The tools the agent actually uses.
36 pre-vetted Model Context Protocol servers, each paired to specific skills in the library. Browse the catalog, or install the whole stack as part of the Investigator's MCP Toolkit ($149 one-time — refreshes ship via the Update Subscription).
Free = no key. Freemium = bring your own API key (most have free tiers covering an investigator caseload).
A skill teaches the agent how.
An MCP server gives it the hands to do it.
The Model Context Protocol is the open standard — created by Anthropic, now adopted industry-wide — that lets an LLM actually run a tool and read the result: pull a live WHOIS, fetch a Wayback snapshot, sweep a username across 2,500 sites, trace a crypto wallet on-chain. An “MCP server” is one real tool wrapped in that protocol so your agent can call it.
Turns talk into action
Without tools, an LLM can only produce text. With an MCP server wired in, it executes the lookup, gets back real, current data, and reasons over it — all inside one conversation. The investigation runs in a loop instead of stalling on you.
It has no hands
Ask vanilla ChatGPT 'who owns this domain?' and it does one of two things: invents an answer (the hallucination that gets cases thrown out), or tells YOU to go run WHOIS and paste it back. No live data, no execution. Its handful of sandboxed plugins aren't 36 investigator-grade OSINT tools paired to a methodology.
You stop being the middleman
The agent runs Maigret, parses the 2,500-site sweep, pivots into crt.sh on the email it found, pulls 14 Wayback versions, diffs them, and flags the one that removed the office address — with a source and timestamp on every finding. One chat. Real data. Full provenance.
Bottom line: skills make the agent think like an investigator; MCP servers let it work like one. The two stack — methodology plus live tools — which is why the Investigator's MCP Toolkit pairs every server to the skills it powers.
OSINT — Seed & Pivot
5 servers
Maigret MCP
Wraps the `maigret` CLI to enumerate username presence across 2,500+ platforms and parse the result graph.
Sherlock MCP
Wraps the Sherlock tool for fast username searching. Complementary to Maigret — different platform list, fewer false positives on niche sites.
OSINT-Tools MCP (frishtik)
One-stop seed and pivot toolbox. Bundles four tools under a single MCP namespace: Sherlock (username), Holehe (email presence across sites), Maigret (username, 2,500+ sites), and theHarvester (email/subdomain harvesting per domain).
Have I Been Pwned MCP
Queries the HIBP API to return breach data for a given email address or domain. Lets Claude reason over breach overlap, infer source breaches, estimate when an email was first compromised, and prioritize credential-stuffing risk.
EXIF MCP
Extracts EXIF and XMP metadata from images locally, without uploading to any third-party service. Fast and offline.
OSINT — Media & Geolocation
3 servers
MCP Image Recognition
Wraps Anthropic or OpenAI vision APIs to extract text and visual elements from images. Used as a describe-then-search pivot for reverse image search and geolocation work.
OpenStreetMap MCP (NERV)
Full-featured OSM MCP using public Nominatim + Overpass endpoints. Forward/reverse geocoding, Overpass tag queries, routing, and SVG map generation for visual reasoning.
OpenStreetMap MCP (jagan-shanmugam)
Alternate OSM MCP with emphasis on neighborhood analysis and points-of-interest density queries. Easier `uvx` install than the NERV variant.
OSINT — Archival & Deep Web
2 servers
Wayback Machine MCP (Mearman)
Pulls CDX snapshot lists, fetches archived page content, and diffs versions over time. The primary recommended Wayback MCP.
Wayback Machine MCP (Cyreslab)
Alternate Wayback MCP with a `get_archived_page` tool that returns rendered text rather than raw CDX output. Useful when the Mearman variant's raw CDX output is too low-level for a given task.
OSINT — Records
3 servers
EdgarTools MCP
13+ tools for pulling, parsing, and monitoring SEC EDGAR filings in real time. Covers all major form types and includes XBRL financial parsing.
CourtListener MCP
Free Law Project's official MCP. Searches case law, retrieves PACER docket entries (via the RECAP archive), pulls judge profiles, and traces citation networks.
ADS-B MCP
Connects to an ADS-B feeder (your own RTL-SDR setup or a community endpoint like adsb.lol) to provide live and historical aircraft position data.
