utem-mcp
v1.0.1
Published
UTEM MCP Server — Unified Threat Exposure Management for Claude
Readme
UTEM MCP Server
"See everything. Validate everything. Protect everything." -- now from Claude.
Overview
UTEM MCP Server is a TypeScript Model Context Protocol server that exposes the full UTEM (Unified Threat Exposure Management) platform as 100 tools accessible to Claude and other MCP-compatible AI assistants.
It wraps the entire UTEM security platform -- vulnerability scanning, attack path analysis, API security testing, cloud asset discovery, compliance automation, threat intelligence, and platform operations -- into a single MCP server that Claude can use directly.
Who it's for:
- Security analysts running scans, triaging vulnerabilities, and hunting threats via conversational AI
- CISOs pulling executive dashboards, compliance scores, and risk heatmaps through natural language
- Developers integrating security checks into CI/CD pipelines via Claude
Quick Start
Environment Variables
export UTEM_BASE_URL=https://api.utem.innavoto.com
export UTEM_API_KEY=your-api-key-hereRun with npx
npx utem-mcpClaude Desktop Configuration
Add the following to your claude_desktop_config.json:
{
"mcpServers": {
"utem": {
"command": "npx",
"args": ["utem-mcp"],
"env": {
"UTEM_BASE_URL": "https://api.utem.innavoto.com",
"UTEM_API_KEY": "your-api-key-here"
}
}
}
}For self-hosted UTEM instances, replace UTEM_BASE_URL with your platform URL.
Configuration
Environment Variables
| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| UTEM_BASE_URL | Yes | https://api.utem.innavoto.com | UTEM platform base URL |
| UTEM_AUTH_MODE | No | api-key | Authentication mode: api-key or oauth |
| UTEM_API_KEY | Yes (if api-key) | -- | API key for authentication |
| UTEM_CLIENT_ID | Yes (if oauth) | -- | OAuth client ID |
| UTEM_CLIENT_SECRET | Yes (if oauth) | -- | OAuth client secret |
| UTEM_TOKEN_URL | No | .../api/v1/auth/login | OAuth token endpoint URL |
| UTEM_OAUTH_REALM | No | utem | OAuth realm |
| UTEM_MODULES | No | all | Comma-separated list of enabled modules |
| UTEM_LOG_LEVEL | No | info | Logging level: debug, info, warn, error |
| UTEM_CACHE_TTL | No | 60 | Cache TTL in seconds |
| UTEM_RATE_LIMIT | No | 120 | Rate limit (requests per minute) |
| UTEM_TRANSPORT | No | stdio | Transport mode: stdio or sse |
Authentication Modes
API Key (default): Set UTEM_AUTH_MODE=api-key and provide UTEM_API_KEY. The key is sent as a Bearer token on every request.
OAuth/JWT: Set UTEM_AUTH_MODE=oauth and provide UTEM_CLIENT_ID, UTEM_CLIENT_SECRET, and optionally UTEM_TOKEN_URL. The server handles token acquisition and refresh automatically.
Module Enable/Disable
By default all 8 modules are enabled. To load only specific modules, set:
UTEM_MODULES=scan-engine,exposure-manager,attack-pathValid module names: scan-engine, exposure-manager, attack-path, api-security, cloud-assets, compliance, threat-intel, platform-ops.
Modules and Tools
1. Scan Engine (15 tools)
OSINT reconnaissance, vulnerability scanning, CVE database lookups, and scan scheduling.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_start_scan | Start a security scan against a target | target, scan_type?, modules? |
| utem_list_scans | List all scans with pagination and status filtering | page?, page_size?, status_filter? |
| utem_get_scan_status | Get current status and progress of a scan | scan_id |
| utem_get_scan_results | Get full results and findings of a completed scan | scan_id, severity_filter? |
| utem_stop_scan | Stop a running scan | scan_id |
| utem_delete_scan | Delete a scan and its results permanently | scan_id |
| utem_get_scan_logs | Get scanner output logs for debugging | scan_id, tail? |
| utem_get_scan_live_activity | Get real-time activity feed for a running scan | scan_id |
| utem_list_scan_modules | List all available scanner modules and capabilities | -- |
| utem_start_cve_scan | Start a CVE vulnerability scan against targets | targets |
| utem_search_cves | Search the CVE database by keyword, severity, or year | query, severity?, year? |
| utem_get_cve_details | Get full details for a specific CVE | cve_id |
| utem_sync_cve_database | Sync local CVE database with upstream NVD/MITRE feeds | -- |
| utem_create_scan_schedule | Create a recurring scan schedule with cron expression | target, cron, modules? |
| utem_list_scan_schedules | List all configured scan schedules | -- |
2. Exposure Manager (12 tools)
Vulnerability tracking, identity exposures, leaked sessions, risk scoring, and false-positive management.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_list_vulnerabilities | List vulnerability exposures with filters | severity?, status?, page?, page_size? |
| utem_get_vulnerability | Get full details for a single vulnerability | exposure_id |
| utem_list_identity_exposures | List compromised identity exposures | page?, page_size? |
