk for a list of technologies. Returns known CVEs affecting each technology with severity breakdown. Input: comma-separated technolo
search_cves: Search for CVEs by keyword, severity, or other filters. Query must be alphanumeric text.
get_kev_recent: Get recently added entries to the CISA Known Exploited Vulnerabilities (KEV) catalog.
get_trending_cves: Get currently trending CVEs based on recent KEV additions, high EPSS scores, and exploit availability.
get_weaponization_score: Get the weaponization score (0-100) for a CVE. Factors in EPSS, KEV status, exploit availability, Nuclei templates, and CVSS. Input must be a valid CV
lookup_ip_reputation: Look up community IP reputation from Sectora Shield WAF network. Shows if an IP has been reported for attacks. Accepts IPv4 or IPv6 (the Shield networ
get_threat_stats: Get statistics about the Sectora threat intelligence database including counts of EPSS scores, KEV entries, Nuclei templates, and exploits. No input r
list_my_findings: List the API key owner's open security findings across all scans. Use this to answer "what's my current exposure?" Filter by severity, status, or doma
list_my_scans: List the API key owner's recent scans with summary counts. Requires API key.
get_scan: Get a scan with all its findings (full detail: title, description, evidence, remediation, CVSS). Requires API key.
scan_url: Kick off a DAST security scan against a public URL the API key owner controls. Two-step flow: first call returns a preview (target, profile, ETA, quot
get_my_posture: Get Shield WAF posture score and breakdown for a domain registered under this account. Returns 0-100 score, letter grade, per-component breakdown (ori
assess_dependency: Check a single package@version for known vulnerabilities via OSV.dev (npm, PyPI, Go, Maven, NuGet, RubyGems, Packagist, crates.io, etc.). Returns advi
No proxied traffic observed for this host yet. Connect it at /connect and its grade gains a measured Reliability score + per-tool behavioral evidence — the half a static scan can't produce.
We re-grade mcp.sectora.io on a schedule and alert your Slack/webhook the moment its tools change or its grade drops — rug-pull insurance for the connection.
Add the wmcp.sh trust oracle as an MCP server and call grade_mcp_server / check_mcp_drift in your agent's pre-connection gate:
https://wmcp.sh/mcp/trust
readOnly vs observed behavior) layer on via the wmcp.sh proxy.