com.zeltser/website-search
Official53 toolsImprove security writing, score it against rubrics, plan IR, CTI, vuln, and product strategy.
Score security writing against rubrics and plan incident response, threat intelligence, and vulnerabilities.
Captured live from the server via tools/list.
search_zeltser
Search Lenny Zeltser's Website by keywords. Security articles on malware analysis, incident response, and security leadership. Searches across titles, abstracts, full content, and topics.
Parameters (2)
- querystringrequired
Search terms to find relevant content
- limitnumber
Maximum number of results to return (default: 10, max: 25)
get_article
Get the full content of a specific article from Lenny Zeltser's Website by URL path. Security articles on malware analysis, incident response, and security leadership. Returns title, date, topics, summary, and full body text.
Parameters (1)
- urlstringrequired
Article URL path (e.g., '/about', '/article-slug')
get_index_info
Get statistics about the Lenny Zeltser's Website search index including total pages indexed, last update time, and available tools.
No parameters.
get_capabilities
List all capabilities and tools available from the Lenny Zeltser's Website MCP server, including search tools and any specialized features like IR report writing assistance.
No parameters.
get_security_writing_guidelines
Get Lenny Zeltser's expert writing guidelines for security reports and assessments. Provides guidance on tone, structure, clarity, executive summaries, and avoiding common writing mistakes. Includes rating-sheet items (the four lens sheets: structure, look, words, tone) as concrete reference points for grounded feedback. Works for any security document. This server never requests your documents and instructs your AI to keep them local—guidelines flow to your AI for local analysis. Note: For incident response reports specifically, use the ir_* tools which provide deeper section-by-section review criteria.
Parameters (2)
- focusarray
Which aspects of writing to focus on. 'tone': voice, do/avoid examples. 'structure': paragraphs, report qualities, formatting. 'clarity': sentences, jargon alternatives. 'executive_summary': exec summary best practices. 'critique': writing as critique not criticism. 'analytical': evidence attribution, confidence language, comparative language, gap acknowledgment. 'all' or omit for everything.
- include_examplesboolean
Include before/after examples. Default: true. Set to false for smaller response.
ir_get_template
Get Lenny Zeltser's structured incident response template. Covers all critical IR sections with field-by-field guidance. Pass kind: "report" (default — full incident-response report) or "brief" (one-page executive brief, IR 1.5.0+). This server never requests your incident notes and instructs your AI to keep them local—guidelines flow to your AI for local analysis.
Parameters (1)
- kindstring
Which artifact to return: 'report' (full incident-response report — default for backward compatibility) or 'brief' (one-page executive brief).
ir_get_guidelines
Get Lenny Zeltser's expert writing guidelines for incident response reports. Topics: tone, words, structure, executive_summary, voice, articles, summary, brief (one-page brief section guidance, IR 1.5.0+), frameworks (regulatory + maturity frameworks), handoffs (cross-server routing). When the topic maps to a lens (tone, words, structure), the response includes a rating-sheet checklist appendix as concrete reference points for grounded feedback. This server never requests your incident notes and instructs your AI to keep them local—guidelines flow to your AI for local analysis.
Parameters (1)
- topicstring
Specific topic: tone (collaborative framing), words (clarity, jargon), structure (paragraphs, headings), executive_summary (exec summary rules), voice (style guidelines), articles (related reading), summary (quick reference), brief (one-page brief section guidance), frameworks (NIST SP 800-61r3, GDPR, CCPA/CPRA, HIPAA, NCSL state laws + sibling frames), handoffs (when to route to other MCP servers). Omit for full guidelines.
ir_load_context
Load Lenny Zeltser's IR report writing context for local analysis. Returns expert guidelines for field completeness, incident identification, notification triggers, and writing quality. Includes rating-sheet items (lens taxonomy plus the IR-specific Information sheet) as concrete reference points for grounded feedback. This server never requests your incident notes and instructs your AI to keep them local. Use detail_level to control response size: "minimal" (~2k tokens), "standard" (~5k tokens), or "comprehensive" (~11k tokens).
Parameters (4)
- detail_levelstring
Level of detail to return. 'minimal': core field guidance only (~2k tokens). 'standard': field guidance + writing analysis + notifications (~5k tokens, default). 'comprehensive': everything including examples and all incident types (~11k tokens).
