A Python toolkit providing security checks for domains, URLs, IPs, and more. Integrate easily into any Python application, use via terminal CLI, or run as an MCP server to enrich LLM context with real-time threat insights.
Developed by Montimage, a company specializing in cybersecurity and network monitoring solutions.
- Features
- Installation
- Quick Start
- Usage
- Performance Optimization
- Benchmarking
- Configuration
- Development
- License
- Comprehensive Security Checks: Validate domains, URLs, and IP addresses against multiple blacklist feeds
- Multiple Threat Sources: OpenPhish, PhishTank, PhishStats, URLhaus, BlocklistDE, CINSSCORE, and more
- High Performance: Ultra-fast in-memory storage with 1000-20,000x speedup over database-only approach
- Smart Optimizations: Tiered lookup, URL normalization, and integer IPv4 storage for maximum efficiency
- Flexible Integration: Use as Python library, CLI tool, or MCP server for LLM integration
- Thread-Safe: SQLite storage with WAL mode and in-memory caching for concurrent operations
- Auto-Updates: Scheduled daily updates from threat intelligence sources
- Rich Monitoring: Built-in metrics, health checks, and performance tracking
pip install sec-mcp- Python 3.8+
- SQLite 3
- Optional:
pytriciaandpsutilfor benchmarking
-
Create a virtual environment (recommended):
python3 -m venv .venv source .venv/bin/activate # Windows: .venv\Scripts\activate.bat
-
Install sec-mcp:
pip install sec-mcp
-
Initialize and update the database:
sec-mcp update
-
Check the status:
sec-mcp status
-
Check a URL:
sec-mcp check https://example.com
sec-mcp check https://example.com
sec-mcp check malicious-domain.com
sec-mcp check 192.168.1.1# From a file (one URL/domain/IP per line)
sec-mcp batch urls.txt
# With output to file
sec-mcp batch urls.txt --output results.json# Check blacklist status
sec-mcp status
# Update blacklists
sec-mcp update
# Get detailed statistics
sec-mcp statsfrom sec_mcp import SecMCP
# Initialize client
client = SecMCP()
# Update database (run once after installation)
client.update()
# Single check
result = client.check("https://example.com")
print(f"Safe: {result.is_safe}")
print(f"Source: {result.source}")
# Batch check
urls = ["https://example.com", "https://test.com", "192.168.1.1"]
results = client.check_batch(urls)
for r in results:
print(f"{r.value}: {'SAFE' if r.is_safe else 'BLOCKED'}")
# Get statistics
status = client.get_status()
print(f"Total entries: {status.total_entries}")
print(f"Last update: {status.last_update}")sec-mcp can run as an MCP server for AI/LLM integration (e.g., Claude, Windsurf, Cursor).
-
Install sec-mcp in a virtual environment (see Quick Start)
-
Update the blacklist:
sec-mcp update
-
Configure your MCP client (e.g.,
claude_desktop_config.json):{ "mcpServers": { "sec-mcp": { "command": "/absolute/path/to/.venv/bin/python", "args": ["-m", "sec_mcp.start_server"], "env": { "MCP_USE_V2_STORAGE": "true" } } } }Important: Use the absolute path to your virtual environment's Python executable.
- macOS/Linux:
/path/to/.venv/bin/python - Windows:
C:\path\to\.venv\Scripts\python.exe
- macOS/Linux:
| Tool Name | Description |
|---|---|
check_batch |
Check multiple domains/URLs/IPs in one call |
get_status |
Get blacklist status including entry counts and per-source breakdown |
update_blacklists |
Force immediate update of all blacklists |
get_diagnostics |
Get diagnostic info with modes: summary, full, health, performance, sample |
add_entry |
Manually add a blacklist entry |
remove_entry |
Remove a blacklist entry by URL or IP address |
Note: The tools have been optimized to reduce token usage while maintaining full functionality. The get_diagnostics tool consolidates multiple monitoring functions with different modes.
The get_diagnostics tool provides flexible monitoring with the following modes:
summary(default): Entry counts, sources, and last update timesfull: Complete diagnostic data including health, stats, and performancehealth: Database and scheduler health status onlyperformance: Performance metrics and hit rates (v2 storage only)sample: Random sample of blacklist entries (usesample_countparameter)
Example usage:
# Get basic summary
await get_diagnostics()
# Check system health
await get_diagnostics(mode="health")
# Get performance metrics
await get_diagnostics(mode="performance")
# Sample 20 entries
await get_diagnostics(mode="sample", sample_count=20)Enable ultra-fast in-memory storage for dramatic performance improvements:
export MCP_USE_V2_STORAGE=true| Operation | v1 (Database) | v0.3.0 (Hybrid) | v0.4.0 (Optimized) | Speedup (vs v1) |
|---|---|---|---|---|
| Domain check | 10ms | 0.01ms | 0.006ms | 1,600x |
| URL check | 5ms | 0.001ms | 0.0007ms | 7,000x |
| IP + CIDR check | 200ms | 0.01ms | 0.007ms | 28,000x |
| Batch 100 items | 2-3s | 50-100ms | 50-100ms | 30x |
- v1 (default): ~10MB (database on disk)
- v0.3.0 (v2): ~60-80MB (in-memory for 125K entries)
- v0.4.0 (v2 optimized): ~40-50MB (in-memory for 450K entries) - 30-40% reduction!
