Integration

Connect LLM agents to CipherCue

CipherCue exposes an MCP (Model Context Protocol) server so Claude Desktop, Cursor, Claude Code, and any other MCP-aware agent can query observed cybersecurity infrastructure directly from your prompts.

For Paid and Enterprise workspace owners connecting CipherCue to their team's AI workflows.

What is MCP?

MCP (Model Context Protocol) is Anthropic's open standard for letting LLM agents discover and call external tools over a uniform interface. With CipherCue's MCP server connected, you can ask Claude or Cursor questions like "find German companies running Fortinet VPNs" or "give me the dossier for ciphercue.com" and the agent will call the right tool and synthesise an answer over the structured response.

CipherCue's MCP server is hosted at https://ciphercue.com/mcp. It speaks the Streamable HTTP transport, so no local install or npm package is needed: paste the URL plus your CipherCue API token into your agent's MCP configuration.

Paid and Enterprise only. The MCP server requires a Paid or Enterprise subscription. Free workspaces can read these docs, but cannot generate API tokens or use the /mcp endpoint until they upgrade. See pricing.

Generate an API token

MCP reuses the same workspace API tokens as the REST API. Owners and admins can issue tokens from Settings › API tokens.

Open Settings › API tokens.
Choose Create token. Give it a descriptive name (e.g. claude-desktop-chris).
Tick the abilities your tools need (most workflows want all four):
- read:entities — required for search_entities, get_entity, match_domains, tech_vendor_search
- read:facts — required for get_entity_facts, get_entity_changes, tech_vendor_search
- read:signals — required for list_signals
- read:accounts — required for list_accounts
Copy the token shown on the next screen. The full token is only visible once. Store it in your password manager.

The CipherCue settings page showing the API tokens screen with the Create token form expanded and the four ability checkboxes ticked. — Create a token with the abilities your MCP tools need. Most workflows want all four.

The CipherCue settings page after token creation, showing the full token string with a copy button. The token value is partially redacted as cc_pat_dots. — Copy the token immediately — it is only shown once.

Claude Desktop setup

Claude Desktop's config file supports only stdio MCP servers. The HTTP transport CipherCue uses is reached via a small open-source shim called mcp-remote, which runs locally and forwards your requests over HTTPS (including your bearer token). You need Node.js installed.

Open the Claude Desktop config file. The path depends on your operating system:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

Add (or extend) the mcpServers object:

{
  "mcpServers": {
    "ciphercue": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://ciphercue.com/mcp",
        "--header",
        "Authorization:Bearer cc_pat_your_token_here"
      ]
    }
  }
}

Fully quit Claude Desktop (Cmd+Q on macOS — not just close the window) and reopen it. On first launch, npx will download mcp-remote from npm (10–20 seconds). Open a new conversation and click the tool picker; you should see eight CipherCue tools listed.

The claude_desktop_config.json file open in an editor with the CipherCue mcp-remote block highlighted. — Add the CipherCue block under `mcpServers`. Replace the placeholder token with the one you generated.

Claude Desktop tool picker showing the eight CipherCue tools after a successful MCP connection. — After restart, all eight CipherCue tools appear in the tool picker.

Why not the "Add custom connector" GUI?

Claude Desktop's in-app Add custom connector dialog only accepts MCP servers that implement the full OAuth 2.1 authorisation flow with dynamic client registration. CipherCue uses workspace API tokens (bearer auth), which is simpler to issue and revoke per integration but not what the GUI dialog expects. The mcp-remote shim is the official path for bearer-auth servers and works identically once connected.

Cursor setup

Open Cursor's settings, navigate to Features › MCP, and add a new MCP server:

{
  "name": "ciphercue",
  "url": "https://ciphercue.com/mcp",
  "headers": {
    "Authorization": "Bearer cc_pat_your_token_here"
  }
}

Cursor will probe the connection and list the available tools when the server is reachable.

Cursor MCP settings panel showing CipherCue listed as a connected MCP server. — Cursor's MCP settings panel after CipherCue is added.