- topicsarray
Specific topics to load. Overrides detail_level for fine-grained control. Options: completeness (field guidance), incidents (type identification), notifications (regulatory triggers), writing (style analysis), actions (urgency categorization), stakeholders (party identification), sections (review criteria).
- incident_typestring
Load guidance for a specific incident type only (saves tokens). Omit to load all types when 'incidents' topic is included.
- include_examplesboolean
Include good/poor examples in field guidance. Default: false. Set to true for learning/training.
ir_review_report
Get Lenny Zeltser's expert criteria for reviewing an existing IR report. Returns focused guidance for constructive critique — what to check in each section, writing quality issues to identify, and how to frame feedback collaboratively. Includes rating-sheet items (lens taxonomy plus the IR-specific Information sheet) as concrete reference points for grounded feedback. This server never requests your report and instructs your AI to keep it local.
Parameters (2)
- sectionsarray
Specific sections to get review criteria for. Omit or use 'all' for complete review criteria.
- focusarray
What aspects to focus on. 'completeness': is everything covered? 'clarity': jargon, passive voice, vague terms. 'tone': collaborative framing. 'structure': sentence/paragraph organization.
product_get_template
Get Lenny Zeltser's fill-in-the-blank template for planning a security product strategy. Includes strategic questions organized by section with evidence columns. This server never requests your product plans and instructs your AI to keep them local—guidelines flow to your AI for local analysis. The template is Copyright (c) 2026 Lenny Zeltser; any content you create using it is entirely yours.
No parameters.
product_get_guidelines
Get Lenny Zeltser's expert strategic guidelines for a specific product strategy topic. Topics: market (segmentation), capabilities (AI, agents, MVP, positioning), sales (GTM, channels, distribution, POCs), pricing (models, retention), delivery (deployment, APIs), trust (compliance, security program), platform (ecosystem positioning), team (expertise, gaps), competitive (differentiation, moats), defensibility (AI-era defensibility rubric scoring a product across seven dimensions), smb (SMB market dynamics), endpoint (endpoint viability), ai_security (AI security vertical), role (product manager responsibilities), category_creation (new category strategy), comparative (multi-company analysis), evidence_tiering (evidence classification framework). This server never requests your product plans and instructs your AI to keep them local—guidelines flow to your AI for local analysis.
Parameters (1)
- topicstring
Specific topic to get guidelines for. Omit or use 'all' for a complete overview.
product_load_context
Load Lenny Zeltser's product strategy context for local analysis. Returns expert strategic frameworks, principles, and guidance for evaluating or creating security product plans. Includes rating-sheet items (the lens taxonomy: structure, words, tone) as concrete reference points for grounded feedback on the plan's writing. This server never requests your plans and instructs your AI to keep them local. Use detail_level to control response size: "minimal" (~2k tokens), "standard" (~5k tokens), "compact" (~3-4k tokens, all sections but stripped), or "comprehensive" (~12k tokens). Use market_segment: "smb" for SMB-specific guidance. Use product_focus: "endpoint" for endpoint security viability assessment. Set include_template: true to include the fill-in-the-blank template in the response.
Parameters (9)
- detail_levelstring
Level of detail to return. "minimal": market + capabilities only (~2k tokens). "standard": core strategy sections (~5k tokens, default). "compact": all sections with stripped subsections (~3-4k tokens, good for batch analysis). "comprehensive": everything + examples (~12k tokens).
- topicsarray
Specific topics to include. Overrides detail_level for fine-grained control.
- company_contextstring
Filter guidance to startup or large company perspective. Stage values (pre_seed, seed, series_a, series_b, growth, late_stage) imply startup context with stage-specific emphasis.
- market_segmentstring
Include SMB-specific guidance (distribution, buying triggers, readiness).
- product_focusstring
Include vertical-specific guidance. 'endpoint': platform entrapment, defensibility. 'ai_security': AI threat landscape, buyer personas, regulatory alignment.
- include_examplesboolean
Include examples in framework sections. Default: false.
- include_templateboolean
Include the fill-in-the-blank strategy template at the end of the context response. Default: false. Saves a separate product_get_template call.
- analysis_modestring
'internal': planning your own product (default). 'external': evaluating another company from outside. External mode reframes questions and adjusts evidence standards.