| utem_list_leaked_sessions | List leaked or hijacked session tokens | -- |
| utem_get_exposure_trends | Get exposure trend data over a time period | period? (7d, 30d, 90d) |
| utem_get_risk_score | Get the Cyber Risk Index (CRI) score | -- |
| utem_get_threat_trends | Get threat trend data over time | -- |
| utem_list_information_exposures | List data leaks and sensitive file exposures | page?, page_size? |
| utem_mark_false_positive | Mark a finding as a false positive | finding_id, reason |
| utem_list_false_positives | List all findings marked as false positives | -- |
| utem_create_filter_rule | Create a filter rule for automatic finding processing | criteria, action |
| utem_get_exposure_summary | Get high-level exposure summary by severity and category | -- |
3. Attack Path (20 tools)
Attack graph analysis, MITRE ATT&CK mapping, Monte Carlo simulation, remediation prioritization, and executive reporting.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_generate_attack_paths | Generate attack paths between assets | source_asset?, target_asset? |
| utem_list_attack_paths | List all discovered attack paths | page? |
| utem_get_attack_path | Get full details for a specific attack path | path_id |
| utem_identify_choke_points | Identify network choke points where paths converge | -- |
| utem_get_attack_graph | Retrieve the full attack graph | layout? |
| utem_run_monte_carlo | Run Monte Carlo simulation for probabilistic risk | iterations? |
| utem_simulate_remediation | Simulate impact of remediation actions on risk | actions |
| utem_prioritize_remediation | Get prioritized remediation actions by risk reduction | -- |
| utem_get_mitre_techniques | List MITRE ATT&CK techniques mapped to the environment | tactic_filter? |
| utem_sync_mitre_attack | Sync latest MITRE ATT&CK framework data | -- |
| utem_get_risk_metrics | Get aggregated risk metrics across all attack paths | -- |
| utem_run_comprehensive_analysis | Full analysis combining paths, scoring, and MITRE mapping | -- |
| utem_execute_playbook | Execute a response playbook | playbook_id |
| utem_list_playbooks | List all available response playbooks | -- |
| utem_get_network_topology | Retrieve network topology graph | -- |
| utem_detect_segmentation_bypass | Detect paths that bypass network segmentation | -- |
| utem_run_correlation | Correlate findings across scanners and threat intel | -- |
| utem_get_visualization | Get attack graph visualization data | type? (force, 3d, heatmap, attack-flow) |
| utem_get_executive_dashboard | Get executive-level risk dashboard | -- |
| utem_generate_report | Generate attack path analysis report | report_type?, format? (pdf, json) |
4. API Security (15 tools)
API discovery, OWASP security testing, toxic combination detection, and CI/CD integration.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_create_api_target | Register a new API target for security testing | url, name |
| utem_list_api_targets | List all registered API targets | -- |
| utem_discover_api_endpoints | Trigger endpoint discovery via crawling or spec import | target_id, method? |
| utem_start_api_scan | Start a security scan against an API target | target_id, tests? |
| utem_get_api_findings | Retrieve security findings from API scans | scan_id?, severity? |
| utem_get_toxic_combinations | Get exploitable endpoint combination chains | target_id? |
| utem_import_har | Import API traffic from a HAR file | har_data |
| utem_import_openapi | Import an OpenAPI/Swagger specification | spec_url |
| utem_get_api_posture | Get overall security posture score for an API target | target_id |
| utem_list_api_changes | List recently detected API changes | -- |
| utem_trigger_cicd_scan | Trigger an API security scan for CI/CD pipelines | target_id |
| utem_get_api_issues | Get open API security issues and remediation status | status? |
| utem_create_custom_test | Create a custom API security test | name, config |
| utem_schedule_api_scan | Schedule recurring API security scans | target_id, cron |
| utem_analyze_jwt | Analyze a JWT token for security issues | token |
5. Cloud Assets (10 tools)
Multi-cloud (AWS, GCP, Azure) and on-prem (VMware, Hyper-V, OpenStack, Nutanix) asset discovery.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_discover_cloud_assets | Start cloud asset discovery for AWS, GCP, or Azure | provider, regions? |
| utem_list_cloud_assets | List discovered cloud assets with filters | provider?, asset_type?, page? |
| utem_get_asset_stats | Get asset summary statistics by provider, type, and risk | tenant_id? |
| utem_get_discovery_status | Check status of a running cloud discovery scan | tenant_id, scan_id |
| utem_cancel_discovery | Cancel a running cloud discovery scan | tenant_id, scan_id |
| utem_test_cloud_credentials | Test cloud credentials for connectivity | provider |
| utem_discover_vmware | Start VMware vCenter/vSphere asset discovery | vcenter_url? |
