npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

utem-mcp

v1.0.1

Published

UTEM MCP Server — Unified Threat Exposure Management for Claude

Readme

UTEM MCP Server

"See everything. Validate everything. Protect everything." -- now from Claude.

Overview

UTEM MCP Server is a TypeScript Model Context Protocol server that exposes the full UTEM (Unified Threat Exposure Management) platform as 100 tools accessible to Claude and other MCP-compatible AI assistants.

It wraps the entire UTEM security platform -- vulnerability scanning, attack path analysis, API security testing, cloud asset discovery, compliance automation, threat intelligence, and platform operations -- into a single MCP server that Claude can use directly.

Who it's for:

  • Security analysts running scans, triaging vulnerabilities, and hunting threats via conversational AI
  • CISOs pulling executive dashboards, compliance scores, and risk heatmaps through natural language
  • Developers integrating security checks into CI/CD pipelines via Claude

Quick Start

Environment Variables

export UTEM_BASE_URL=https://api.utem.innavoto.com
export UTEM_API_KEY=your-api-key-here

Run with npx

npx utem-mcp

Claude Desktop Configuration

Add the following to your claude_desktop_config.json:

{
  "mcpServers": {
    "utem": {
      "command": "npx",
      "args": ["utem-mcp"],
      "env": {
        "UTEM_BASE_URL": "https://api.utem.innavoto.com",
        "UTEM_API_KEY": "your-api-key-here"
      }
    }
  }
}

For self-hosted UTEM instances, replace UTEM_BASE_URL with your platform URL.

Configuration

Environment Variables

| Variable | Required | Default | Description | | --- | --- | --- | --- | | UTEM_BASE_URL | Yes | https://api.utem.innavoto.com | UTEM platform base URL | | UTEM_AUTH_MODE | No | api-key | Authentication mode: api-key or oauth | | UTEM_API_KEY | Yes (if api-key) | -- | API key for authentication | | UTEM_CLIENT_ID | Yes (if oauth) | -- | OAuth client ID | | UTEM_CLIENT_SECRET | Yes (if oauth) | -- | OAuth client secret | | UTEM_TOKEN_URL | No | .../api/v1/auth/login | OAuth token endpoint URL | | UTEM_OAUTH_REALM | No | utem | OAuth realm | | UTEM_MODULES | No | all | Comma-separated list of enabled modules | | UTEM_LOG_LEVEL | No | info | Logging level: debug, info, warn, error | | UTEM_CACHE_TTL | No | 60 | Cache TTL in seconds | | UTEM_RATE_LIMIT | No | 120 | Rate limit (requests per minute) | | UTEM_TRANSPORT | No | stdio | Transport mode: stdio or sse |

Authentication Modes

API Key (default): Set UTEM_AUTH_MODE=api-key and provide UTEM_API_KEY. The key is sent as a Bearer token on every request.

OAuth/JWT: Set UTEM_AUTH_MODE=oauth and provide UTEM_CLIENT_ID, UTEM_CLIENT_SECRET, and optionally UTEM_TOKEN_URL. The server handles token acquisition and refresh automatically.

Module Enable/Disable

By default all 8 modules are enabled. To load only specific modules, set:

UTEM_MODULES=scan-engine,exposure-manager,attack-path

Valid module names: scan-engine, exposure-manager, attack-path, api-security, cloud-assets, compliance, threat-intel, platform-ops.

Modules and Tools

1. Scan Engine (15 tools)

OSINT reconnaissance, vulnerability scanning, CVE database lookups, and scan scheduling.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_start_scan | Start a security scan against a target | target, scan_type?, modules? | | utem_list_scans | List all scans with pagination and status filtering | page?, page_size?, status_filter? | | utem_get_scan_status | Get current status and progress of a scan | scan_id | | utem_get_scan_results | Get full results and findings of a completed scan | scan_id, severity_filter? | | utem_stop_scan | Stop a running scan | scan_id | | utem_delete_scan | Delete a scan and its results permanently | scan_id | | utem_get_scan_logs | Get scanner output logs for debugging | scan_id, tail? | | utem_get_scan_live_activity | Get real-time activity feed for a running scan | scan_id | | utem_list_scan_modules | List all available scanner modules and capabilities | -- | | utem_start_cve_scan | Start a CVE vulnerability scan against targets | targets | | utem_search_cves | Search the CVE database by keyword, severity, or year | query, severity?, year? | | utem_get_cve_details | Get full details for a specific CVE | cve_id | | utem_sync_cve_database | Sync local CVE database with upstream NVD/MITRE feeds | -- | | utem_create_scan_schedule | Create a recurring scan schedule with cron expression | target, cron, modules? | | utem_list_scan_schedules | List all configured scan schedules | -- |

