OSINT & Threat Intelligence MCP Server
One endpoint that lets AI agents investigate any IP, domain, or email.
The hosted ip-api.io MCP server gives AI agents autonomous access to the intelligence a human analyst would gather by hand — geolocation, VPN, proxy, and Tor detection, 0–100 risk scoring, ASN, WHOIS, DNS, and domain age. It speaks the Model Context Protocol over Streamable HTTP, so your agent calls the tools directly and returns a structured verdict in one loop.
What is agentic OSINT?
Agentic OSINT is open-source intelligence gathering performed by an AI agent instead of a human analyst. The agent calls lookup tools directly, chains them in a single reasoning loop, and returns a structured verdict — no tab-switching, no copy-paste. MCP is what makes it possible: it gives the agent a safe, typed interface to real intelligence data.
An analyst opens a geolocation site, then a WHOIS lookup, then a Tor exit-node list, then a reputation database — pasting the same IP into each and stitching the answers together by hand.
- One investigation at a time, at human speed
- Results scattered across half a dozen tabs
- Hard to reproduce or audit later
- Doesn't scale to hundreds of indicators
The agent calls ip_lookup, risk_score, dns_whois, and domain_age itself, reasons over the combined result, and reports a verdict — for one indicator or a thousand.
- Runs lookups autonomously in one loop
- Structured, machine-readable responses
- Every tool call and response is logged
- Scales to bulk sweeps without extra glue code
The ip-api.io MCP server is a hosted, read-only Streamable HTTP endpoint — the same production data behind the REST API, exposed as tools your agent can call safely.
Threat-intelligence tools your agent can call
Every tool maps to a job an OSINT analyst does by hand — now available as a single MCP call.
Geolocation & network — ip_lookup
Country, region, city, coordinates, timezone, ASN, and hosting company for any IP. The first pivot in almost every investigation, in one call.
Threat scoring — risk_score · ip_reputation
A single 0–100 score combining VPN, proxy, Tor, datacenter, and abuse signals. Lets an agent triage an indicator as benign or hostile without a rules engine.
Anonymity infrastructure — tor_check + flags
VPN, proxy, Tor exit node, and datacenter detection — included in every plan. The clearest tell that a connection is trying to hide its origin.
DNS & WHOIS — dns_whois · dns_mx · dns_reverse
Registrar and ownership records, mail servers, and forward/reverse resolution. Pivot from an IP to a domain to its infrastructure and back.
Domain age — domain_age
How long ago a domain was registered — the newly-registered-domain signal that flags throwaway phishing and fraud infrastructure before it's on a blocklist.
Email intelligence — email_risk_score
Syntax, MX, disposable-provider, and risk checks on an address. Enrich a lead, an account, or an alert without leaving the same MCP session.
Agentic MCP vs manual OSINT
Same intelligence, two very different workflows. Here's what changes when the agent does the lookups.
| Dimension | Manual OSINT | Agentic OSINT via ip-api.io MCP |
|---|---|---|
| Data gathering | Analyst pivots between separate sites and APIs | ✓ Agent calls tools directly in one loop |
| Speed per indicator | Minutes of clicking and copy-paste | ✓ Sub-second tool calls |
| VPN / proxy / Tor detection | Extra lookups, often a separate paid service | ✓ Included in every plan |
| Threat scoring | Analyst judgment, hard to standardize | ✓ Consistent 0–100 risk_score |
| Repeatability & audit trail | Manual notes; hard to reproduce | ✓ Every tool call and response logged |
| Scale | One investigation at a time | ✓ Batch tools sweep up to 100 items per call |
| Deep manual pivoting & intuition | ✓ A skilled analyst still wins on novel cases | Best for enrichment and first-pass triage |
Honest take: agentic OSINT doesn't replace an experienced analyst on a hard target — it removes the repetitive enrichment and triage so the analyst spends their time where intuition matters.
What agents build with the OSINT MCP server
From SOC automation to fraud enrichment — the jobs teams are wiring up first.
Automated threat-intel enrichment
An agent takes an alert's IP or domain, calls risk_score, tor_check, and dns_whois, and appends a structured verdict to the ticket — before an analyst ever opens it.
Agentic SOC triage
Wire the MCP server into your assistant so "investigate 203.0.113.5" returns geolocation, anonymity flags, ASN, and reputation in one turn — no runbook, no pivoting.
Phishing & domain investigation
Combine domain_age with dns_whois and dns_mx to flag freshly-registered lookalike domains and trace their mail infrastructure — the classic phishing tell.
Fraud-signal enrichment at signup
During account creation, an agent scores the IP for VPN/proxy/Tor and checks the email with email_risk_score, blocking anonymized fraud before it reaches your rules engine.
Bulk IOC & IP reputation sweeps
Feed a list of indicators to the batch tools — up to 100 items per call — and let the agent return a reputation table for the whole set in seconds.
Investigate-this-IP copilots
Ship the MCP endpoint inside an internal copilot so any engineer can ask natural-language questions about an IP, domain, or email and get sourced, tool-backed answers.
Connect an agent in two minutes
Add the hosted Streamable HTTP endpoint to any MCP client, then call tools with your API key.
Point your MCP client at the endpoint
{
  "mcpServers": {
    "ip-api-io": {
      "url": "https://ip-api.io/mcp",
      "transport": "streamable-http"
    }
  }
}
Call a tool with your API key
{
  "name": "risk_score",
  "arguments": {
    "api_key": "YOUR_API_KEY",
    "ip": "8.8.8.8"
  }
}
Keep your key in the client or agent secret store — never in a user-visible prompt. MCP tool calls use the same quota pools as the REST API.
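Because the key travels as a tool argument, it will appear in any transcript or audit log that records tool calls verbatim. The following is an added example, not ip-api.io's own code: a client-side wrapper that injects the key after the model has proposed its arguments and produces a redacted copy for logging. The function names and the IP_API_IO_KEY variable are hypothetical; the `tools/call` envelope is the standard MCP JSON-RPC request, and sending it over Streamable HTTP is left to your MCP client.

```python
import copy
import ipaddress
import json
import os

# Tool names as listed on this page; api_status is the only one needing no key.
KEYED_TOOLS = {"ip_lookup", "risk_score", "ip_reputation", "tor_check",
               "asn_lookup", "dns_whois", "dns_mx", "dns_reverse",
               "dns_forward", "domain_age", "email_validate", "email_risk_score"}
KEY_ENV = "IP_API_IO_KEY"  # hypothetical variable name, filled from your secret store


def build_tool_call(name, model_args, request_id=1, env=os.environ):
    """Turn model-proposed arguments into an MCP tools/call request."""
    if name != "api_status" and name not in KEYED_TOOLS:
        raise ValueError(f"tool not allowed: {name!r}")
    if "api_key" in model_args:
        # The model should never hold the key; a value here came from prompt text.
        raise ValueError("api_key must not come from the model or the prompt")
    args = dict(model_args)
    if "ip" in args:
        args["ip"] = str(ipaddress.ip_address(args["ip"]))  # raises ValueError on junk
    if name in KEYED_TOOLS:
        args["api_key"] = env[KEY_ENV]  # KeyError if the secret is not provisioned
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": name, "arguments": args}}


def redact_for_audit(request):
    """Copy of the request that is safe to write to a transcript or ticket."""
    safe = copy.deepcopy(request)
    arguments = safe["params"]["arguments"]
    if "api_key" in arguments:
        arguments["api_key"] = "[REDACTED]"
    return safe


if __name__ == "__main__":
    demo_env = {KEY_ENV: "constructed-demo-key"}  # constructed value, not a real key
    req = build_tool_call("risk_score", {"ip": "8.8.8.8"}, env=demo_env)
    print(json.dumps(redact_for_audit(req), indent=2))
```

Log only the output of `redact_for_audit`; the unredacted request should exist just long enough to be sent.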
OSINT MCP Server FAQs
Common questions about giving AI agents intelligence tooling.
What is an OSINT MCP server?
An OSINT MCP server is a Model Context Protocol server that exposes open-source intelligence lookups — IP geolocation, VPN/proxy/Tor detection, WHOIS, DNS, and reputation scoring — as tools an AI agent can call directly. Instead of a human analyst pivoting between separate websites and APIs, the agent invokes the tools itself. The ip-api.io MCP server is a hosted Streamable HTTP endpoint at https://ip-api.io/mcp that provides these lookups over the full v1 API surface.
How is agentic OSINT different from manual OSINT?
Manual OSINT means an analyst clicks through geolocation sites, WHOIS lookups, and reputation databases and copies results between them. Agentic OSINT means an AI agent runs those same lookups autonomously through MCP tools, chains them in a single reasoning loop, and returns a structured verdict. It's faster, repeatable, and auditable, because every tool call and response is logged.
Which OSINT and threat-intelligence tools does the ip-api.io MCP server expose?
The server exposes the full v1 API surface as read-only tools: ip_lookup (geolocation, ASN, company), risk_score and ip_reputation (0–100 threat scoring), tor_check plus VPN/proxy/datacenter flags, asn_lookup, dns_whois, dns_mx, dns_reverse, dns_forward, domain_age, email_validate and email_risk_score, plus quota and usage tools. Full argument reference is in the MCP tool reference.
Does the MCP server detect VPNs, proxies, and Tor?
Yes. VPN, proxy, Tor, and datacenter detection are included in every ip-api.io plan and are returned by the risk_score, ip_reputation, and tor_check tools — no add-on or higher tier required. This is a core threat-intelligence signal for spotting anonymized infrastructure.
How do AI agents authenticate to the MCP server?
Customer-facing tools take your ip-api.io API key as an api_key argument. Keep the key in your MCP client or agent secret store rather than pasting it into user-visible prompts. The public api_status health tool needs no key. MCP tool calls consume the same IP and advanced-email quota pools as the REST API.
Is the ip-api.io MCP server free to use?
There's a free tier with no card required, which is enough to connect an agent and run real lookups. Paid plans start at €10/month and include VPN/proxy/Tor detection and email validation in every tier.
Give your agent real intelligence
Geolocation, VPN/proxy/Tor detection, risk scoring, WHOIS, DNS, and domain age — exposed as MCP tools your AI agent can call directly. Every signal included from the €10/month plan. Start on the free tier, no card required.