Wraps the GreyNoise reputation API to check whether IP addresses are internet background noise or potentially targeted threats. Exposes check_ip for single lookups and check_ips for batch queries (up to 10 at once), returning classifications like malicious scanner, benign service (RIOT), or critically, NOT NOISE, which suggests someone is specifically targeting you rather than mass scanning. Works out of the box with 10 free daily lookups, or 50 with a free API key. Most useful during SOC triage and incident response when you need to quickly separate routine scanner traffic from IPs that deserve closer attention. The server only reads from GreyNoise and stores nothing between requests.
claude mcp add --transport stdio io.github.nickjlucker-greynoise -- npx -y mcp-greynoise