- evaluation_perspectivestring
Emphasize framework sections relevant to a specific perspective. Composes with analysis_mode.
product_review_plan
Get Lenny Zeltser's expert criteria for reviewing an existing product strategy plan. Returns focused guidance for constructive critique—what to check in each section, strategic coherence issues, and how to frame feedback collaboratively. Includes rating-sheet items (the lens taxonomy: structure, words, tone) as concrete reference points for grounded feedback on the plan's writing. This server never requests your plan and instructs your AI to keep it local. Use market_segment: "smb" to include SMB-specific review criteria. Use product_focus: "endpoint" to include endpoint viability assessment.
Parameters (5)
- sectionsarray
Specific sections to get review criteria for. Omit or use 'all' for complete review criteria.
- focusarray
What aspects to focus on. 'completeness': is everything covered? 'strategy': are decisions coherent? 'feasibility': can this team execute?
- market_segmentstring
Include SMB-specific review criteria.
- product_focusstring
Include vertical-specific review criteria. 'endpoint': endpoint viability. 'ai_security': AI security market assessment.
- review_typestring
'internal': reviewing your own plan (default). 'external-analysis': reviewing an analysis of another company. Adjusts criteria to focus on evidence tiering, source attribution, and marketing language.
product_compare_context
Load Lenny Zeltser's comparative analysis framework for evaluating multiple security companies side by side. Returns structured scoring rubric, evaluation dimensions, evidence tiering guidance, and comparison-type-specific instructions. Requires comparative analysis content. This server never requests your product plans and instructs your AI to keep them local—guidelines flow to your AI for local analysis.
Parameters (3)
- comparison_typestringrequired
Type of comparison. 'competition': direct/adjacent competitors. 'market_segment': companies in same segment. 'portfolio': cohort evaluation.
- company_countintegerrequired
Number of companies being compared (2-10).
- include_scoring_rubricboolean
Include the structured 1-5 scoring rubric. Default: true.
rating_get_sheet
Get Lenny Zeltser's cybersecurity-writing rating sheet(s) so your AI can apply the rubric. Returns the structured rubric (groups, items, scoring bands) WITHOUT computing a score. Use `rating_score_writing` if you also want a numeric score, gap analysis, or rubric-anchored feedback. This server never requests your draft and instructs your AI to keep it local—rating sheets and scoring instructions flow to your AI.
Parameters (1)
- sheetstring
Which sheet to return. 'structure' / 'look' / 'words' / 'tone' apply to any document. 'info-ir' / 'info-assessment' / 'info-threat' are document-type-specific. 'all' returns the full bundle (default).
rating_score_writing
Get Lenny Zeltser's scoring playbook so your AI can score a draft locally against a cybersecurity-writing rating sheet. THIS IS THE ONLY TOOL THAT PRODUCES NUMERIC SCORES — the writing-coach tools (`get_security_writing_guidelines`, `ir_*`, `product_*`) never score. Returns the rubric plus step-by-step instructions for applying it. This server never requests your draft and instructs your AI to keep it local—rating sheets and scoring instructions flow to your AI.
Parameters (3)
- sheetstringrequired
Which sheet to apply. The 7 canonical IDs name a specific rubric. 'auto' picks among the three Information sheets (info-ir / info-assessment / info-threat) based on the document type the user describes; for lens sheets (structure / look / words / tone), pass the sheet ID directly.
- modestring
score: per-item pass/fail + total + band classification (default). gaps: enumerate items the draft does NOT satisfy (best fit for Information sheets). feedback: per-item pass/fail + total + band, then constructive critique in the writing-coach voice.
- detail_levelstring
minimal: scoring playbook only. standard: rubric + scoring playbook (default). comprehensive: rubric + scoring playbook + cross-references to writing guidelines + related articles.
rating_load_context
Load Lenny Zeltser's complete cybersecurity-writing rating toolkit: all 7 sheets, scoring policy, scoring playbook, and cross-references to the writing guidelines. This server never requests your draft and instructs your AI to keep it local—rating sheets and scoring instructions flow to your AI.
Parameters (1)
- detail_levelstring
minimal: sheet metadata + scoring playbook only (~2k tokens). standard: full sheets + scoring playbook + cross-references (~6k tokens, default). comprehensive: everything including related articles and errata (~9k tokens).
aidefense_load_context
Load Lenny Zeltser's AI Defense Matrix context: the 8-asset x 6-NIST-CSF-2.0-function matrix, nine cross-walked frameworks (NIST IR 8596, CSA AICM, ISO 42001, Google SAIF, SANS Critical AI Security Guidelines, MITRE ATLAS, OWASP AI Exchange, OWASP LLM Top 10, OWASP Agentic Top 10), and the evaluation + cross-mapping playbooks. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.
