MCP Tools
The Red Sift MCP Server exposes the following tools. Most product-specific tools accept an optional instance_id parameter — if omitted, the default instance is used.
Account & IAM tools
Section titled “Account & IAM tools”iam_account_info
Section titled “iam_account_info”Retrieve the authenticated user’s account information and available Red Sift product instances. Returns a JSON object containing: ‘email’ (user’s email address), ‘instances’ (available product instances by product name, where each instance includes ‘id’, ‘name’, and ‘description’ fields), and ‘default_instances’ (currently selected default instance for each product). Use this tool first to discover which Red Sift products and instances are available before making product-specific API calls. Products include: Brand Trust, Certificates, OnDMARC.
Parameters: None required.
iam_invite_user
Section titled “iam_invite_user”Invite a new user to a Red Sift product instance by email address. Creates an invitation that grants the specified user access to the product instance. Returns invitation details including invitationId, invitationCode, and status. By default, an invitation email is automatically sent to the recipient - set skip_email=True to generate the invitation without sending email (useful for programmatic access or custom invitation workflows). Valid products: ‘ondmarc’, ‘brandtrust’, ‘certificates’, ‘pulse’. Valid roles: ‘owner’, ‘superadmin’, ‘superreader’. If roles are not specified, defaults to ‘superreader’ role. Use ‘iam_account_info’ first to discover available products and instance IDs. Use ‘iam_list_sift_users’ to check existing access before inviting. The invitation is created immediately and can be used to access the instance once accepted.
| Parameter | Type | Required | Notes |
|---|---|---|---|
product | string | Yes | — |
instance | string | Yes | — |
email | string | Yes | — |
roles | array | No | — |
skip_email | boolean | No | — |
iam_update_instance_metadata
Section titled “iam_update_instance_metadata”Updates the name and description metadata for a Red Sift product instance. This allows you to set friendly names and descriptions for your instances to help organize and identify them. Call ‘iam_account_info’ first to discover available products and instance IDs. Valid products: ‘ondmarc’, ‘brandtrust’, ‘certificates’, ‘pulse’. Both name and description are optional - provide only the fields you want to update.
| Parameter | Type | Required | Notes |
|---|---|---|---|
product | string | Yes | — |
instance | string | Yes | — |
name | string | No | — |
description | string | No | — |
hardenize_get_assessment
Section titled “hardenize_get_assessment”Performs comprehensive security assessment for a domain using Hardenize. Evaluates TLS configuration, certificate validity, DNS security, email authentication, HTTP headers, web application security, and more. Returns assessment summary with overall scores and detailed information about security tests. Use this to audit domain security posture, identify vulnerabilities, troubleshoot security issues, or validate security improvements.
Optional JSONPath filtering: Use the jsonpath_filter parameter to extract specific data from the assessment using JSONPath syntax. This allows you to retrieve only the data you need, reducing response size and processing time.
Examples of jsonpath_filter usage:
- “$.summary” - Extract only the assessment summary section
- “$.problematic_tests[*].testType” - Get list of all test types from problematic tests
- “$.scores[?(@.category==‘dns’)]” - Get scores for DNS category only
- “$.problematic_tests[?(@.quality==‘error’)]” - Get only tests with error quality
Set include_good=true to include passed tests in the response (default: false, only shows tests needing attention).