2. Exposure Manager (12 tools)

Vulnerability tracking, identity exposures, leaked sessions, risk scoring, and false-positive management.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_list_vulnerabilities | List vulnerability exposures with filters | severity?, status?, page?, page_size? | | utem_get_vulnerability | Get full details for a single vulnerability | exposure_id | | utem_list_identity_exposures | List compromised identity exposures | page?, page_size? | | utem_list_leaked_sessions | List leaked or hijacked session tokens | -- | | utem_get_exposure_trends | Get exposure trend data over a time period | period? (7d, 30d, 90d) | | utem_get_risk_score | Get the Cyber Risk Index (CRI) score | -- | | utem_get_threat_trends | Get threat trend data over time | -- | | utem_list_information_exposures | List data leaks and sensitive file exposures | page?, page_size? | | utem_mark_false_positive | Mark a finding as a false positive | finding_id, reason | | utem_list_false_positives | List all findings marked as false positives | -- | | utem_create_filter_rule | Create a filter rule for automatic finding processing | criteria, action | | utem_get_exposure_summary | Get high-level exposure summary by severity and category | -- |

3. Attack Path (20 tools)

Attack graph analysis, MITRE ATT&CK mapping, Monte Carlo simulation, remediation prioritization, and executive reporting.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_generate_attack_paths | Generate attack paths between assets | source_asset?, target_asset? | | utem_list_attack_paths | List all discovered attack paths | page? | | utem_get_attack_path | Get full details for a specific attack path | path_id | | utem_identify_choke_points | Identify network choke points where paths converge | -- | | utem_get_attack_graph | Retrieve the full attack graph | layout? | | utem_run_monte_carlo | Run Monte Carlo simulation for probabilistic risk | iterations? | | utem_simulate_remediation | Simulate impact of remediation actions on risk | actions | | utem_prioritize_remediation | Get prioritized remediation actions by risk reduction | -- | | utem_get_mitre_techniques | List MITRE ATT&CK techniques mapped to the environment | tactic_filter? | | utem_sync_mitre_attack | Sync latest MITRE ATT&CK framework data | -- | | utem_get_risk_metrics | Get aggregated risk metrics across all attack paths | -- | | utem_run_comprehensive_analysis | Full analysis combining paths, scoring, and MITRE mapping | -- | | utem_execute_playbook | Execute a response playbook | playbook_id | | utem_list_playbooks | List all available response playbooks | -- | | utem_get_network_topology | Retrieve network topology graph | -- | | utem_detect_segmentation_bypass | Detect paths that bypass network segmentation | -- | | utem_run_correlation | Correlate findings across scanners and threat intel | -- | | utem_get_visualization | Get attack graph visualization data | type? (force, 3d, heatmap, attack-flow) | | utem_get_executive_dashboard | Get executive-level risk dashboard | -- | | utem_generate_report | Generate attack path analysis report | report_type?, format? (pdf, json) |

4. API Security (15 tools)

API discovery, OWASP security testing, toxic combination detection, and CI/CD integration.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_create_api_target | Register a new API target for security testing | url, name | | utem_list_api_targets | List all registered API targets | -- | | utem_discover_api_endpoints | Trigger endpoint discovery via crawling or spec import | target_id, method? | | utem_start_api_scan | Start a security scan against an API target | target_id, tests? | | utem_get_api_findings | Retrieve security findings from API scans | scan_id?, severity? | | utem_get_toxic_combinations | Get exploitable endpoint combination chains | target_id? | | utem_import_har | Import API traffic from a HAR file | har_data | | utem_import_openapi | Import an OpenAPI/Swagger specification | spec_url | | utem_get_api_posture | Get overall security posture score for an API target | target_id | | utem_list_api_changes | List recently detected API changes | -- | | utem_trigger_cicd_scan | Trigger an API security scan for CI/CD pipelines | target_id | | utem_get_api_issues | Get open API security issues and remediation status | status? | | utem_create_custom_test | Create a custom API security test | name, config | | utem_schedule_api_scan | Schedule recurring API security scans | target_id, cron | | utem_analyze_jwt | Analyze a JWT token for security issues | token |

5. Cloud Assets (10 tools)

Multi-cloud (AWS, GCP, Azure) and on-prem (VMware, Hyper-V, OpenStack, Nutanix) asset discovery.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_discover_cloud_assets | Start cloud asset discovery for AWS, GCP, or Azure | provider, regions? | | utem_list_cloud_assets | List discovered cloud assets with filters | provider?, asset_type?, page? | | utem_get_asset_stats | Get asset summary statistics by provider, type, and risk | tenant_id? | | utem_get_discovery_status | Check status of a running cloud discovery scan | tenant_id, scan_id | | utem_cancel_discovery | Cancel a running cloud discovery scan | tenant_id, scan_id | | utem_test_cloud_credentials | Test cloud credentials for connectivity | provider | | utem_discover_vmware | Start VMware vCenter/vSphere asset discovery | vcenter_url? | | utem_discover_hyperv | Start Hyper-V asset discovery | host? | | utem_discover_openstack | Start OpenStack asset discovery | auth_url? | | utem_discover_nutanix | Start Nutanix cluster asset discovery | cluster_url? |

