The MCP server exposes 18 tools that map to Intruder API endpoints. Your AI agent calls these automatically based on your natural language prompts so you don't need to reference them directly.
| Tool | Description |
|---|
get_user | Returns the email address of the authenticated API user |
get_status | Returns the current status of the Intruder API |
| Tool | Description | Key parameters |
|---|
list_targets | Lists all targets with their IDs, addresses, and status (live, license_exceeded, unscanned, unresponsive, agent_uninstalled) | — |
create_targets | Adds one or more targets to your account | addresses — list of target addresses (e.g. ['example.com', 'test.com']) |
delete_target | Removes a target from your account | target_id |
| Tool | Description | Key parameters |
|---|
list_tags | Lists all tags in your account, optionally filtered by target | target_address (optional) |
create_target_tag | Adds a tag to a target (max 40 characters) | target_id, name |
delete_target_tag | Removes a tag from a target | target_id, tag_name |
| Tool | Description | Key parameters |
|---|
list_scans | Lists scans with optional filters | status (optional) — in_progress, completed, cancelled, cancelled_no_active_targets, cancelled_no_valid_targets, analysing_results; scan_type (optional) — assessment_schedule, new_service, cloudbot_new_target, rapid_remediation, advisory, cloud_security |
create_scan | Starts a scan on specified targets or tagged targets | target_addresses (optional), tag_names (optional) |
get_scan | Retrieves full details of a specific scan, including status, timestamps, and target list | scan_id |
cancel_scan | Cancels a running scan | scan_id |
| Tool | Description | Key parameters |
|---|
list_issues | Lists issues with optional filters | target_addresses (optional), tag_names (optional), snoozed (optional), severity (optional) — critical, high, medium, low |
list_occurrences | Lists all occurrences for a specific issue | issue_id, plus optional filters: target_addresses, tag_names, snoozed |
get_scanner_output | Retrieves raw scanner output for an occurrence, including plugin details, CVEs, and scan evidence | issue_id, occurrence_id |
snooze_issue | Snoozes an issue and all its current and future occurrences | issue_id, reason (ACCEPT_RISK, FALSE_POSITIVE, MITIGATING_CONTROLS), plus optional details, duration, duration_type |
snooze_occurrence | Snoozes a specific occurrence of an issue | issue_id, occurrence_id, reason (ACCEPT_RISK, FALSE_POSITIVE, MITIGATING_CONTROLS), plus optional details, duration, duration_type |
| Tool | Description |
|---|
list_licenses | Shows infrastructure and application license totals, available counts, and consumed counts. Licenses are tied to a target for 30 days once used. |
When listing or filtering scans, the scan_type parameter corresponds to how the scan was triggered:
| Scan type | What it means |
|---|
assessment_schedule | Scans that run on a regular schedule |
new_service | Triggered when a new service is exposed on a target |
cloudbot_new_target | Triggered when CloudBot discovers a new target in a connected cloud account |
rapid_remediation | User-triggered scan to test if a specific issue has been remediated |
advisory | An issue created by the Intruder security team based on their manual work |
cloud_security | Scans of cloud accounts, checking the configuration of the resources in the cloud account |
