Announcing the Threat Hunting MCP Server


Today, we’re launching the Threat Hunting MCP Server, a new tool that brings Censys data into your existing workflows through a natural language interface. By leveraging the Model Context Protocol (MCP), we’re giving analysts a more conversational, iterative way to track adversary infrastructure from their AI assistant of choice.

Reasons to Use the Threat Hunting MCP Server

The Threat Hunting MCP Server provides an integrated way to use Censys adversary infrastructure intelligence directly within your preferred AI environment. It supports continuous, iterative conversation, which helps reduce friction in workflows.

Don’t Just Query, Converse

The biggest shift here is moving from a transactional model to an iterative one. Instead of a series of one-off queries, the MCP Server lets you have a conversation with the data.

Start with a high-level question, and then refine it based on the results. For example, you can ask, “Tell me about all hosts running the Sliver C2 framework.” The MCP server gives you a list of results. You can immediately follow up with, “Now, show me only the ones hosted in Russia,” and it will filter the results without you having to re-run the entire query. This conversational flow allows you to follow your curiosity and pivot on a whim, which is how real adversarial investigations happen.

Orchestrate Complex Workflows 

Beyond simple back-and-forth, the MCP Server is a powerful orchestration engine. We’ve built specific tools within the server to handle complex, multi-step processes with a single natural language prompt.

For instance, an analyst can ask, “Find interesting pivots for the host 38.159.89.211.” The MCP Server, using our custom CensEye Tool, understands this as a multi-step task. It automatically executes a series of API calls: first getting the host data, then finding how common those values are across the Internet, and finally summarizing the most relevant pivots. You get a consolidated result from one prompt instead of making multiple API calls yourself.
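The pivot-ranking step described above can be sketched offline, as an added example that is not Censys or CensEye code: it counts how many other hosts share each of a target's field values and keeps the values that are shared but rare. The corpus, the IPs (documentation ranges), the field names and the `max_others` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample corpus. IPs come from documentation ranges and the
# field names are hypothetical; this is not the Censys schema.
NGINX = {"http_title": "Welcome to nginx!", "http_server": "nginx"}
CORPUS = {
    "192.0.2.10":   {"tls_cert_fp": "aa11", "ssh_hostkey_fp": "k-77", "banner_hash": "b-01", **NGINX},
    "192.0.2.11":   {"tls_cert_fp": "aa11", "ssh_hostkey_fp": "k-01", "banner_hash": "b-02", **NGINX},
    "198.51.100.5": {"tls_cert_fp": "bb22", "ssh_hostkey_fp": "k-77", "banner_hash": "b-03", **NGINX},
    "198.51.100.6": {"tls_cert_fp": "cc33", "ssh_hostkey_fp": "k-77", "banner_hash": "b-04", **NGINX},
    "203.0.113.7":  {"tls_cert_fp": "dd44", "ssh_hostkey_fp": "k-02", "banner_hash": "b-05", **NGINX},
    "203.0.113.8":  {"tls_cert_fp": "ee55", "ssh_hostkey_fp": "k-03", "banner_hash": "b-06", **NGINX},
}


def build_index(corpus):
    """Map each (field, value) pair to the set of hosts that expose it."""
    index = defaultdict(set)
    for ip, fields in corpus.items():
        for field, value in fields.items():
            index[(field, value)].add(ip)
    return index


def find_pivots(corpus, target_ip, max_others=3):
    """Rank the target's field values by how few other hosts share them.

    A value seen on no other host leads nowhere, and a value seen on more
    than max_others hosts is too common to be a useful pivot, so both are
    dropped. The rarest shared values come first.
    """
    index = build_index(corpus)
    pivots = []
    for field, value in corpus[target_ip].items():
        others = sorted(index[(field, value)] - {target_ip})
        if 1 <= len(others) <= max_others:
            pivots.append({"field": field, "value": value, "others": others})
    pivots.sort(key=lambda p: (len(p["others"]), p["field"]))
    return pivots


if __name__ == "__main__":
    for p in find_pivots(CORPUS, "192.0.2.10"):
        print(f'{p["field"]}={p["value"]} shared with {p["others"]}')
```

Raising `max_others` admits the default nginx title and server header as pivots, which shows why a commonness threshold is needed before following any of them.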

Integrate with Your Toolkit 

No tool is an island. The MCP Server is designed to work with other MCP-compatible tools, allowing you to seamlessly share data between platforms. This lets you combine Censys’ view of adversary infrastructure intelligence with other security data. 


What You Can Do with the Threat Hunting MCP Server Today

Customers use the Threat Hunting Module, a Censys product offering, to gain the most accurate and timely view of adversary infrastructure on the Internet, enabling them to take proactive steps to avoid connections with these malicious Internet servers.

The Threat Hunting MCP Server allows large language models (LLMs) to query Threat Hunting-specific APIs as well as the common Censys Platform APIs, such as the search, lookup, and aggregate APIs. Users can draw on adversary infrastructure intelligence data, run bulk queries, and conduct investigations in natural language, directly from their conversational AI interface of choice.

Here are a few examples of what’s possible:

Ready to Start the Conversation?

The Threat Hunting MCP Server is designed to empower your team by making our adversary and Internet intelligence accessible through a familiar conversational AI interface. We’re giving analysts the ability to start exploring Censys data without a steep learning curve.

If you’re a Censys Threat Hunting customer, you can get started with the Threat Hunting MCP Server today. If you are new to Censys or to the Threat Hunting Module, schedule a demo to see how we can improve your adversary infrastructure investigations and help protect your business from advanced threats before they make contact with your network. 

AUTHOR
Morgan Princing