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
include_good | boolean | No | — |
jsonpath_filter | string | No | — |
refresh | boolean | No | — |
hardenize_get_certificate_by_sha256
Section titled “hardenize_get_certificate_by_sha256”Retrieves a specific X.509 certificate from the Hardenize Certificate Transparency (CT) database using its SHA-256 fingerprint. Returns certificate details including issuer, subject, validity dates, subject alternative names (SANs), public key information, and the certificate in PEM format. Set include_unpacked=true to receive additional parsed certificate fields (extensions, key usage, policies). Use this to investigate certificates found in security scans, validate certificate chains, analyze historical certificates, or retrieve certificates for offline inspection.
| Parameter | Type | Required | Notes |
|---|---|---|---|
sha256 | string | Yes | — |
include_unpacked | boolean | No | — |
hardenize_search_certificates_by_hostname
Section titled “hardenize_search_certificates_by_hostname”Searches the Hardenize Certificate Transparency (CT) database for certificates matching a hostname pattern. By default returns certificates that match the hostname exactly, as wildcard (*.example.com), or as subdomains, filtering out expired certificates. Returns up to 50 matches by default (configurable via limit parameter). Each result includes SHA-256 fingerprint, issuer, validity dates, and optionally the PEM-encoded certificate (set include_pem=true). Use this to discover all certificates issued for a domain, investigate potential certificate mis-issuance, audit certificate usage across subdomains, or monitor certificate transparency logs for your domains.
| Parameter | Type | Required | Notes |
|---|---|---|---|
host | string | Yes | — |
include_exact_match | boolean | No | — |
include_wildcard_match | boolean | No | — |
include_subdomains | boolean | No | — |
include_pem | boolean | No | — |
limit | number | No | — |
Brand Trust tools
Section titled “Brand Trust tools”brandtrust_activity_summary
Section titled “brandtrust_activity_summary”Get a summary report from your Brand Trust account. Returns information about image detection (logos, faces, and keywords), priority review items (high risk rating and highest similarity matches), potential assets, and lookalike domains. Use this for a quick overview of your brand protection status.
Parameters: None required.
brandtrust_list_domains
Section titled “brandtrust_list_domains”Lists all domains being monitored in your Brand Trust account. Returns both active domains (actively scanned for lookalikes) and inactive domains (registered but not monitored).
Parameters: None required.
brandtrust_add_domain
Section titled “brandtrust_add_domain”Adds a new domain to Brand Trust monitoring. By default, domains are added with ‘inactive’ status (registered but not scanned). Set status to ‘active’ to enable lookalike detection and monitoring for that domain. If the domain exists as a lookalike already, it won’t be added automatically and an error will be returned — use the brandtrust_add_lookalike_as_domain tool in this case.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
status | string | No | inactive, active |
brandtrust_list_takedown
Section titled “brandtrust_list_takedown”Lists all takedown requests tracked in your Brand Trust account. Shows the status and details of domains or content you have requested to be taken down for brand infringement.
Parameters: None required.
brandtrust_list_lookalikes
Section titled “brandtrust_list_lookalikes”Retrieves lookalike domains detected by Brand Trust monitoring with their security assessment and metadata. Returns domains similar to your protected brands based on risk ratings. Filter by risk_level to prioritize investigation: ‘high-risk’ indicates a high threat level, ‘low-risk’ indicates a minimal threat, ‘unclassified’ for newly discovered domains awaiting analysis. Supports pagination for large result sets.
| Parameter | Type | Required | Notes |
|---|---|---|---|
risk_level | string | No | unclassified, low-risk, high-risk |
page | number | No | — |
page_size | number | No | — |
brandtrust_read_lookalike
Section titled “brandtrust_read_lookalike”Sets one or more lookalike domains as read or unread. Use this to track which lookalikes have been reviewed. The domains parameter should be a list of full domain names (e.g., [‘suspicious-domain.com’]). Setting status=‘read’ indicates the domain has been reviewed, ‘unread’ resets it.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domains | string[] | Yes | — |
status | string | No | read, unread |
brandtrust_classify_lookalike
Section titled “brandtrust_classify_lookalike”Classifies one or more lookalike domains by risk level. Moves domains between unclassified, low-risk, and high-risk categories. The current classification is auto-detected. Use this after reviewing a lookalike to indicate its threat level.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domains | string[] | Yes | — |
classify_as | string | Yes | unclassified, low-risk, high-risk |
brandtrust_get_lookalike_details
Section titled “brandtrust_get_lookalike_details”Retrieves detailed metadata for a specific lookalike domain including web presence data, screenshot metadata, logo detection locations, text detection locations, and visual similarity indicators. Does not include the actual screenshot image (use brandtrust_get_lookalike_screenshot for that). The domain parameter should be the full domain name (e.g., suspicious-domain.com).