Claude Code setup

From a terminal, register the MCP server with the claude CLI:

claude mcp add ciphercue \
  --transport http \
  --url https://ciphercue.com/mcp \
  --header "Authorization: Bearer cc_pat_your_token_here"

List configured servers to confirm:

claude mcp list

End-to-end walkthrough

This 90-second screen recording walks through token generation, Claude Desktop config, and a sample query.

Generate a token, paste into Claude Desktop, restart, run a query.

A Claude Desktop conversation showing the search_entities tool being invoked and returning a structured list of German Fortinet-using companies. — Sample interaction: Claude calls `search_entities` + `tech_vendor_search` and synthesises the result.

Available tools

Eight tools are exposed. Use natural-language prompts and the agent will pick the right one.

Tool	What it does	Parameters	Ability
`search_entities`	Filter the entity directory by country, region, type, public index, or signal count.	`query`, `country`, `region`, `type`, `index`, `min_signals`, `limit`	`read:entities`
`get_entity`	Full dossier for one entity: tech stack, DNS, CISA KEV matches, certificate transparency.	`id` or `domain`	`read:entities`
`get_entity_facts`	Raw observed facts (tech_fingerprint, dns_compliance, etc.) for one entity.	`entity_id`, `type`, `since`, `limit`	`read:facts`
`get_entity_changes`	Temporal change events for one entity: what was added, removed, or updated and when.	`entity_id`, `since`, `limit`	`read:facts`
`list_signals`	Signals matched to your tracked accounts.	`since`, `status`, `severity`, `limit`	`read:signals`
`list_accounts`	Accounts you are tracking.	`limit`	`read:accounts`
`match_domains`	Bulk-match up to 50 domains to CipherCue entities.	`domains` (array)	`read:entities`
`tech_vendor_search`	Find entities observed running a given VPN, IAM, email-security, SIEM, or endpoint vendor.	`category`, `vendor`, `country`, `region`, `limit`	`read:entities` + `read:facts`

Sample prompts

"Search CipherCue for German companies running Fortinet VPNs."
"Give me the full dossier for ciphercue.com."
"What changed for entity {uuid} in the last 14 days?"
"Match this list of domains to CipherCue entities: acme.com, contoso.eu, example.fr."
"List all critical signals from the past week."

Quota and rate limits

MCP calls count against the same monthly API quota as the REST API:

Free: API tokens unavailable.
Paid: 1,000 calls / month.
Enterprise: 100,000 calls / month.

Each MCP tool call counts as one API call, with one exception: match_domains charges one call per domain in the batch (a 50-domain batch consumes 50 calls). Burst limit is 60 requests per minute per token.

Every response includes X-Quota-Limit, X-Quota-Remaining, and X-Quota-Reset headers so you can see your current usage.

Troubleshooting

403 tier_required

Your workspace is on the Free tier. MCP requires Paid or Enterprise. Upgrade in settings.

401 Unauthenticated

The bearer token is missing, malformed, or revoked. Generate a fresh token from Settings › API tokens.

Tools don't appear in the picker

The token is missing the abilities the tool requires. The MCP server still connects (so the agent shows it as available), but individual tool calls fail. Regenerate the token with all four abilities ticked.

429 monthly_quota_exceeded

You've hit the monthly call cap. Quota resets at the start of next month UTC. Enterprise quota uplifts are available — contact us.

Tool call returns "opt_out"

That specific entity has opted out of public observation via DNS TXT or email to abuse@ciphercue.com. The entity is filtered from MCP responses to honour the opt-out.

Claude Desktop's "Add custom connector" dialog rejects the URL

The in-app dialog requires OAuth 2.1 with dynamic client registration; CipherCue uses bearer tokens. Use the mcp-remote shim in the config file instead.

Claude Desktop shows "Some MCP servers could not be loaded"

You likely added a url + headers block to claude_desktop_config.json. That format is not supported there — Claude Desktop's config file only accepts stdio servers (command + args). Switch to the mcp-remote config shown above.

← Back to all docs · REST API reference