Securitytrails
SecurityTrails is a cybersecurity platform providing comprehensive domain, IP, DNS, and WHOIS intelligence data. It offers historical DNS records, subdomain discovery, WHOIS history, associated domains, passive DNS datasets, and website technology detection to support threat hunting, brand protection, cyber forensics, and attack surface management.
Common use cases
- Investigate phishing domains during security incidents
- Audit SSL certificate chains for compliance
- Enrich CRM records with company IP ranges
- Map infrastructure before penetration tests
- Monitor DNS changes for brand protection
Integration
- Vendor: Securitytrails
- Category: other
- Auth: API_KEY
- Tools: 12
- Composio slug: securitytrails
Tools
- Bulk Static Asset Rules
Tool to bulk add or remove static asset rules for a project. Use when performing batch updates (up to 1000 rules total) asynchronously; verify changes via the Get Static Assets endpoint.
- Get Company Associated IPs
Tool to retrieve IPs associated with a company domain. Use when you need to find all IP addresses linked to an organization's domain name.
- Get Domain
Tool to retrieve current data about a given domain, including DNS record statistics. Use when you need to fetch detailed domain insights after determining the target hostname.
- Get Domain SSL
Tool to fetch current and historical SSL certificate details for a hostname. Use when you need to retrieve SSL data after identifying the domain.
- IP Search Statistics
Tool to fetch summary statistics for an IP DSL query. Use when you need metrics for IP search queries.
- List ASI Projects
Tool to list ASI projects available to the account. Use when you need project IDs for subsequent ASI operations.
- Ping
Tool to test authentication and connectivity with the SecurityTrails API. Use after configuring API key.
- Scroll Results
Tool to continue scrolling through DSL search results. Use after receiving a scroll_id from a prior search to fetch the next batch of data.
- Search IPs
Tool to search IP addresses via SecurityTrails DSL. Use when you need to filter IPs with custom DSL queries.
- SQL API Execute Query
Tool to execute SQL queries across Hosts and IPs. Use when you need to retrieve data via SecurityTrails SQL API.
- SQL API Scroll Results
Tool to fetch next page of SQL query results. Use after obtaining scroll_id from initial SQL API response.
- Temp Scrape Securitytrails Usage
Temporary action for scraping Securitytrails usage from documentation.
Setup
Setup guide
1. Open your Switchy workspace and navigate to Settings > Integrations > MCP Servers.
2. Click 'Add MCP Server' and select SecurityTrails from the catalog.
3. Log into your SecurityTrails account at securitytrails.com, go to Account Settings > API, and generate a new API key (copy it immediately — you won't see it again).
4. Paste the API key into Switchy's configuration field and click 'Connect'.
5. Test the connection by creating a new Space, typing '@SecurityTrails ping' in the chat, and sending the message — you should see a success response confirming authentication.
6. Try a real query like '@SecurityTrails get domain for example.com' to fetch DNS statistics and verify the integration works end-to-end.
7. Check your SecurityTrails plan tier if certain tools return permission errors — some endpoints require paid subscriptions.
What teammates see: by default, memories from Securitytrails are scoped to the Space (PROJECT visibility) - you can mark any memory PRIVATE or share it ORG-wide.
How Switchy teams use it
Starter prompts
Domain Reconnaissance
@SecurityTrails get domain data for acme-corp.com and summarize the DNS record types, subdomain count, and any notable historical changes
SSL Certificate Audit
@SecurityTrails fetch SSL certificate details for api.example.com and list all issuers, expiration dates, and any certificates that expired in the last 90 days
Company IP Mapping
@SecurityTrails get all IPs associated with bigcorp.com and group them by ASN, then count how many are in cloud hosting ranges
Threat Intelligence Lookup
@SecurityTrails run an IP search for 203.0.113.42 and tell me the ASN, hosting provider, country, and whether it appears in any abuse databases
Bulk Asset Rule Update
@SecurityTrails bulk add these 50 IP ranges to project ID 12345 as static asset rules, then confirm the operation completed successfully
Example outputs
Illustrative - representative of the model's voice and quality, not literal recordings.
@securitytrails what SSL certificates are currently active for example.com and when do they expire?
SecurityTrails returned SSL certificate details for example.com. The current certificate is issued by Let's Encrypt, valid from January 15, 2025 to April 15, 2025 (expires in 47 days). Subject Alternative Names include www.example.com and api.example.com. Historical records show three prior certificates dating back to 2022, all using Let's Encrypt with 90-day validity periods. No expired certificates are currently serving traffic.
This example demonstrates SSL certificate enumeration, useful for security audits and expiration tracking. Requires API key authentication. Historical data depth depends on your SecurityTrails subscription tier; free accounts see limited history. Use this to monitor certificate rotation patterns or identify misconfigured domains.
@securitytrails find all IP addresses associated with acme-corp.com and group them by ASN
SecurityTrails identified 47 IP addresses linked to acme-corp.com. Grouped by Autonomous System: AS16509 (Amazon) hosts 31 IPs in us-east-1 and us-west-2 regions. AS15169 (Google Cloud) hosts 12 IPs in us-central1. AS13335 (Cloudflare) hosts 4 IPs serving CDN traffic. All IPs resolved within the last 30 days. Two legacy IPs in AS7018 (AT&T) appear inactive since November 2024.