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
brandtrust_get_lookalike_screenshot
Section titled “brandtrust_get_lookalike_screenshot”Retrieves the screenshot image for a specific lookalike domain. Returns visual evidence of the domain’s appearance. Use brandtrust_get_lookalike_details to retrieve metadata about logo/text detection locations. The domain parameter should be the full domain name (e.g., suspicious-domain.com).
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
brandtrust_list_logos
Section titled “brandtrust_list_logos”Lists all logos configured in your Brand Trust account. Returns logo metadata including ID, name, brand class, MIME type, and training status. Use this to see which logos are being monitored for detection on lookalike domains.
Parameters: None required.
brandtrust_get_logo
Section titled “brandtrust_get_logo”Retrieves the logo image file for a specific logo UUID. Use brandtrust_list_logos to get available logo UUIDs and brand names. The logo_uuid should be the UUID from list_logos, and brand should be the brand class name.
| Parameter | Type | Required | Notes |
|---|---|---|---|
logo_uuid | string | Yes | — |
brand | string | Yes | — |
brandtrust_add_logo
Section titled “brandtrust_add_logo”Validates a logo image, checks for duplicates and image quality, then uploads the valid logo image to Brand Trust for monitoring. Logo images must be JPEG, PNG, BMP, or SVG format, less than 1MB, with minimum 128px width and height. Include all logo variants (wordmark, logomark, composite). The brand parameter specifies which brand class to add the logo to. The logo_base64 parameter should be the base64-encoded image content.
| Parameter | Type | Required | Notes |
|---|---|---|---|
logo_base64 | string | Yes | — |
brand | string | Yes | — |
filename | string | No | — |
brandtrust_add_lookalike_as_domain
Section titled “brandtrust_add_lookalike_as_domain”Add a lookalike domain and its related subdomains to your monitored domains. Takes a lookalike domain, finds its apex and all related lookalikes, then adds them as monitored domains. The apex is added to domains and all related lookalikes are added to subdomains.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
brandtrust_list_faces
Section titled “brandtrust_list_faces”Lists all face images configured in your Brand Trust account for person detection in lookalike content. Returns face records with metadata including IDs, person IDs, and totals.
Parameters: None required.
brandtrust_list_person_faces
Section titled “brandtrust_list_person_faces”Lists all face images for a specific person in your Brand Trust account. Use brandtrust_list_faces to get available person IDs. Returns all face records associated with the given person.
| Parameter | Type | Required | Notes |
|---|---|---|---|
person_id | string | Yes | — |
brandtrust_get_face_image
Section titled “brandtrust_get_face_image”Retrieves the face image file for a specific person and face ID. Use brandtrust_list_faces or brandtrust_list_person_faces to get available person and face IDs.
| Parameter | Type | Required | Notes |
|---|---|---|---|
person_id | string | Yes | — |
face_id | string | Yes | — |
brandtrust_upload_face
Section titled “brandtrust_upload_face”Validates and uploads a face image to Brand Trust for person detection in lookalike content. Supported formats: PNG, JPG, JPEG, BMP. The face_base64 parameter should be the base64-encoded image content. The person_id groups faces belonging to the same person. Returns the API response (for example, a face UUID) if provided, otherwise a generic success message.
| Parameter | Type | Required | Notes |
|---|---|---|---|
person_id | string | Yes | — |
face_base64 | string | Yes | — |
filename | string | No | — |
brandtrust_delete_face
Section titled “brandtrust_delete_face”Deletes a specific face image from Brand Trust. Use brandtrust_list_faces or brandtrust_list_person_faces to get available person and face IDs.
| Parameter | Type | Required | Notes |
|---|---|---|---|
person_id | string | Yes | — |
face_id | string | Yes | — |
brandtrust_list_detectable_keywords
Section titled “brandtrust_list_detectable_keywords”Lists all detectable keywords configured in your Brand Trust account. These keywords are used to detect lookalike content containing specific text. Returns keyword strings and total count.
