SecurityTrails MCP. Map every digital asset and historical record of a target domain.
SecurityTrails exposes domain intelligence for OSINT, bug bounty, and threat hunting. Connect your AI client to access historical DNS records, discover forgotten subdomains, map associated domains by IP, and query ownership data using a specialized DSL.
What your AI agents can do
- Finds other domains strongly associated with a primary target domain, expanding the scope of an investigation.
- Retrieves historical A, MX, and NS records for any given domain, showing how infrastructure migrated years ago.
- Lists every single domain that has ever pointed to a specific IP address, useful for shared hosting audits.
- Automatically discovers both active and inactive subdomains for a target domain.
- Runs complex boolean queries across the entire database, looking for specific combinations of IPs, emails, or tags.
SecurityTrails MCP Server: 10 Tools for Infrastructure Mapping
These tools let you query historical DNS records, map associated domains, enumerate subdomains, and execute advanced searches across the entire domain and IP database.
- `get_api_usage`: Checks how much of your current SecurityTrails API quota you have used.
- `get_associated_domains`: Finds other domains that are known to be related or associated with a given target domain.
- `get_dns_history`: Retrieves historical DNS records (A, MX, NS, TXT) for a specific domain name over time.
- `get_domain_details`: Gathers comprehensive intelligence and current DNS records for an entire target domain.
- `get_domain_tags`: Retrieves classification tags assigned to a specific domain name.
- `get_domains_by_ip`: Lists all domains that resolve or point to a single, specified IP address.
- `get_subdomains`: Discovers and lists both active and inactive subdomains for any given domain name.
- `get_whois`: Retrieves the current ownership details (WHOIS) for a specified domain name.
- `get_whois_history`: Looks up historical WHOIS records, useful for finding owners before privacy protection was implemented.
- `search_dsl`: Runs advanced searches across the entire database using a specialized Domain Specific Language (DSL).
What you can do with this MCP connector
SecurityTrails gives your agent deep visibility into domain and IP infrastructure, making it a core tool for OSINT, bug bounty hunting, and threat analysis. You connect your AI client to access years of historical records that standard lookups just can't touch.
Domain Intelligence & Mapping:
You’ve got get_domain_details which gathers comprehensive intelligence and the current DNS records for any target domain right off the bat. If you need more context, get_associated_domains finds every other domain known to be related or associated with a primary target—it expands your scope immediately. You can also run through get_domain_tags to see what classification tags are assigned to a specific name.
Tracing History and Ownership:
Want to know who owned the damn thing last year? Use get_whois_history for historical WHOIS records; this is crucial because it tracks ownership changes before privacy services kicked in. For current details, get_whois gives you the live owner information for a domain. When tracking infrastructure migration, get_dns_history retrieves time-stamped DNS records—A, MX, and NS records—showing exactly how a domain's underlying systems changed over years.
Discovering Hidden Assets:
The best part is mapping out what you can’t see right now. You use get_subdomains to automatically discover both active and inactive subdomains for any target domain name, giving you the full external footprint. If a bunch of different websites point to one single IP address, get_domains_by_ip lists every single domain that has ever resolved or pointed to that specific address—perfect for shared hosting audits.
You can also use get_associated_domains to map out related targets.
Advanced Search and Querying:
When you need a pattern match across the whole database, you run search_dsl. This specialized Domain Specific Language lets your agent perform complex boolean queries against IPs, emails, or tags. It’s how you find specific tech stacks or infrastructure patterns across multiple targets. You can also check out your usage with get_api_usage to see exactly how much of your current quota you've burned through.
This setup means your agent doesn't just look up what's current; it builds a complete timeline and network map of the target, revealing forgotten subdomains and historical owners that nobody else can find.
How SecurityTrails MCP Works
1. Subscribe to this server and generate an API key at SecurityTrails.
2. Your AI client (Claude, Cursor, etc.) calls a function like `get_subdomains(domain)` with the target domain.
3. The MCP Server sends the query to the SecurityTrails API and returns structured data containing the requested records or asset list.
The bottom line is: you run deep infrastructure queries through your agent, and it gets back organized network data that would take hours to compile manually.
Who Is SecurityTrails MCP For?
Security researchers. Threat intelligence analysts. Bug bounty hunters who need more than a simple search engine. You're the person who spends late nights tracing domain ownership changes and mapping out an opponent’s forgotten assets.
Uses get_subdomains to find overlooked entry points and runs get_associated_domains to broaden the scope of a target company.
Correlates data by using get_dns_history with search_dsl to map out an APT group's infrastructure changes over years.
Performs deep audits using get_domains_by_ip and get_whois_history to find common vulnerabilities or patterns in shared hosting environments.
What Changes When You Connect
- You map the full attack surface instantly. Running `get_subdomains` shows you more than just what's currently live—it finds inactive subdomains too. This is key for finding forgotten assets.
- Historical context solves mysteries. If the current WHOIS record looks clean, use `get_whois_history`. You can track domain ownership changes over years to uncover who really owns a setup.
- You pinpoint shared infrastructure with `get_domains_by_ip`. This tool is essential when dealing with poorly configured or shared hosting environments. It lists every domain on that single IP.
- Your investigation scope expands automatically. Use `get_associated_domains` to find related domains, preventing you from having to guess the next target in your research cycle.
- You cut through noise using `search_dsl`. Instead of running 10 different checks, you write one complex query—like finding all domains with a specific email and IP—and get the results immediately.
Real-World Use Cases
Investigating Domain Misdirection
A user reports an old phishing site is active. The agent first runs get_whois_history on the domain to see when ownership changed, then uses get_dns_history to check if any legacy IP addresses were used in the past. This combination pinpoints a specific time window and infrastructure change, confirming malicious intent.
Mapping Corporate Expansion
A company launches several new internal tools. The agent runs get_associated_domains on the primary corporate domain. It finds three related subdomains that weren't publicly listed in the initial scope, giving the security team a complete picture of the firm’s digital presence.
Auditing Shared Hosting Risks
The goal is to find all tenants sharing an IP. The agent runs get_domains_by_ip against the suspicious IP. It then cross-references these domains with get_subdomains to see if any of the co-located hosts have neglected subdomains that can be exploited.
Finding forgotten infrastructure
The team suspects an old, vulnerable development server exists. They run get_dns_history on the main domain and specify A records from 2018. The results reveal a retired IP that still resolves to an unpatched service.
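The comparison of historical and current A records described in these use cases can be run as a repeatable audit of a domain you own. The following is an added example, not code from Vinkius or SecurityTrails: the record fields (`ip`, `first_seen`, `last_seen`), the sample data and the `OWNED_NETS` ranges are constructed assumptions, not the API's actual response format.

```python
"""Reconcile historical A records with the current zone for a domain you own.

All data below is constructed; field names are assumptions for illustration,
not the SecurityTrails response schema.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# Address space the organisation currently controls (constructed, RFC 5737).
OWNED_NETS = [ip_network("203.0.113.0/24")]

# Constructed historical A-record observations for one hostname.
HISTORY = [
    {"ip": "198.51.100.7", "first_seen": "2018-02-01", "last_seen": "2019-06-30"},
    {"ip": "203.0.113.10", "first_seen": "2019-07-01", "last_seen": "2021-03-15"},
    {"ip": "203.0.113.25", "first_seen": "2021-03-16", "last_seen": "2024-05-01"},
    {"ip": "203.0.113.10", "first_seen": "2017-01-01", "last_seen": "2017-12-31"},
]
CURRENT = {"203.0.113.25"}  # what the zone resolves to today (constructed)


def retired_ips(history, current):
    """Return {ip: last_seen date} for IPs seen historically but not served now."""
    latest = {}
    for rec in history:
        ip = str(ip_address(rec["ip"]))  # validates and normalises the address
        seen = date.fromisoformat(rec["last_seen"])
        if ip not in latest or seen > latest[ip]:
            latest[ip] = seen
    return {ip: seen for ip, seen in latest.items() if ip not in current}


def triage(history, current, owned_nets):
    """Classify each retired IP and order the findings, most recent first."""
    findings = []
    for ip, seen in retired_ips(history, current).items():
        owned = any(ip_address(ip) in net for net in owned_nets)
        action = (
            "still ours: confirm the host is decommissioned or patched"
            if owned else
            "no longer ours: remove leftover references (allowlists, SPF, configs)"
        )
        findings.append({"ip": ip, "last_seen": seen.isoformat(),
                         "owned": owned, "action": action})
    return sorted(findings, key=lambda f: f["last_seen"], reverse=True)


if __name__ == "__main__":
    for f in triage(HISTORY, CURRENT, OWNED_NETS):
        print(f"{f['ip']:<15} last seen {f['last_seen']}  {f['action']}")
```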
The Tradeoffs
Only checking current DNS
Running only get_domain_details and assuming the data is comprehensive. This misses domains or IPs used two years ago, which are often more valuable for threat actors.
→ Always pair a current check with history. Run get_dns_history and combine it with get_whois_history. That gives you both the 'now' and the full timeline.
Running tools in isolation
Calling get_subdomains(target) and then calling get_associated_domains(target). You get two separate lists that don't speak to each other, leaving you with disjointed data.
→ Start broad. Use the DSL via search_dsl first. Define your query (e.g., 'IP X AND related domain Y') so the agent pulls all relevant data points in one go.
Stopping at IP lookups
Finding a bunch of domains via get_domains_by_ip but failing to check who owns them. You know what is there, but not who controls it.
→ After identifying suspicious domains using the IP lookup, immediately run get_whois or get_whois_history on each one to unmask ownership and potential threat actors.
When It Fits, When It Doesn't
Use this server if your investigation requires mapping external digital footprints over time. You need to know who owned a domain last year, what IPs were used two years ago, or every single asset associated with a primary target.
Don't use this if you only need to verify that the current DNS records are correct—use a simple public lookup for that. Also, remember this tool provides network intelligence; it doesn't provide real-time packet capture data or internal firewall logs. If your issue is determined to be local client policy enforcement (like an ISP routing block), this server won't solve it. It only confirms the external digital record.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by SecurityTrails. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Figuring out a target’s full digital footprint shouldn't require jumping between five different websites.
Today, mapping an organization requires manual clicks: checking current DNS records on one site, then opening another to check historical WHOIS data. You copy-paste domain names into a third tool just to see which IPs are associated with them. It's slow, it's fragmented, and you always miss the connections between these disparate data points.
With SecurityTrails MCP Server, your agent handles this entire process in one query flow. Instead of jumping sites, you ask for 'all assets related to X.' The server combines `get_subdomains`, `get_dns_history`, and `get_associated_domains` into a single output, giving you the complete picture immediately.
SecurityTrails MCP Server: Track domain ownership history with get_whois_history.
Manually checking historical records is almost impossible. You'd have to rely on archives that might be incomplete or paid access services. This process is tedious, and you’ll likely miss the crucial details—like when a domain was sold or who registered it before privacy protection kicked in.
The `get_whois_history` tool changes everything. It surfaces records of previous owners and registration dates directly to your agent. You track ownership shifts effortlessly, giving you intel on potential threat actors long before they start operating.
Common Questions About SecurityTrails MCP
Can I find old IPs with get_dns_history?
Yes. get_dns_history lets you look back at historical A, MX, and NS records for a domain. This is useful because an IP address used last year might still point to vulnerable, unpatched software.
How do I find related domains? Use get_associated_domains.
get_associated_domains finds other domains that are strongly linked to your main target. It's useful for expanding the scope of an investigation without manually guessing names.
Is there a way to search across multiple criteria? Use search_dsl.
Yes, search_dsl lets you run advanced queries using specific language syntax. You can combine IPs, WHOIS emails, and tags into one powerful command.
What is the difference between get_subdomains and get_associated_domains?
get_subdomains finds sub-branches of a specific domain (e.g., dev.company.com). get_associated_domains finds entirely separate domains that are related to the company but don't share the root name.
How do I check my current usage with get_api_usage?
You use get_api_usage to see your remaining API quota. It's essential for planning complex investigations, letting you know exactly how many calls you have left before hitting a rate limit.
What key data points does get_domain_details provide that other tools miss?
get_domain_details gives a complete intelligence profile for a domain. It compiles current DNS records and core infrastructure data in one call, saving you from running multiple single-purpose queries.
When should I use get_whois_history instead of get_whois?
You run get_whois_history when tracking ownership changes over time. It retrieves historical records, which is crucial for finding owners before current privacy protection was active.
How does get_domains_by_ip help identify shared hosting environments?
get_domains_by_ip lists every domain associated with a specific IP address. This is key for mapping out shared infrastructure and identifying related corporate assets pointing to the same host.
Is the SecurityTrails API free to use?
SecurityTrails offers a Free Tier API plan which allows 50 API requests per month. This is excellent for specific, targeted OSINT investigations. For automated or large-scale recon, you would need a commercial subscription.
What is historical DNS good for?
Companies often migrate infrastructure and hide behind WAFs like Cloudflare. Historical DNS reveals the original origin IP addresses used before the WAF was implemented, which might still be active and vulnerable to direct attacks. It's a critical tool in penetration testing.
How can I find related domains for a target company?
Use the get_associated_domains tool. It uses proprietary correlation to find other domains owned by the same entity. You can also use get_domains_by_ip to find what else is hosted on their IP space.