Parameters (2)
- purposestring
evaluate_program: practitioner playbook for assessing an AI security program. cross_map_product: vendor playbook for mapping product capabilities to matrix cells. general: both playbooks (default).
- detail_levelstring
minimal: matrix summary counts only, no playbooks or framework rows. standard: full matrix, framework alignments, and the selected playbook(s) (default). comprehensive: everything including related articles.
aidefense_get_matrix
Get the structured AI Defense Matrix: 8 AI-specific asset rows x 6 NIST CSF 2.0 function columns. Each cell describes a control category for defending that asset class. Supports optional filtering by asset or function. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.
Parameters (3)
- formatstring
structured: typed JSON of assets, functions, and cells (default). markdown: human-readable rendering grouped by asset.
- assetstring
Optional: filter to one asset class (e.g., 'ai-model', 'training-data'). Returns the 6 cells for that row.
- functionstring
Optional: filter to one NIST CSF function ('govern', 'identify', 'protect', 'detect', 'respond', 'recover'). Returns the 8 cells for that column.
aidefense_get_framework_alignment
Get AI Defense Matrix cross-mappings to nine external frameworks: NIST IR 8596, CSA AI Controls Matrix, ISO 42001, Google SAIF, SANS Critical AI Security Guidelines, MITRE ATLAS, OWASP AI Exchange, OWASP LLM Top 10, OWASP Agentic Security Top 10. Each row maps an AI asset class to how that framework applies. Each returned framework also carries a 'concepts' array of the structured IDs (MITRE ATLAS techniques, OWASP risks, ISO clauses) the matrix references for it. Supports a 'buyer' archetype shortcut to scope to the frameworks a particular buyer will care about. Use to translate between framework vocabularies. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.
Parameters (2)
- frameworkstring
Optional: scope to one framework slug (e.g., 'mitre-atlas', 'owasp-llm-top10'). Omit to get all nine. Wins over 'buyer' if both are passed.
- buyerstring
Optional: scope to a buyer archetype's framework subset. federal: NIST IR 8596 + ISO 42001. ai-governance: ISO 42001 + CSA AICM. app-security: OWASP LLM Top 10 + OWASP AI Exchange. threat-modeler: MITRE ATLAS + OWASP Agentic Top 10. enterprise: all 9 (same as omitting both parameters).
aidefense_evaluate_program
Get the AI Defense Matrix evaluation playbook for assessing an AI security program: per-cell prompts, gap-inventory template, and a workflow that walks each asset class first and rolls findings up to the Govern column. Supports mode='gate' for binary deployment-gate decisions (returns the deployment-gate workflow plus gate-tier prompts only) and consumerPattern for scoping to consumed-vs-built AI deployments. The AI applies these prompts against your program documentation locally, and no program details leave your client. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.
Parameters (6)
- assetstring
Optional: focus the prompts on one asset class.
- assetsarray
Optional: focus the prompts on multiple asset classes (e.g., for a deployment that touches orchestration + runtime data + agent identities). Takes precedence over `asset` if both are set.
- functionstring
Optional: focus the prompts on one NIST CSF function.
- modestring
assessment (default): full program assessment — all maturity tiers. gate: binary deployment-gate decision — returns the deploymentGateWorkflow plus only gate-tier prompts (drops 90-day and mature prompts).
- consumer_patternstring
consumed: organization consumes a third-party model (GPT-4 via API) — drops AI-Workload Platforms, Training Data, AI-Generated Code rows, and AI Model identify/protect/detect/respond/recover (keeps ai-model.govern). built: organization hosts/trains its own model — all rows in scope. hybrid (default behavior when omitted): all rows in scope.