Parameters: None required.
brandtrust_set_detectable_keywords
Section titled “brandtrust_set_detectable_keywords”Replaces all detectable keywords in your Brand Trust account with the provided list. These keywords are used to detect lookalike content containing specific text. This operation overwrites all existing keywords.
| Parameter | Type | Required | Notes |
|---|---|---|---|
keywords | string[] | Yes | — |
Certificates tools
Section titled “Certificates tools”certificates_list
Section titled “certificates_list”Lists certificates in your account with flexible filtering. Use filter=‘expiring’ (default) to see certificates sorted by expiration date (soonest first) for renewal planning and monitoring upcoming expirations. Use filter=‘all’ for complete certificate inventory audits regardless of expiration status. Limited to 25 by default; increase the limit parameter to retrieve more certificates.
| Parameter | Type | Required | Notes |
|---|---|---|---|
filter | string | No | expiring, all |
limit | number | No | — |
certificates_list_hosts
Section titled “certificates_list_hosts”Lists all hosts (domains and subdomains) currently monitored for certificate discovery and tracking. These are the base domains from which certificate discovery originates.
Parameters: None required.
certificates_add_hosts
Section titled “certificates_add_hosts”Adds new hosts (domains or subdomains) to monitor for SSL/TLS certificates. The system will automatically discover and track certificates associated with these hosts. Hosts must be valid domain names. Pass multiple hosts as a list to add them in a single operation.
| Parameter | Type | Required | Notes |
|---|---|---|---|
hosts | string[] | Yes | — |
certificates_exclude_hosts
Section titled “certificates_exclude_hosts”Prevents specific hosts from being automatically added during certificate discovery. Exclusions only affect newly discovered hosts; existing monitored hosts are not removed. Useful for filtering out third-party or irrelevant subdomains. Pass multiple hosts as a list to exclude them in a single operation.
| Parameter | Type | Required | Notes |
|---|---|---|---|
hosts | string[] | Yes | — |
certificates_list_discoveries
Section titled “certificates_list_discoveries”Lists certificates automatically discovered through the certificate discovery process, including certificates found on related subdomains and associated infrastructure. Useful for understanding your certificate inventory beyond manually added hosts.
Parameters: None required.
certificates_list_endpoints
Section titled “certificates_list_endpoints”Lists SSL/TLS endpoints (IP:port combinations) where certificates are deployed, limited to 25 by default. Increase the limit parameter to retrieve more endpoints. Shows where your certificates are actually being used.
| Parameter | Type | Required | Notes |
|---|---|---|---|
limit | number | No | — |
certificates_stats
Section titled “certificates_stats”Retrieves comprehensive certificate statistics and analytics for your account. Returns detailed counts including: certificate status (active_or_non_expired, active), ownership (own, third_party), expiration status (active_expired, own_expired, third_party_expired), and time-based expiration categories based on days until expiration: ‘critical’ (days 30-34, next 4 days requiring immediate attention), ‘overdue’ (days 34-44, 14-day window for overdue renewals), ‘due’ (days 44-90, 60-day window for upcoming renewals). Also includes service-level breakdowns by protocol type (service_http, service_smtp, service_others), scanned_domains (total monitored domains/subdomains being scanned for discovery), and ca_count (number of distinct certificate authorities represented in your certificate inventory). Useful for certificate inventory overview, compliance reporting, and identifying certificates requiring immediate renewal action.
