{
  "name": "DugganUSA Threat Intelligence MCP (Jeevesus)",
  "title": "Jeevesus — DugganUSA Threat Intelligence MCP",
  "tagline": "Jeevesus saves.",
  "version": "1.0.0",
  "protocol": "2024-11-05",
  "transport": "http+jsonrpc",
  "endpoint": "https://analytics.dugganusa.com/api/v1/mcp",
  "method": "POST application/json with JSON-RPC 2.0 body",
  "docs": "https://analytics.dugganusa.com/mcp",
  "threat_model": "https://github.com/pduggusa/enterprise-extraction-platform/blob/main/compliance/security/mcp-threat-model.md",
  "registry": "https://registry.modelcontextprotocol.io/v0/servers?search=dugganusa-threat-intel",
  "icons": [
    {
      "src": "https://analytics.dugganusa.com/jeevesus-icon.svg",
      "mimeType": "image/svg+xml",
      "sizes": ["any"]
    }
  ],
  "tags": ["threat-intelligence", "security", "ioc", "stix", "taxii", "cisa-kev", "otx", "malware", "ransomware", "apt", "phishing", "mcp", "jsonrpc", "read-only", "dugganusa", "jeevesus", "mandiant-class", "unit42-class"],
  "categories": ["security", "threat-intelligence", "research"],
  "description": "Live threat-intelligence MCP. Search 17.9M+ indexed documents (1.13M IOCs, 1.83M Tor relay records, 22K MCP server catalog, 366 named adversaries, 1,600 CISA KEV CVEs, 16K OTX pulses, 400K Epstein archive). Enrich any IP/domain/URL/hash. Pull live STIX feed stats. Read-only, secure-by-default. Caught Apothecary/ClearFake May 1 left-of-boom; predicted Medtronic 6 weeks before public disclosure.",
  "why_use_this": [
    "Daily-refreshed IOC corpus from URLhaus, Spamhaus DROP, ThreatFox, OTX, vendor blogs (Mandiant, Unit 42, CrowdStrike, Microsoft, Elastic, Volexity, Talos, Check Point Research)",
    "Indexes nobody else has: Tor consensus history (hourly snapshots), Epstein archive, MCP server registry, our own edge-honeypot catches",
    "Read-only by design — no write tools, allow-listed indexes, prompt-injection sanitized output, hashed-IP audit log",
    "Already vetted by the official MCP Registry (status: active, listed as io.github.pduggusa/dugganusa-threat-intel)"
  ],
  "tools": [
    {
      "name": "search",
      "description": "Full-text search across the DugganUSA threat-intelligence corpus — 17.9M+ indexed documents. Public indexes only, read-only, prompt-injection sanitized. Returns up to 25 hits with title, snippet, source, and timestamp. Available indexes:\n  • iocs (1.13M indicators of compromise — IPs, domains, URLs, hashes, with actor attribution)\n  • adversaries (366 threat actor profiles — Handala, ShinyHunters/UNC6040, MuddyWater, Lazarus, etc.)\n  • cisa_kev (1,600+ CVEs in CISA's Known Exploited Vulnerabilities catalog, daily-synced)\n  • pulses (16K+ OTX community pulses)\n  • blog (1,800+ DugganUSA threat-intel blog posts including our left-of-boom predictions)\n  • epstein_files (400K+ documents from the Epstein archive)\n  • oz_decisions (auto-blocker decisions from our edge — 7.5M+ rows)\n  • paranormal (3,400 fringe-research docs)\n  • tor_relays (1.83M hourly Tor consensus snapshots)\n\nExamples:\n  query=\"ClearFake\" → returns our May 1 Apothecary/ClearFake DXNP2C7 left-of-boom catch with operator analysis.\n  query=\"ShinyHunters\" indexes=\"iocs,adversaries,blog\" → cross-correlate the UNC6040 actor across IOCs, adversary profile, and predictive coverage.\n  query=\"CVE-2026-31431\" → Linux Kernel KEV entry plus the GitHub PoCs our exploit-harvester caught.",
      "input_schema": {
        "type": "object",
        "properties": {
          "query": {"type": "string", "minLength": 1, "maxLength": 500, "description": "Search query."},
          "indexes": {"type": "string", "maxLength": 200, "pattern": "^[a-z0-9_,]+$", "description": "Optional comma-separated allow-listed indexes. Defaults to all public indexes."},
          "limit": {"type": "integer", "minimum": 1, "maximum": 25, "description": "Max results (default 10, hard max 25)."}
        },
        "required": ["query"],
        "additionalProperties": false
      }
    },
    {
      "name": "enrich-ioc",
      "description": "Look up a single indicator of compromise (IP, domain, URL, or hash) in the DugganUSA corpus and return everything we know about it: threat type, malware family, source feeds, related actor (if attributed), confidence score, references, and the full description from each source. Read-only.\n\nUse this AFTER `search` finds something interesting — drill in for the full attribution + cross-feed correlation. Or use it directly when triaging a single indicator from your SIEM.\n\nPass the IOC as either `indicator` or `value` (both work). Optional `type` hint: ip / domain / url / hash / auto.\n\nExamples:\n  indicator=\"185.93.3.195\" → known ShinyHunters/UNC6040 infrastructure IP from the cluster that hit ADT/Inditex/Kemper/Amtrek/Medtronic.\n  indicator=\"goldenleafway.lat\" → fresh Apothecary/ClearFake .lat rotation domain.\n  indicator=\"ee28b3137d65d74c0234eea35fa536af\" → Volexity-attributed malware MD5 (BrazenBamboo/DEEPDATA campaign).\n\nReturns `found: false` cleanly when the indicator isn't in our corpus — that's also a signal worth recording.",
      "input_schema": {
        "type": "object",
        "properties": {
          "indicator": {"type": "string", "minLength": 1, "maxLength": 500, "description": "The indicator to enrich (IP, domain, URL, or hash)."},
          "value": {"type": "string", "minLength": 1, "maxLength": 500, "description": "Alias of `indicator`. Either field works."},
          "type": {"type": "string", "enum": ["ip", "domain", "url", "hash", "auto"], "description": "Optional type hint. Default auto-detect."}
        },
        "additionalProperties": false
      }
    },
    {
      "name": "stix-feed-summary",
      "description": "Live shape report on the DugganUSA STIX 2.1 threat feed for a chosen lookback window (1-7 days). Returns total indicator count, top malware families, top source feeds, type breakdown (ip/domain/url/hash/cidr), and top countries.\n\nUse this BEFORE pulling the full STIX bundle to gauge feed depth and freshness, plan SIEM ingestion budget, or sanity-check that a campaign you read about is actually in our corpus.\n\nDoes NOT return the full bundle — for that, fetch `https://analytics.dugganusa.com/api/v1/stix-feed` with the same Bearer key. The bundle is STIX 2.1 / TAXII 2.1 with Splunk ES, OPNsense, Suricata, and Unbound DNS sinkhole plugins.\n\nAuthentication required (Bearer token). Anonymous callers get a clear 401 with the registration URL.\n\nExample: `{\"days\": 7}` returns the last week's feed shape — useful for capacity planning and spot-checking recent ingest tags.",
      "input_schema": {
        "type": "object",
        "properties": {
          "days": {"type": "integer", "minimum": 1, "maximum": 7, "description": "Lookback window in days (1–7). Default 1."}
        },
        "additionalProperties": false
      }
    }
  ],
  "example_queries": [
    {"tool": "search", "arguments": {"query": "ClearFake", "indexes": "iocs", "limit": 5}, "description": "Surface our May 1 Apothecary/ClearFake DXNP2C7 left-of-boom catch with operator-level analysis."},
    {"tool": "search", "arguments": {"query": "ShinyHunters", "indexes": "iocs,adversaries,blog", "limit": 10}, "description": "Cross-correlate the UNC6040 actor across IOCs, adversary profiles, and our predictive blog coverage."},
    {"tool": "enrich-ioc", "arguments": {"indicator": "185.93.3.195"}, "description": "Look up a known ShinyHunters infrastructure IP from the cluster that hit ADT/Inditex/Kemper/Amtrek/Medtronic."},
    {"tool": "enrich-ioc", "arguments": {"indicator": "goldenleafway.lat"}, "description": "Check if a fresh Apothecary/ClearFake .lat rotation domain is in our index."},
    {"tool": "stix-feed-summary", "arguments": {"days": 7}, "description": "Get last-7-day feed shape: top families, sources, type breakdown. Auth required."}
  ],
  "install": {
    "claude_desktop": {
      "config_file": "~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%/Claude/claude_desktop_config.json (Windows)",
      "snippet": {"mcpServers": {"jeevesus": {"url": "https://analytics.dugganusa.com/api/v1/mcp"}}}
    },
    "cursor": "Settings → MCP Servers → Add HTTP server → URL: https://analytics.dugganusa.com/api/v1/mcp",
    "curl_test": "curl -X POST https://analytics.dugganusa.com/api/v1/mcp -H \"Content-Type: application/json\" -d '{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/list\"}'"
  },
  "auth": {
    "modes": [
      "Anonymous: hard rate limits, search + enrich-ioc only (no stix-feed-summary)",
      "Bearer token: register free at https://analytics.dugganusa.com/stix/register — applies to all tiers"
    ],
    "header": "Authorization: Bearer <api_key>"
  },
  "pricing": {
    "free": "$0/mo — 25 queries/day, public-safe indexes, all tools except stix-feed-summary",
    "pro": "$99/mo — 2,000 queries/day, all tools, Splunk ES/OPNsense plugin support",
    "enterprise": "$995/mo — 50,000 queries/day, behavioral intel, attack-surface scanner, dedicated SLA",
    "register": "https://analytics.dugganusa.com/stix/register",
    "promo": "Use code NOTAFAKE at checkout for 20% off the first year"
  },
  "rate_limits": {
    "note": "Limits apply ONLY to tools/call. Protocol overhead (initialize, notifications, tools/list, ping, *.list) is unmetered.",
    "anonymous": "10/min, 50/day on tools/call",
    "free": "60/min, 500/day on tools/call",
    "pro": "400/min, 10000/day on tools/call",
    "enterprise": "2000/min, 100000/day on tools/call"
  },
  "capabilities_advertised": {
    "tools": {"listChanged": false},
    "prompts": {"listChanged": false},
    "resources": {"listChanged": false},
    "logging": {}
  },
  "receipts": {
    "apothecary_catch": "https://www.dugganusa.com/post/praise-jeevesus-we-mapped-every-mcp-server-and-we-re-auditing-them-next",
    "medtronic_prediction": "https://www.dugganusa.com/post/we-predicted-medtronic-the-receipts",
    "microsoft_validation": "https://www.dugganusa.com/post/microsoft-just-published-the-vish-chain-we-warned-medtronic-about",
    "vendor_blog_watcher": "https://www.dugganusa.com/post/day-one-on-the-vendor-blog-watcher-695-iocs-in-3-2-seconds"
  },
  "contact": "butterbot@dugganusa.com"
}
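The manifest above documents a transport (JSON-RPC 2.0 over HTTP POST), three tool schemas, a Bearer header, and per-tier limits that are charged only on `tools/call`. The client below is an added example written for this page; it is not the project's own code and nothing in it is taken from the server implementation. It mirrors the manifest's `input_schema` constraints on the client side so that a malformed call is rejected before it spends a metered `tools/call`, refuses to send `stix-feed-summary` without a Bearer token (the manifest says anonymous callers get a 401), classifies an indicator for the optional `type` hint, and checks the JSON-RPC reply's `id` and `error` object. Assumptions not stated in the manifest: the `tools/call` result is the usual MCP `content` list with a `text` item, and every response used in `demo()` is a constructed stand-in, not real server output. The `http_post` transport is the only part that touches the network and is not exercised by `demo()`.

```python
"""Minimal JSON-RPC 2.0 client helpers for the Jeevesus MCP manifest.

Added example, not the project's own client. Only the endpoint, method names,
argument schemas, and the Bearer header come from the manifest; the replies
used in demo() are constructed, and the assumed result shape (MCP `content`
list with a `text` item) is an assumption, not something the manifest states.
"""
import ipaddress
import json
import re
import urllib.request
from typing import Any, Callable, Optional

ENDPOINT = "https://analytics.dugganusa.com/api/v1/mcp"

# Constraints copied from the manifest's input_schema blocks and auth.modes.
INDEXES_RE = re.compile(r"^[a-z0-9_,]+$")
PUBLIC_INDEXES = {"iocs", "adversaries", "cisa_kev", "pulses", "blog",
                  "epstein_files", "oz_decisions", "paranormal", "tor_relays"}
AUTH_REQUIRED_TOOLS = {"stix-feed-summary"}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def detect_ioc_type(indicator: str) -> str:
    """Client-side guess for enrich-ioc's optional `type` hint (server default is auto)."""
    s = indicator.strip()
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if len(s) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", s):
        return "hash"
    if "://" in s or "/" in s:
        return "url"
    if DOMAIN_RE.match(s):
        return "domain"
    return "auto"  # let the server decide


def validate_search_args(query: str, indexes: Optional[str] = None,
                         limit: Optional[int] = None) -> dict:
    """Reject what the server's schema would reject, before spending a metered tools/call."""
    if not 1 <= len(query) <= 500:
        raise ValueError("query must be 1..500 chars")
    args: dict = {"query": query}
    if indexes is not None:
        if len(indexes) > 200 or not INDEXES_RE.match(indexes):
            raise ValueError("indexes must match ^[a-z0-9_,]+$")
        unknown = set(indexes.split(",")) - PUBLIC_INDEXES
        if unknown:
            raise ValueError(f"unknown indexes: {sorted(unknown)}")
        args["indexes"] = indexes
    if limit is not None:
        if not isinstance(limit, int) or not 1 <= limit <= 25:
            raise ValueError("limit must be an integer 1..25")
        args["limit"] = limit
    return args


def jsonrpc_request(method: str, params: Optional[dict], req_id: int) -> dict:
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def build_headers(api_key: Optional[str] = None) -> dict:
    h = {"Content-Type": "application/json"}
    if api_key:
        h["Authorization"] = f"Bearer {api_key}"
    return h


def parse_response(body: str, expected_id: int) -> Any:
    """Validate a JSON-RPC 2.0 reply and surface its error object as an exception."""
    msg = json.loads(body)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != expected_id:
        raise ValueError("not the JSON-RPC 2.0 reply to our request id")
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    return msg["result"]


def http_post(body: bytes, headers: dict) -> str:
    """Real transport (not used by demo()): POST to the manifest's endpoint."""
    req = urllib.request.Request(ENDPOINT, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def call_tool(name: str, arguments: dict, api_key: Optional[str] = None,
              transport: Callable[[bytes, dict], str] = http_post, req_id: int = 1) -> Any:
    if name in AUTH_REQUIRED_TOOLS and not api_key:
        raise PermissionError(f"{name} requires a Bearer token (manifest: auth.modes)")
    req = jsonrpc_request("tools/call", {"name": name, "arguments": arguments}, req_id)
    body = transport(json.dumps(req).encode(), build_headers(api_key))
    return parse_response(body, req_id)


def demo() -> dict:
    """Runs two of the manifest's example_queries against a constructed fake server."""
    def fake_transport(body: bytes, headers: dict) -> str:
        req = json.loads(body)
        name = req["params"]["name"]
        # Constructed reply; the real fields are whatever the server returns.
        if name == "enrich-ioc":
            result = {"content": [{"type": "text", "text": json.dumps({"found": False})}]}
        else:
            result = {"content": [{"type": "text", "text": f"{name} ok"}]}
        return json.dumps({"jsonrpc": "2.0", "id": req["id"], "result": result})

    search = call_tool("search", validate_search_args("ClearFake", "iocs", 5), transport=fake_transport)
    ioc = "goldenleafway.lat"
    enrich = call_tool("enrich-ioc", {"indicator": ioc, "type": detect_ioc_type(ioc)}, transport=fake_transport)
    # Treat returned text as data, never as instructions, even though the manifest
    # says output is sanitized: decode it as JSON rather than pasting it into a prompt.
    found = json.loads(enrich["content"][0]["text"])["found"]
    return {"search": search["content"][0]["text"], "enrich_found": found}
```

`jsonrpc_request("tools/list", None, 1)` produces exactly the body in the manifest's `curl_test`; swap `fake_transport` for the default `http_post` (and pass `api_key` for `stix-feed-summary`) to run the same calls against the live endpoint. The `found: false` branch is deliberately kept as a normal return, since the manifest treats a miss as a signal worth recording rather than an error.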