- frameworkstring
Optional: scope cellPrompts to those whose 'sources' field cites the named framework. Accepts a bare slug ('iso-42001') for any prompt citing that framework, or a 'framework:concept-id' form ('mitre-atlas:AML.T0051') to match an exact technique. Composes with mode, consumer_pattern, asset, and assets.
aidefense_cross_map
Get the AI Defense Matrix cross-mapping playbook for mapping product capabilities to matrix cells: coverage taxonomy (primary, secondary, partial, aspirational), differentiation guidance, disambiguation block, worked examples, and out-of-scope examples. The response always includes an inScopeCheck. Products that USE AI to solve a non-AI security problem (deepfake detection, AI-for-fraud, AI features added to existing SIEM, SOAR, or EDR tools) belong in the Cyber Defense Matrix at https://cyberdefensematrix.com. Pairs naturally with product_load_context(productFocus: 'ai_security') for follow-on positioning and GTM work. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.
Parameters (4)
- frameworkstring
Optional: include only one external framework's cross-mapping (e.g., 'owasp-llm-top10') alongside the playbook.
- whitespaceboolean
Optional: when true, surface a `whitespace.sparseCells` block scoped to vendor-empty cells where a product can plausibly succeed (vendorDensity <= 1 AND coverageType in {tooling, hybrid}). Process-shaped sparse cells are excluded by default because their emptiness does not indicate market opportunity.
- include_process_shapedboolean
Optional: when true with whitespace, include process-shaped sparse cells in the result. Use when you want to see all empty cells regardless of whether a product is the right answer there.
- include_framework_alignmentboolean
Optional: when false, the framework alignment block (~half the response) is omitted in favor of a short note pointing to aidefense_get_framework_alignment. Use when the caller will fetch alignment separately and wants a slim cross_map response. Default: true.
aidefense_locate_concept
Reverse-lookup a single concept ID (MITRE ATLAS technique like 'AML.T0051', OWASP LLM Top 10 risk like 'LLM01', OWASP Agentic Top 10 issue like 'ASI03', or ISO 42001 Annex A clause like 'A.6') across the AI Defense Matrix. Returns which framework the concept belongs to, the asset rows whose alignment cites it, the cells whose evaluation cellPrompts cite it, and those prompts themselves. Useful when a vendor's product is defined by a specific technique ('we defend AML.T0051') and they need to find which matrix cells to claim. Recognizes only concepts with structured IDs; for prose-only frameworks (NIST IR 8596, CSA AICM, Google SAIF, OWASP AI Exchange) use aidefense_get_framework_alignment instead. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.
Parameters (1)
- conceptstringrequired
A single concept ID. Recognized patterns: 'AML.T<4 digits>(.<3 digits>)?' (MITRE ATLAS), 'LLM<2 digits>' (OWASP LLM Top 10), 'ASI<2 digits>' (OWASP Agentic Top 10), 'A.<digits>' (ISO 42001 Annex A clauses). Case-insensitive.
ir_get_brief_template
Get Lenny Zeltser's IR one-page executive brief template. Standalone variant of `ir_get_template` for callers that only want the brief without the long-form report. This server never requests your incident notes and instructs your AI to keep them local—guidelines flow to your AI for local analysis.
No parameters.
ir_get_cross_server_routes
Get Lenny Zeltser's IR cross-server handoff routes — when this MCP server can't fulfill a request, which other MCP servers (or fallback workflows) to consult. Surfaces a compact subset of `ir_load_context`. This server never requests your incident notes and instructs your AI to keep them local—guidelines flow to your AI for local analysis.
No parameters.
ir_get_frameworks
Get Lenny Zeltser's IR frameworks (primary frameworks the brief structurally derives from) plus optional sibling frames (adjacent frameworks that aren't the structural backbone). Pass `include_siblings: false` to skip sibling blocks. This server never requests your incident notes and instructs your AI to keep them local—guidelines flow to your AI for local analysis.
Parameters (1)
- include_siblingsboolean
Include the siblingFrames block (adjacent frameworks with whyOmitted notes) and the siblingArtifacts block (related templates) in the response. Default: true.
cti_get_template
Get Lenny Zeltser's cyber threat intel template. The long report covers Executive Summary, Actor Snapshot, Methodology, Activity Overview, Representative Adversary Techniques, Indicators of Compromise, Defensive Implications, Attribution Analysis, Anticipated Activity, optional Strategic Analysis and Competing Hypotheses, plus About this Report. The one-page brief covers Bottom Line, Quick Facts, Are We in Scope?, Defensive Actions, What We Don't Know, More Information. This server never requests your campaign or threat-intel notes and instructs your AI to keep them local—templates and guidelines flow to your AI for local analysis.