Parameters: None required.
certificates_list_issues
Section titled “certificates_list_issues”Lists security and configuration issues detected across your monitored hosts by Hardenize. Each issue includes a title, severity, affected subject (domain or IP), root cause, and category. By default returns TLS and PKI category issues covering certificate problems (expiration, weak keys, chain issues, protocol misconfigurations). Use the categories parameter to include other categories such as DNS, Email, Web, or Network. Supports filtering by status, severity (info, low, medium, high, critical, urgent), group, and hostname. Limited to 25 results by default; increase the limit parameter to retrieve more. Use offset for pagination, starting at 0 by default. Results are sorted by severity (ascending) and then by status (ascending). Use certificates_get_issue with a specific issue_id from the results to retrieve full evidence and remediation details.
| Parameter | Type | Required | Notes |
|---|---|---|---|
categories | string | No | — |
status | string | No | — |
severity | string | No | — |
group | string | No | — |
hostname | string | No | — |
limit | number | No | — |
offset | number | No | — |
certificates_get_issue
Section titled “certificates_get_issue”Retrieves full details for a specific Hardenize security issue by its issue_id (obtained from certificates_list_issues results). Returns comprehensive information including: the affected subject (domain/IP), root cause analysis (cause domain/IP), severity level, category, detailed remediation guidance, and supporting evidence. Use this to understand how to fix a specific issue such as an expiring certificate, weak TLS configuration, or chain problem.
| Parameter | Type | Required | Notes |
|---|---|---|---|
issue_id | string | Yes | — |
certificates_list_identities
Section titled “certificates_list_identities”Lists Hardenize identities linked to the Certificates account. Supports pagination via limit and offset, and returns both identities and totalCount.
| Parameter | Type | Required | Notes |
|---|---|---|---|
limit | number | No | — |
offset | number | No | — |
certificates_enable_identity
Section titled “certificates_enable_identity”Enables a Hardenize identity linked to the Certificates account.
| Parameter | Type | Required | Notes |
|---|---|---|---|
identity_id | number | Yes | — |
certificates_disable_identity
Section titled “certificates_disable_identity”Disables a Hardenize identity linked to the Certificates account.
| Parameter | Type | Required | Notes |
|---|---|---|---|
identity_id | number | Yes | — |
certificates_complete_onboarding_setup
Section titled “certificates_complete_onboarding_setup”Completes the initial onboarding setup for a Certificates account. Creates a Hardenize organization, configures host defaults, and sets the owner and notification email to the provided address. After successful completion, all other Certificates API endpoints become available, including bulk host creation.
| Parameter | Type | Required | Notes |
|---|---|---|---|
email | string | Yes | — |
certificates_link_hardenize_organization
Section titled “certificates_link_hardenize_organization”Links a Certificates product instance with a Hardenize organization for bi-directional integration. This establishes a two-way connection: (1) Certificates can access Hardenize assessment data, and (2) Hardenize can display certificate details in its UI. Prerequisites: Hardenize organization must exist with the specified label.
| Parameter | Type | Required | Notes |
|---|---|---|---|
hardenize_org_label | string | Yes | — |
OnDMARC tools
Section titled “OnDMARC tools”ondmarc_list_sources
Section titled “ondmarc_list_sources”Lists all sources (IP addresses, domains, and mail servers) sending email on behalf of the specified domain, based on DMARC aggregate reports from the last 7 days. Use optional start and end parameters (format: YYYY/MM/DD) to analyze a different time period. Useful for identifying authorized and unauthorized email sources.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
start | string | No | — |
end | string | No | — |
ondmarc_compliance_report
Section titled “ondmarc_compliance_report”Retrieves aggregated DMARC validation reports for the specified domain covering the last 7 days. Shows pass/fail rates for SPF and DKIM authentication, message volumes, sending sources, geographic distribution, and reasons for any authentication overrides. Use optional start and end parameters (format: YYYY/MM/DD) to analyze a different time period.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
start | string | No | — |
end | string | No | — |
ondmarc_dns_guardian_get_issues
Section titled “ondmarc_dns_guardian_get_issues”Retrieves DNS security issues detected by DNS Guardian monitoring. Returns details about dangling DNS records, nameserver problems, SPF subdomain takeover risks, and other DNS vulnerabilities across your monitored domains. Use this to identify and remediate DNS-based security risks.