| utem_discover_hyperv | Start Hyper-V asset discovery | host? |
| utem_discover_openstack | Start OpenStack asset discovery | auth_url? |
| utem_discover_nutanix | Start Nutanix cluster asset discovery | cluster_url? |
6. Compliance (8 tools)
Framework scoring (SOC2, ISO 27001, PCI-DSS, HIPAA), gap analysis, control tracking, and SIEM integration.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_get_compliance_scores | Get compliance scores across frameworks | framework? |
| utem_get_compliance_gaps | Get failing or missing controls for a framework | framework? |
| utem_get_compliance_controls | List controls with implementation status | framework?, status? |
| utem_get_compliance_history | Get historical compliance score trends | period? |
| utem_run_compliance_assessment | Trigger a fresh compliance assessment | framework |
| utem_configure_siem | Configure a SIEM integration for log forwarding | type, config |
| utem_test_siem_connection | Test the configured SIEM connection | -- |
| utem_get_siem_config | Get current SIEM integration configuration | -- |
7. Threat Intelligence (10 tools)
Risk management, AI-powered threat hunting, correlation engine, and threat intelligence feeds.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_list_risks | List tracked risks with severity and status filters | severity?, status? |
| utem_create_risk | Register a new risk in the risk register | title, severity, likelihood, impact |
| utem_update_risk | Update a risk entry status or severity | risk_id, status?, severity? |
| utem_get_risk_heatmap | Get risk heatmap -- likelihood vs impact matrix | -- |
| utem_hunt_threats | Start AI-powered threat hunt using natural language | query, scope? |
| utem_get_hunt_findings | Get findings from a threat hunt session | session_id? |
| utem_list_hunt_sessions | List all threat hunt sessions | -- |
| utem_run_threat_correlation | Run correlation engine across alerts and vulnerabilities | rules? |
| utem_get_threat_indicators | Get threat indicators (IOCs) from the correlation engine | -- |
| utem_manage_threat_feeds | Enable, disable, or test a threat intelligence feed | feed_id, action |
8. Platform Operations (10 tools)
Dashboards, health monitoring, notifications, integrations, audit trail, and billing.
| Tool | Description | Key Parameters |
| --- | --- | --- |
| utem_get_dashboard | Get executive dashboard overview | -- |
| utem_get_platform_health | Get platform health -- service status, DB, queues | -- |
| utem_list_notifications | List platform notifications | unread_only? |
| utem_get_executive_kpis | Get KPIs: MTTD, MTTR, risk reduction, compliance | -- |
| utem_list_alerts | List active platform alerts | severity? |
| utem_get_integration_status | Get health of all configured integrations | -- |
| utem_list_integrations | List all available and configured integrations | -- |
| utem_configure_integration | Configure an external integration | type, config |
| utem_get_audit_trail | Get the platform audit trail | action?, user? |
| utem_get_billing_usage | Get current billing period usage | -- |
Architecture
Claude / AI Assistant
|
MCP Protocol (stdio or SSE)
|
UTEM MCP Server (TypeScript)
| | | | | | | |
v v v v v v v v
Scan Exp Atk API Cloud Comp Threat Plat
Eng Mgr Path Sec Asset Intel Ops
|
UTEM API Client (axios, auth, cache, rate-limit)
|
UTEM Platform APIs
(utem-platform-backend, utem-apm, utem-apiwatch, utem-platform-multitenant)The server uses a modular architecture where each capability module registers its own tools and handles API calls independently. The shared API client provides authentication, caching, and rate limiting. A job manager tracks long-running operations (scans, discovery, analysis) across all modules.
Development
Install Dependencies
npm installRun in Development Mode
npm run devBuild
npm run buildRun Tests
npm test
npm run test:coverageLint and Type Check
npm run lint
npm run typecheckProject Structure
utem-mcp/
src/
index.ts # Entry point and transport setup
server.ts # MCP server registration and routing
core/
api-client.ts # HTTP client with auth, cache, rate-limit
job-manager.ts # Long-running job tracker
modules/
base.ts # CapabilityModule interface and helpers
scan-engine/ # 15 tools — scanning and CVE
exposure-manager/ # 12 tools — vulnerabilities and risk
attack-path/ # 20 tools — APM and MITRE
api-security/ # 15 tools — API testing
cloud-assets/ # 10 tools — asset discovery
compliance/ # 8 tools — frameworks and SIEM
threat-intel/ # 10 tools — hunting and correlation
platform-ops/ # 10 tools — dashboard and ops
types/
common.ts # Shared type definitions
mcp.ts # MCP protocol types
utem.ts # UTEM domain typesRequirements
- Node.js >= 20.0.0
- UTEM platform access -- either
api.utem.innavoto.com(cloud) or a self-hosted UTEM instance - A valid API key or OAuth credentials for the target UTEM platform
License
MIT -- Innavoto Technologies