This read-heavy example shows infrastructure mapping across cloud providers. Useful for attack surface enumeration or validating migration completeness. Results reflect DNS resolution history in SecurityTrails' database, not real-time scanning. Large enterprises may return hundreds of IPs; consider pagination for bulk analysis.
@securitytrails add monitoring rules to flag any new subdomains under *.internal.example.com in our ASI project
SecurityTrails queued 1 static asset rule for project ID proj_abc123. Rule configuration: monitor all subdomains matching *.internal.example.com, trigger alerts on new DNS A/AAAA records. Batch operation accepted; processing asynchronously. Verify rule activation by checking the Get Static Assets endpoint in 2-3 minutes. Once active, you'll receive notifications when SecurityTrails detects new subdomains in this namespace during its next crawl cycle (typically 24-48 hours).
This write example demonstrates proactive subdomain monitoring setup. The bulk rules tool supports up to 1000 rules per batch but processes asynchronously—immediate confirmation doesn't guarantee the rule is live. Requires an active ASI (Attack Surface Intelligence) subscription. Alerts depend on SecurityTrails' crawl frequency, not real-time DNS monitoring.
Use-case deep-dives
When SecurityTrails wins for tracing attack infrastructure
A 6-person security team investigating a phishing campaign needs to map the attacker's infrastructure in under an hour. SecurityTrails is the right call here: the Get Company Associated IPs and Get Domain tools let you pivot from a single suspicious domain to the full IP block and related hostnames in minutes, not days. The 12-tool scope gives you SSL history (Get Domain SSL) to spot certificate reuse patterns across campaigns. The trade-off: if you're triaging more than 50 domains per incident, the API rate limits slow you down—batch the lookups or use the Scroll Results tool to paginate large queries. For small-team IR where speed matters more than exhaustive coverage, this MCP closes the attribution loop fast.
When this MCP speeds up third-party risk assessment
A 3-person compliance team vetting 20 SaaS vendors per quarter can use SecurityTrails to automate the DNS and SSL hygiene checks that usually eat half a workday per vendor. The Get Domain and Get Domain SSL tools surface expired certificates, misconfigured DNS, and IP reputation flags without manual recon. The Ping tool confirms your API key works before you queue the batch. The limitation: SecurityTrails doesn't score or rank findings—you still need a human to decide if a vendor's subdomain sprawl is a red flag or just messy housekeeping. If your vendor list is under 30 domains per review cycle and you already have a scoring rubric, this MCP cuts the data-gathering phase from hours to minutes.
When this MCP fits ongoing typosquatting watch
A 2-person legal ops team at a fintech monitoring 200 lookalike domains for trademark abuse can use SecurityTrails to automate the weekly check for new registrations or SSL changes. The Get Domain tool pulls current DNS stats; the Scroll Results tool handles pagination when your watchlist grows past 100 entries. The Bulk Static Asset Rules tool lets you tag high-risk domains for faster triage next cycle. The catch: SecurityTrails doesn't alert you when a domain changes—you're polling, not streaming. If you need real-time notifications or your watchlist exceeds 500 domains, you'll hit API quota walls and need a dedicated monitoring service. For small teams running weekly or monthly sweeps on a manageable list, this MCP turns a spreadsheet slog into a 15-minute Switchy workflow.
Frequently asked
What does the SecurityTrails MCP do in Switchy?
It connects Switchy to SecurityTrails' threat intelligence database, letting your team query domain DNS records, SSL certificates, IP associations, and company infrastructure directly in conversations. Useful for security research, reconnaissance, or validating external assets without switching to the SecurityTrails web UI. All 12 tools run through your SecurityTrails API key.
Do I need a paid SecurityTrails account to use this MCP?
Yes. You need an active SecurityTrails subscription and a valid API key. The MCP authenticates via API_KEY, so whoever connects it must have key-generation permissions in your SecurityTrails account. Free-tier keys may hit rate limits quickly if your team runs bulk queries or scrolls large result sets.
Can the SecurityTrails MCP modify DNS records or SSL certificates?
No. It's read-only for domain and IP data. The only write operation is Bulk Static Asset Rules, which adds or removes asset-monitoring rules in SecurityTrails projects—it doesn't touch live DNS or certificates. If you need to change DNS, use your registrar or hosting provider directly.
How is this different from querying SecurityTrails in a browser?
The MCP lets you chain queries in a conversation—ask for a domain's SSL history, then pivot to associated IPs, then scroll through results—without copy-pasting between tabs. It's faster for exploratory research. The trade-off: you lose SecurityTrails' web visualisations and can't export CSVs directly from the UI.
Who on the team should connect the SecurityTrails MCP?
Whoever owns your SecurityTrails API key—typically a security lead or infrastructure engineer. Once connected, any Switchy workspace member can invoke the tools, so limit access if your SecurityTrails subscription has strict usage quotas or if queries reveal sensitive internal asset mappings.