Parameters: None required.
ondmarc_list_domains
Section titled “ondmarc_list_domains”Retrieves all domains managed by the OnDMARC account. Returns comprehensive domain information including domain names, DMARC policy configuration (policy status, validation issues, warnings), associated tags, notes, and Dynamic SPF activation status (hasDynamicSpf). Use this to get an overview of all monitored domains, check their DMARC compliance status, identify domains with configuration issues, or manage domain organization through tags.
Parameters: None required.
ondmarc_add_domain
Section titled “ondmarc_add_domain”Adds a new domain to the OnDMARC instance for monitoring and DMARC compliance tracking. Optionally auto-identify and classify sources that are recognized in the domain’s existing SPF record.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
auto_identify_sources | boolean | No | — |
ondmarc_get_tags
Section titled “ondmarc_get_tags”Retrieves a list of all tags created for this OnDMARC account. Returns tag objects with their IDs, titles, descriptions, and colors.
Parameters: None required.
ondmarc_add_domain_tags
Section titled “ondmarc_add_domain_tags”Adds tags to a domain in the OnDMARC instance. Tags help organize and categorize domains for better management and filtering. Provide tag titles as a list of strings.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
tags | string[] | Yes | — |
ondmarc_remove_domain_tags
Section titled “ondmarc_remove_domain_tags”Removes tags from a domain in the OnDMARC instance. Provide tag titles as a list of strings. The tool will automatically look up the corresponding tag IDs.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
tags | string[] | Yes | — |
ondmarc_activate_dynamic_services
Section titled “ondmarc_activate_dynamic_services”Activates OnDMARC’s Dynamic Services (Dynamic SPF) for the specified domain. Dynamic Services helps you stay within SPF lookup limits by consolidating multiple SPF includes into a single dynamic record that OnDMARC manages. This simplifies SPF record management and prevents SPF validation failures due to exceeding the 10 DNS lookup limit.
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
ondmarc_update_dynamic_dmarc
Section titled “ondmarc_update_dynamic_dmarc”Updates the Dynamic Services DMARC record settings for the specified domain. Only the DMARC tags provided in dmarc_settings are changed; others keep their original values. The domain must have Dynamic Services activated. Valid DMARC tags: rua (aggregate report address), ruf (forensic report address), p (policy: none/quarantine/reject), pct (percentage: 0-100), adkim (DKIM alignment: r/s), aspf (SPF alignment: r/s), fo (failure reporting options: 0/1/d/s), rf (report format: afrf), ri (report interval in seconds), sp (subdomain policy: none/quarantine/reject).
| Parameter | Type | Required | Notes |
|---|---|---|---|
domain | string | Yes | — |
dmarc_settings | object | Yes | — |
Pulse tools
Section titled “Pulse tools”pulse_get_enabled_services
Section titled “pulse_get_enabled_services”Retrieves comprehensive subscription settings and service configurations for the Pulse instance. Returns detailed information including Radar service features (main service, chat, and inbox enablement status), EventHub integrations availability, audit logs configuration, usage limits (maximum Radar users allowed), and subscription metadata (trial status, region, admin privileges). Use this to verify which Pulse services are enabled, check feature availability before performing operations, understand usage quotas, and troubleshoot service access issues.
Parameters: None required.
pulse_list_integrations
Section titled “pulse_list_integrations”Lists all EventHub integrations configured in the Pulse instance. Returns an array of integration objects, each containing the integration name, ID, type, services, and categories.
Parameters: None required.