Edgewatch MCP Client Guide
1.0.0 MCP

Use this guide to connect MCP clients, including Claude Web and Claude Desktop, to the Edgewatch MCP server. It reflects the current tool registry. Tool names are intentionally limited to letters, numbers, underscores, and hyphens so they are accepted by clients that enforce MCP tool-name validation.

Access Notice

The Edgewatch MCP server uses OAuth 2.1. MCP clients discover authorization automatically — no API credentials in headers. On first connect, your browser opens a one-time linking page where you enter your Edgewatch client-id and client-secret. After that, manage connected applications at /connected-apps.

Server URL: https://mcp.edgewatch.net/mcp
Protocol: MCP over Streamable HTTP (OAuth 2.1)
Tool name pattern: ^[a-zA-Z0-9_-]{1,64}$
Legacy tools removed: getInsight and getExplorer

MCP clients use OAuth 2.1 — no x-client-id or x-client-secret headers on POST /mcp.

Step 1: Add the MCP server URL in your client (ChatGPT, Claude, Cursor, etc.).
Step 2: Complete the browser linking flow when prompted — enter your Edgewatch API credentials once.
Step 3: The client receives a Bearer token and calls POST /mcp with Authorization: Bearer ….
Manage access: Visit /connected-apps to revoke individual MCP clients or disconnect your account.
{ "edgewatch": { "url": "https://mcp.edgewatch.net/mcp", "name": "Edgewatch" } }

The current registry exposes these tool names. Tools marked feature-gated may be omitted unless the corresponding server feature flag is enabled.

Default Tools

edgewatch_investigate_host - all-in-one investigation for an IP, domain, CIDR, or ASN.
edgewatch_map_infrastructure - build an infrastructure graph around a target.
edgewatch_trace_domain_history - trace DNS, WHOIS, RDAP, and related domain history.
edgewatch_lookup_pdns - query passive DNS by domain, IP, rdata, or rrset.
edgewatch_lookup_asn - look up ASN metadata, prefixes, neighbors, and ranking history.
edgewatch_lookup_ioc - enrich an IOC using Explorer, PDNS, CTI, and reputation sources.
edgewatch_cti_classifications - query CTI classifications from /api/classifications*.
edgewatch_cti_trends - query CTI trends from /api/trends*.
edgewatch_cti_feeds - query CTI feeds from /api/feeds*.
edgewatch_cti_export - query CTI export endpoints from /api/export* (json or csv).
edgewatch_lookup_cve - fetch a CVE by identifier with optional public context.
edgewatch_health - report server and upstream health.
edgewatch_capabilities - report feature flags and registered tool descriptors.
getContexts - return available AI agent contexts from the configured Mongo store.
searchCves - search cvedb.cves by free text (summary, text-indexed), exact CVE id (direct id lookup), or indexed filters (status/cwe/assigner/vendor/product/cvss/cvss3/epss/date ranges).
edgewatch_breachspot_search - search Breachspot credentials by email, domain, or username.

Feature-Gated Tools

edgewatch_check_ip_reputation - local IP reputation lookup with optional verification.
edgewatch_search_threat_events - search Open Pulsewire threat events (scope: public | authenticated | auto).
edgewatch_get_threat_trends - retrieve Open Pulsewire trend reports (authenticated).
edgewatch_get_watchlist_matches - read tenant watchlist matches, coincidences and watchlists (authenticated).
edgewatch_search_threat_entities - search Open Pulsewire entities; entity_type=threat_actor for the APT list (authenticated).
edgewatch_get_threat_entity - fetch a single Open Pulsewire entity with related events (authenticated).
edgewatch_search_threat_cves - search Open Pulsewire CVE mentions with event counts (authenticated).
edgewatch_search_threat_iocs - search Open Pulsewire IOCs (authenticated).
edgewatch_search_threat_evidence - search Open Pulsewire evidence records (authenticated).
edgewatch_list_threat_sources - list Open Pulsewire sources from the public sources dashboard (public, no credentials needed).
edgewatch_lookup_network - resolve IP, CIDR, ASN, organisation, or maintainer network records.
edgewatch_search_entities - search entities and correlate Pulsewire mentions (mention correlation requires credentials).
edgewatch_search_breach_exposure - breach exposure search over tenant watchlist data (authenticated).

Open Pulsewire auth: tenant-scoped tools require the caller's own client_id/client_secret on the MCP session — there is no shared default credential. Only the public sources/events feeds, /news/, and /tenants/global/events/ are anonymous.

Investigate an IP Address

await client.request({ method: 'tools/call', params: { name: 'edgewatch_investigate_host', arguments: { target: '8.8.8.8', target_type: 'ip', depth: 'standard', include_ports: true, include_pdns: true, include_cti: true, max_items: 25 } } }, resultSchema);

Trace a Domain

await client.request({ method: 'tools/call', params: { name: 'edgewatch_trace_domain_history', arguments: { domain: 'example.com', rrtype: 'A', include_subdomains: true, include_reverse_ip: true, max_items: 50 } } }, resultSchema);

Search Breachspot

await client.request({ method: 'tools/call', params: { name: 'edgewatch_breachspot_search', arguments: { domain: 'example.com', limit: 100 } } }, resultSchema);

Previous calls to getInsight or getExplorer should use edgewatch_investigate_host. For a fast exposure-style lookup, pass depth: 'fast', include_ports: true, and include_pdns: true.

Install the official SDK:

npm install @modelcontextprotocol/sdk zod

Minimal Client

import { Client } from '@modelcontextprotocol/sdk/client/index.js'; import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js'; import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js'; import { z } from 'zod'; const resultSchema = z.object({ content: z.array(z.object({ type: z.literal('text'), text: z.string() })) }); async function connectToEdgewatch(serverUrl) { const client = new Client({ name: 'edgewatch-client', version: '1.0.0' }); try { const transport = new StreamableHTTPClientTransport(new URL(serverUrl)); await client.connect(transport); return { client, transport }; } catch { const transport = new SSEClientTransport(new URL(serverUrl)); await client.connect(transport); return { client, transport }; } }

{ "mcpServers": { "ewmcp-server": { "url": "https://mcp.edgewatch.net/mcp", "name": "ewmcp-server", "version": "1.0.0" } } }

For access or support, contact support@edgewatch.com.