Use this guide to connect MCP clients, including Claude Web and Claude Desktop, to the Edgewatch MCP server. It reflects the current tool registry. Tool names are intentionally limited to letters, numbers, underscores, and hyphens so they are accepted by clients that enforce MCP tool-name validation.
The Edgewatch MCP server uses OAuth 2.1. MCP clients discover authorization automatically — no API credentials in headers.
On first connect, your browser opens a one-time linking page where you enter your Edgewatch client-id and
client-secret. After that, manage connected applications at
/connected-apps.
https://mcp.edgewatch.net/mcp^[a-zA-Z0-9_-]{1,64}$getInsight and getExplorerMCP clients use OAuth 2.1 — no x-client-id or x-client-secret headers on POST /mcp.
POST /mcp with Authorization: Bearer …./connected-apps to revoke individual MCP clients or disconnect your account.The current registry exposes these tool names. Tools marked feature-gated may be omitted unless the corresponding server feature flag is enabled.
edgewatch_investigate_host - all-in-one investigation for an IP, domain, CIDR, or ASN.edgewatch_map_infrastructure - build an infrastructure graph around a target.edgewatch_trace_domain_history - trace DNS, WHOIS, RDAP, and related domain history.edgewatch_lookup_pdns - query passive DNS by domain, IP, rdata, or rrset.edgewatch_lookup_asn - look up ASN metadata, prefixes, neighbors, and ranking history.edgewatch_lookup_ioc - enrich an IOC using Explorer, PDNS, CTI, and reputation sources.edgewatch_cti_classifications - query CTI classifications from /api/classifications*.edgewatch_cti_trends - query CTI trends from /api/trends*.edgewatch_cti_feeds - query CTI feeds from /api/feeds*.edgewatch_cti_export - query CTI export endpoints from /api/export* (json or csv).edgewatch_lookup_cve - fetch a CVE by identifier with optional public context.edgewatch_health - report server and upstream health.edgewatch_capabilities - report feature flags and registered tool descriptors.getContexts - return available AI agent contexts from the configured Mongo store.searchCves - search cvedb.cves by free text (summary, text-indexed), exact CVE id (direct id lookup), or indexed filters (status/cwe/assigner/vendor/product/cvss/cvss3/epss/date ranges).edgewatch_breachspot_search - search Breachspot credentials by email, domain, or username.edgewatch_check_ip_reputation - local IP reputation lookup with optional verification.edgewatch_search_threat_events - search Open Pulsewire threat events (scope: public | authenticated | auto).edgewatch_get_threat_trends - retrieve Open Pulsewire trend reports (authenticated).edgewatch_get_watchlist_matches - read tenant watchlist matches, coincidences and watchlists (authenticated).edgewatch_search_threat_entities - search Open Pulsewire entities; entity_type=threat_actor for the APT list (authenticated).edgewatch_get_threat_entity - fetch a single Open Pulsewire entity with related events (authenticated).edgewatch_search_threat_cves - search Open Pulsewire CVE mentions with event counts (authenticated).edgewatch_search_threat_iocs - search Open Pulsewire IOCs (authenticated).edgewatch_search_threat_evidence - search Open Pulsewire evidence records (authenticated).edgewatch_list_threat_sources - list Open Pulsewire sources from the public sources dashboard (public, no credentials needed).edgewatch_lookup_network - resolve IP, CIDR, ASN, organisation, or maintainer network records.edgewatch_search_entities - search entities and correlate Pulsewire mentions (mention correlation requires credentials).edgewatch_search_breach_exposure - breach exposure search over tenant watchlist data (authenticated).Open Pulsewire auth: tenant-scoped tools require the caller's own client_id/client_secret on the MCP session — there is no shared default credential. Only the public sources/events feeds, /news/, and /tenants/global/events/ are anonymous.
Previous calls to getInsight or getExplorer should use
edgewatch_investigate_host. For a fast exposure-style lookup, pass
depth: 'fast', include_ports: true, and include_pdns: true.
Install the official SDK:
For access or support, contact support@edgewatch.com.