OSINT — Technical Infrastructure
7 servers
Domain MCP
Covers the core domain-pivoting toolkit: RDAP/WHOIS lookups, DNS-over-HTTPS records, SSL certificate parsing, and crt.sh certificate-transparency queries.
Shodan MCP
Queries Shodan for exposed services, pulls banner and certificate data, runs CVE-tagged searches, and traces shared infrastructure across IP ranges.
Censys MCP
Adversary Investigation platform's official MCP. Often catches infrastructure that Shodan misses, with deeper certificate transparency integration and richer service fingerprints.
DNSTwist MCP
Generates and resolves typosquat permutations of a target domain to find active phishing infrastructure or brand-abuse registrations.
GitHub MCP (official)
GitHub's official MCP server. Runs authenticated code search, pulls commits and file histories, and surfaces secret-scanning alerts.
CVE MCP Server
Comprehensive vulnerability intelligence MCP covering CVE lookup, EPSS exploit prediction, CISA KEV catalog, MITRE ATT&CK, CWE, OSV.dev, and more. 8 of 27 tools require zero API keys.
OSINT-MCP-Server (badchars)
Aggregated alternative to running 8 separate MCPs. Bundles Shodan, VirusTotal, Censys, SecurityTrails, crt.sh, Wayback Machine, GeoIP, and more under one MCP namespace.
OSINT — Platforms
5 servers
LinkedIn MCP
Queries LinkedIn directly using your own authenticated session cookie. Profile retrieval, company employee counts, and job postings.
Twitter/X Scraper MCP
Unofficial X scraper. Tweet search by query or user, account metadata, followers/following lists — without an X API subscription.
XActions (nirholas)
Alternative to the Twitter/X Scraper MCP (022, twitter-scraper-mcp). Broader X automation scope beyond search — includes posting, DM access, and richer interaction with the X API.
TikTok MCP
Pulls TikTok video metadata, profile information, and captions for content analysis.
YouTube Transcript MCP
Pulls YouTube captions, video metadata, and channel information. Backed by yt-dlp for robust access.
OSINT — Crypto & Financial
3 servers
Etherscan MCP
Queries Etherscan for Ethereum wallet histories, ERC20 token movements, ENS name resolution, and contract interaction analysis.
Blockscout MCP
Open-source, self-hostable EVM explorer covering 3,000+ chains. Critical for bridge-tracing investigations that move funds across Polygon, Arbitrum, Optimism, BSC, and other EVM networks beyond Ethereum mainnet.
Bitcoin MCP
Queries the Bitcoin blockchain for address balances, transaction inputs/outputs, and Lightning Network data. Can be pointed at a public node or your own Bitcoin Core instance.
Digital Forensics
6 servers
Volatility MCP
Wraps Volatility 3 to let Claude run memory forensics plugins via natural language. Reportedly 5-10x faster than manual plugin selection and execution for triage.
Wireshark MCP
Reads .pcap files, applies tshark display filters, follows TCP/UDP streams, and exports structured JSON. The khuynh22 variant is recommended — cross-platform, typed, and tested.
AWS PCAP Analyzer MCP
AWS-published sample MCP providing layered packet analysis beyond raw tshark output — flow reconstruction, anomaly detection, and IOC extraction from PCAP files.
WinForensics MCP
Wraps Kali Linux forensic tools (regripper, MFT parsing, Prefetch analysis, USB enumeration) for offline analysis of Windows forensic images.
MCP-ThreatIntel
Submit one IOC and the server fans out to OTX, AbuseIPDB, GreyNoise, URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker, and CISA KEV simultaneously, then synthesizes a unified threat picture.
VirusTotal MCP
Direct VT submission and relationship graph traversal. Covers files (hash + content), URLs, IP addresses, and domains with 70+ vendor verdicts and infrastructure relationship mapping.
Geospatial & Imagery
2 servers
Weather MCP
Queries historical and current weather for any location and time via Open-Meteo and NOAA. No API key required.
NCEI MCP
Queries NOAA's National Centers for Environmental Information (NCEI) Climate Data Online API. US-focused with higher precision than the global Open-Meteo sources used by the Weather MCP (035).
Skip the 36 README files.
The Investigator's MCP Toolkit ($149 one-time) ships pre-configured for Claude Code, Claude Desktop, Cursor, and Windsurf. Refreshes land through the Update Subscription as the ecosystem moves. Bring your own API keys for the freemium ones.