Parameters (1)
- templatestring
Which artifact to return: 'report' (12-section long report, default) or 'brief' (one-page executive brief).
cti_get_guidelines
Get Lenny Zeltser's expert CTI writing guidelines. Topics include tone, words, structure, executive_summary, voice, articles, summary, brief (one-page brief section guidance), handoffs (cross-server routing), methodology (the three subsections), fields (per-field guidance), and CTI-specific topics: attribution (full Six Signals prose), confidence (ICD-203 ladder), pyramid_of_pain, six_signals (signals table only), and anti_patterns. The general writing topics (tone/words/structure/executive_summary) now defer to `get_security_writing_guidelines` for the canonical Five Elements rules; CTI-specific content lives in the other topics. Pair the 'fields' topic with field_id for single-field guidance. This server never requests your campaign or threat-intel notes and instructs your AI to keep them local—templates and guidelines flow to your AI for local analysis.
Parameters (2)
- topicstring
Which topic to surface. Defaults to a 'summary' overview when omitted.
- field_idstring
Only meaningful with topic='fields'. When supplied, returns guidance for the named field id. When omitted under topic='fields', returns a directory of available field ids.
cti_load_context
Load Lenny Zeltser's CTI writing context for local analysis. Returns a JSON payload with section guidance, completeness criteria, framework grounding (12 frameworks), the six attribution signals, ICD-203 confidence levels and ladder, and the Pyramid of Pain. The 'profile' parameter ANNOTATES sections (internal/public applicability label) rather than filtering — every section is returned so cross-profile comparisons are possible. This server never requests your campaign or threat-intel notes and instructs your AI to keep them local—templates and guidelines flow to your AI for local analysis.
Parameters (5)
- detail_levelstring
Response size: minimal (~2-3k tokens), standard (~5-7k), comprehensive (~12k+).
- topicsarray
Narrow the response to specific topics; 'all' includes everything.
- profilestring
Annotate sections by their applicability to this profile (internal or public). Sections are NOT filtered — annotated only.
- templatestring
Foreground 'report' or 'brief' sections; both lists stay in the payload.
- include_examplesboolean
Include exampleGood/examplePoor in fieldGuidance entries.
cti_review_report
Get Lenny Zeltser's expert criteria for reviewing an existing CTI report or brief. Surfaces per-theme review criteria (framework, confidence, attribution, defense, distribution, etc.), cross-cutting criteria, the six anti-patterns to watch for, and focus-driven writing analysis. This server never requests your campaign or threat-intel notes and instructs your AI to keep them local—templates and guidelines flow to your AI for local analysis.
Parameters (2)
- sectionsarray
Narrow to specific report sections; 'all' includes every section.
- focusarray
Focus areas: completeness, clarity, tone, structure, attribution, confidence, or all.
cti_get_brief_template
Get Lenny Zeltser's CTI one-page executive brief template. Standalone variant of `cti_get_template` for callers that only want the brief without the long-form report. This server never requests your campaign or threat-intel notes and instructs your AI to keep them local—templates and guidelines flow to your AI for local analysis.
No parameters.
cti_get_cross_server_routes
Get Lenny Zeltser's CTI cross-server handoff routes — when this MCP server can't fulfill a request, which other MCP servers (or fallback workflows) to consult. Surfaces a compact subset of `cti_load_context`. This server never requests your campaign or threat-intel notes and instructs your AI to keep them local—templates and guidelines flow to your AI for local analysis.
No parameters.
cti_get_frameworks
Get Lenny Zeltser's CTI frameworks (primary frameworks the brief structurally derives from) plus optional sibling frames (adjacent frameworks that aren't the structural backbone). Pass `include_siblings: false` to skip sibling blocks. This server never requests your campaign or threat-intel notes and instructs your AI to keep them local—templates and guidelines flow to your AI for local analysis.
Parameters (1)
- include_siblingsboolean
Include the siblingFrames block (adjacent frameworks with whyOmitted notes) and the siblingArtifacts block (related templates) in the response. Default: true.
malware_get_template
Get Lenny Zeltser's malware analysis report template. The report covers Executive Summary, Sample Snapshot, Malware Family Identification, Component Inventory, Runtime Requirements, Sources, Capabilities, Indicators of Compromise, Analysis Details, What We Don't Know, optional Infection Vector, optional Detection Engineering, About this Report, Appendix: Analysis Environment, and optional Appendix: Analysis Scripts. This server never requests your sample, analysis notes, or indicators and instructs your AI to keep them local—guidelines and the report template flow to your AI for local analysis.