6. Compliance (8 tools)

Framework scoring (SOC2, ISO 27001, PCI-DSS, HIPAA), gap analysis, control tracking, and SIEM integration.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_get_compliance_scores | Get compliance scores across frameworks | framework? | | utem_get_compliance_gaps | Get failing or missing controls for a framework | framework? | | utem_get_compliance_controls | List controls with implementation status | framework?, status? | | utem_get_compliance_history | Get historical compliance score trends | period? | | utem_run_compliance_assessment | Trigger a fresh compliance assessment | framework | | utem_configure_siem | Configure a SIEM integration for log forwarding | type, config | | utem_test_siem_connection | Test the configured SIEM connection | -- | | utem_get_siem_config | Get current SIEM integration configuration | -- |

7. Threat Intelligence (10 tools)

Risk management, AI-powered threat hunting, correlation engine, and threat intelligence feeds.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_list_risks | List tracked risks with severity and status filters | severity?, status? | | utem_create_risk | Register a new risk in the risk register | title, severity, likelihood, impact | | utem_update_risk | Update a risk entry status or severity | risk_id, status?, severity? | | utem_get_risk_heatmap | Get risk heatmap -- likelihood vs impact matrix | -- | | utem_hunt_threats | Start AI-powered threat hunt using natural language | query, scope? | | utem_get_hunt_findings | Get findings from a threat hunt session | session_id? | | utem_list_hunt_sessions | List all threat hunt sessions | -- | | utem_run_threat_correlation | Run correlation engine across alerts and vulnerabilities | rules? | | utem_get_threat_indicators | Get threat indicators (IOCs) from the correlation engine | -- | | utem_manage_threat_feeds | Enable, disable, or test a threat intelligence feed | feed_id, action |

8. Platform Operations (10 tools)

Dashboards, health monitoring, notifications, integrations, audit trail, and billing.

| Tool | Description | Key Parameters | | --- | --- | --- | | utem_get_dashboard | Get executive dashboard overview | -- | | utem_get_platform_health | Get platform health -- service status, DB, queues | -- | | utem_list_notifications | List platform notifications | unread_only? | | utem_get_executive_kpis | Get KPIs: MTTD, MTTR, risk reduction, compliance | -- | | utem_list_alerts | List active platform alerts | severity? | | utem_get_integration_status | Get health of all configured integrations | -- | | utem_list_integrations | List all available and configured integrations | -- | | utem_configure_integration | Configure an external integration | type, config | | utem_get_audit_trail | Get the platform audit trail | action?, user? | | utem_get_billing_usage | Get current billing period usage | -- |

Architecture

Claude / AI Assistant
        |
   MCP Protocol (stdio or SSE)
        |
  UTEM MCP Server (TypeScript)
   |    |    |    |    |    |    |    |
   v    v    v    v    v    v    v    v
  Scan  Exp  Atk  API  Cloud Comp Threat Plat
  Eng   Mgr  Path Sec  Asset      Intel  Ops
        |
  UTEM API Client (axios, auth, cache, rate-limit)
        |
  UTEM Platform APIs
  (utem-platform-backend, utem-apm, utem-apiwatch, utem-platform-multitenant)

The server uses a modular architecture where each capability module registers its own tools and handles API calls independently. The shared API client provides authentication, caching, and rate limiting. A job manager tracks long-running operations (scans, discovery, analysis) across all modules.

Development

Install Dependencies

npm install

Run in Development Mode

npm run dev

Build

npm run build

Run Tests

npm test
npm run test:coverage

Lint and Type Check

npm run lint
npm run typecheck

Project Structure

utem-mcp/
  src/
    index.ts              # Entry point and transport setup
    server.ts             # MCP server registration and routing
    core/
      api-client.ts       # HTTP client with auth, cache, rate-limit
      job-manager.ts      # Long-running job tracker
    modules/
      base.ts             # CapabilityModule interface and helpers
      scan-engine/        # 15 tools — scanning and CVE
      exposure-manager/   # 12 tools — vulnerabilities and risk
      attack-path/        # 20 tools — APM and MITRE
      api-security/       # 15 tools — API testing
      cloud-assets/       # 10 tools — asset discovery
      compliance/         #  8 tools — frameworks and SIEM
      threat-intel/       # 10 tools — hunting and correlation
      platform-ops/       # 10 tools — dashboard and ops
    types/
      common.ts           # Shared type definitions
      mcp.ts              # MCP protocol types
      utem.ts             # UTEM domain types

Requirements

  • Node.js >= 20.0.0
  • UTEM platform access -- either api.utem.innavoto.com (cloud) or a self-hosted UTEM instance
  • A valid API key or OAuth credentials for the target UTEM platform

License

MIT -- Innavoto Technologies