-
Tiered Lookup (Hot/Cold Sources):
- Checks frequently-hit sources first for early exit
- 70-90% of lookups hit hot sources
- Based on production data analysis
-
URL Normalization:
- Automatically catches variations:
HTTP://EVIL.COM/βhttp://evil.com - Removes tracking parameters:
?utm_source=spam,?fbclid=123 - 15-25% memory reduction
- Automatically catches variations:
-
Integer IPv4 Storage:
- 4 bytes per IP (vs 13+ bytes as string)
- 5-10% faster comparisons
- ~1-2MB memory savings
# Via MCP tool or Python API
metrics = client.get_storage_metrics()
# Returns:
{
"total_lookups": 1234,
"domain_lookups": 567,
"url_lookups": 432,
"ip_lookups": 235,
"avg_lookup_time_ms": "0.0123",
"memory_usage_mb": "45.3",
"hit_rate": 0.89,
"using_pytricia": true
}unset MCP_USE_V2_STORAGE
# or
export MCP_USE_V2_STORAGE=falseCompare performance across different storage implementations:
# Install dependencies
pip install pytricia psutil
# Quick benchmark (10K entries, ~30 seconds)
./run_benchmark.sh --quick
# Standard benchmark (50K entries, ~2 minutes)
./run_benchmark.sh
# Full benchmark (100K entries, ~5 minutes)
./run_benchmark.sh --full --memory
# Compare specific versions
./run_benchmark.sh --v1 --v2opt # Compare v1 vs v0.4.0
./run_benchmark.sh --all # Compare all versions| Flag | Description |
|---|---|
--quick |
Quick benchmark with 10K entries (500 iterations) |
--full |
Full benchmark with 100K entries (1000 iterations) |
--all |
Compare all versions (v1, v0.3.0, v0.4.0) |
--v1 |
Benchmark v1 (database-only storage) |
--v2 |
Benchmark v0.3.0 (hybrid storage) |
--v2opt |
Benchmark v0.4.0 (optimized hybrid storage) |
--memory |
Include memory profiling (requires psutil) |
BENCHMARK RESULTS COMPARISON
================================================================================
Operation v1 (DB) v0.3.0 (Hybrid) v0.4.0 (Optimized) Speedup
----------------------------------------------------------------------------------------------------
domain_lookup 9.8234ms 0.0098ms 0.0059ms 1,664x
url_lookup 4.5632ms 0.0009ms 0.0007ms 6,519x
ip_lookup 198.2341ms 0.0103ms 0.0071ms 27,920x
batch_100 2453.21ms 87.45ms 72.31ms 33.9x
v0.4.0 OPTIMIZATION METRICS
================================================================================
Domain Lookup Hot source hit rate: 100.0%
URL Lookup Hot source hit rate: 98.9%
IP Lookup Hot source hit rate: 88.9%
For detailed benchmarking instructions and methodology, see BENCHMARK_PLAYBOOK.md.
| Variable | Description | Default |
|---|---|---|
MCP_DB_PATH |
Custom database location | Platform-specific (see below) |
MCP_USE_V2_STORAGE |
Enable high-performance mode | false |
- macOS:
~/Library/Application Support/sec-mcp/mcp.db - Linux:
~/.local/share/sec-mcp/mcp.db - Windows:
%APPDATA%\sec-mcp\mcp.db
export MCP_DB_PATH=/path/to/custom/location/mcp.dbEdit config.json to customize:
{
"blacklist_sources": {
"PhishTank": "https://...",
"URLhaus": "https://..."
},
"update_time": "00:00",
"cache_size": 10000,
"log_level": "INFO"
}# Clone repository
git clone https://github.com/montimage/sec-mcp.git
cd sec-mcp
# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate
# Install in development mode
pip install -e .
# Install development dependencies
pip install pytricia psutil pytest# Run all tests
pytest
# Run with coverage
pytest --cov=sec_mcp --cov-report=htmlsec-mcp/
βββ sec_mcp/ # Main package
β βββ __init__.py
β βββ storage.py # v1 storage (database-only)
β βββ storage_v2.py # v2 storage (hybrid in-memory)
β βββ start_server.py # MCP server
β βββ cli.py # CLI interface
βββ benchmark.py # Benchmark script
βββ run_benchmark.sh # Benchmark helper script
βββ dev-docs/ # Development documentation (git-ignored)
βββ tests/ # Test suite
βββ README.md # This file
MIT License - see LICENSE file for details.
sec-mcp is developed and maintained by Montimage, a company specializing in cybersecurity and network monitoring solutions. Montimage provides innovative security tools and services to help organizations protect their digital assets and ensure the security of their networks.
- Issues: GitHub Issues
- Email: contact@montimage.eu
- Website: https://www.montimage.eu
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add some amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Threat intelligence sources: OpenPhish, PhishTank, PhishStats, URLhaus, BlocklistDE, CINSSCORE, and others
- Built with Model Context Protocol (MCP)
- Powered by Python and SQLite