# Scry MCP server

Free IPv4 lookups against a distributed attacker-observation corpus.

## Links
- Registry page: https://www.getdrio.com/mcp/ai-tunnelmind-scry
- Repository: https://github.com/TunnelMind/scry-mcp
- Website: https://api.tunnelmind.ai

## Install
- Endpoint: https://mcp.tunnelmind.ai/mcp
- Auth: Not captured

## Setup notes
- Remote endpoint: https://mcp.tunnelmind.ai/mcp

## Tools
- scry_stats - Returns aggregate Scry corpus telemetry: total observation count, distinct source IPs, first/last observation timestamps, last-24h activity, and per-protocol breakdowns. Useful as a liveness/density check before issuing per-IP queries — lets an agent decide whether the corpus has enough data to be authoritative.

  Use this tool when:
  - An agent is planning a multi-step investigation and wants to know if Scry has corpus density worth querying.
  - You want a 'corpus health' signal in a dashboard or report.

  Do NOT use this tool when:
  - You want details about a specific IP — use `scry_check`.
  - You want sensor fleet size or node identities — never exposed at any tier.

  - Inputs: none.
  - Returns: total_observations, distinct_source_ips, first_seen_ms, last_seen_ms, observations_last_24h, distinct_source_ips_last_24h, by_protocol, as_of_ms.
  - Cost: free, anonymous, rate-limited.
  - Latency: <100ms typical.
- scry_check - Returns Scry's corpus knowledge for a single IPv4 address: when it was first/last observed, observation count, protocols and ports targeted, ASN, country, category (actor/scanner/not_observed), and confidence_bucket (low/medium/high).

  Use when an agent needs IP triage, hostility assessment, or risk signaling.
  Do NOT use for raw payloads (never exposed) or IPv6 (corpus is v4-only at v0.1).
- scry_check_bulk - Look up many IPv4 addresses in one request. Up to 100 IPs per call. Same per-IP shape as scry_check, keyed by IP.
- scry_top - Top-N source dimensions over a time window. Useful for situational awareness — 'where is the noise coming from right now?'
- scry_timeseries - Bucketed observation counts over time. Detect bursts, plot trends, sanity-check whether attacker activity is rising or falling.
- scry_asn - Roll-up of corpus activity for a single ASN — observation count, distinct source IPs, actor count, scanner count, high-confidence actor count, and per-protocol breakdown.
- scry_country - Roll-up of corpus activity by ISO country code. Same shape as scry_asn.
- scry_tools - List detected attack tools — (protocol, payload, path) tuples sent by 3+ distinct source IPs. Aggregate metadata only; never lists member actors.
- scry_tool - Single tool detail by 16-char hex id from scry_tools.
- scry_campaigns - Active threat campaigns — coordinated attacker activity that exceeds the noise floor. ≥5 distinct actors, ≥3 ASNs, ≤5 destination ports, ≥1h history.
- scry_campaign - Single campaign detail by id (format: c[0-9a-f]{15}).
- scry_recent - Recent observations feed — aggregated by source IP within a time window. Cursor-paginated via since_ms.
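
The input limits listed above (IPv4 only, at most 100 IPs per `scry_check_bulk` call, and the id formats for `scry_campaign` and `scry_tool`) can be enforced on the client before any request leaves the network. The following is an added example, not code from the Scry project; the function names are hypothetical, dropping non-public addresses is a local policy choice not stated on this page, and lowercase hex for tool ids is an assumption.

```python
import ipaddress
import re

MAX_BULK = 100                               # page: up to 100 IPs per scry_check_bulk call
CAMPAIGN_ID = re.compile(r"c[0-9a-f]{15}")   # page: scry_campaign id format
TOOL_ID = re.compile(r"[0-9a-f]{16}")        # page: 16-char hex id (lowercase assumed)


def prepare_bulk_batches(candidates):
    """Return (batches, skipped) for a list of address strings taken from logs.

    batches: lists of at most MAX_BULK unique, globally routable IPv4 strings.
    skipped: (original_value, reason) pairs that should not be sent.
    """
    seen, keep, skipped = set(), [], []
    for raw in candidates:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            skipped.append((raw, "not an IP address"))
            continue
        if addr.version != 4:
            skipped.append((raw, "IPv6: corpus is v4-only"))
        elif not addr.is_global:
            # Assumption: internal/reserved addresses stay out of third-party lookups.
            skipped.append((raw, "non-public address, kept local"))
        elif str(addr) not in seen:
            seen.add(str(addr))
            keep.append(str(addr))
    batches = [keep[i:i + MAX_BULK] for i in range(0, len(keep), MAX_BULK)]
    return batches, skipped


def valid_campaign_id(value):
    return CAMPAIGN_ID.fullmatch(value) is not None


def valid_tool_id(value):
    return TOOL_ID.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample input, not real observations.
    sample = [f"11.0.0.{i}" for i in range(1, 251)] + ["10.0.0.5", "2001:db8::1", "n/a"]
    batches, skipped = prepare_bulk_batches(sample)
    print([len(b) for b in batches], skipped)
```
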

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: ai.tunnelmind
- Version: 0.4.0
- Runtime: Streamable HTTP
- Transports: HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 9, 2026
- Source: https://registry.modelcontextprotocol.io