No parameters.
malware_get_guidelines
Get Lenny Zeltser's expert malware analysis report writing guidelines. Topics include capabilities, confidence, pyramid_of_pain, anti_patterns, methodology, fields, handoffs, frameworks, plus tone, words, structure, and executive_summary topics that defer to `get_security_writing_guidelines` for canonical Five Elements guidance. Pair the 'fields' topic with field_id for single-field guidance. This server never requests your sample, analysis notes, or indicators and instructs your AI to keep them local—guidelines and the report template flow to your AI for local analysis.
Parameters (2)
- topicstring
Which topic to surface. Defaults to a 'summary' overview when omitted.
- field_idstring
Only meaningful with topic='fields'. When supplied, returns guidance for the named field id. When omitted under topic='fields', returns a directory of available field ids.
malware_load_context
Load Lenny Zeltser's malware analysis report writing context for local analysis. Returns a JSON payload with section guidance, the MBC capability model, ICD-203 confidence scoped to the family call, Pyramid-of-Pain IOC tiering, and a briefPolicy explaining why there is no companion brief. The 'profile' parameter ANNOTATES sections (organizationalReport/researcherNarrative applicability label) rather than filtering — every section is returned so cross-profile comparisons are possible. This server never requests your sample, analysis notes, or indicators and instructs your AI to keep them local—guidelines and the report template flow to your AI for local analysis.
Parameters (4)
- detail_levelstring
Response size: minimal, standard, or comprehensive.
- topicsarray
Narrow the response to specific topics; 'all' includes everything.
- profilestring
Annotate sections by their applicability to this profile. Sections are NOT filtered — annotated only.
- include_examplesboolean
Include exampleGood/examplePoor in fieldGuidance entries.
malware_review_report
Get Lenny Zeltser's expert criteria for reviewing an existing malware analysis report. Surfaces per-theme review criteria for identification, capabilities, indicators, evidence, ecosystem, detection, reproducibility, and distribution; cross-cutting criteria; anti-patterns; and focus-driven writing analysis. This server never requests your sample, analysis notes, or indicators and instructs your AI to keep them local—guidelines and the report template flow to your AI for local analysis.
Parameters (2)
- sectionsarray
Narrow to specific report sections; 'all' includes every section.
- focusarray
Focus areas: completeness, clarity, tone, structure, capabilities, confidence, anti_patterns, or all.
malware_get_cross_server_routes
Get Lenny Zeltser's Malware cross-server handoff routes — when this MCP server can't fulfill a request, which other MCP servers (or fallback workflows) to consult. Surfaces a compact subset of `malware_load_context`. This server never requests your sample, analysis notes, or indicators and instructs your AI to keep them local—guidelines and the report template flow to your AI for local analysis.
No parameters.
malware_get_frameworks
Get Lenny Zeltser's Malware frameworks (primary frameworks the brief structurally derives from) plus optional sibling frames (adjacent frameworks that aren't the structural backbone). Pass `include_siblings: false` to skip sibling blocks. This server never requests your sample, analysis notes, or indicators and instructs your AI to keep them local—guidelines and the report template flow to your AI for local analysis.
Parameters (1)
- include_siblingsboolean
Include the siblingFrames block (adjacent frameworks with whyOmitted notes) and the siblingArtifacts block (related templates) in the response. Default: true.
vuln_get_template
Get Lenny Zeltser's one-page Vulnerability Advisory Brief template. Covers Bottom Line, Quick Facts, Are We Affected?, Defensive Actions (with What/Why/When/Who), What We Don't Know, and More Information. This server never requests your vulnerability notes and instructs your AI to keep them local—the brief template and guidelines flow to your AI for local analysis.
No parameters.
vuln_get_guidelines
Get Lenny Zeltser's expert vulnerability-brief writing guidelines. Topics include tone, words, structure, voice, articles, summary, fields (per-field guidance), handoffs (cross-server routing), and vuln-specific topics: significance (calibrated insecurity, no vendor passthrough — note this is the Vuln Brief's Significance row, distinct from CVSS/vendor severity scoring), actions (action-enabling What/Why/When/Who), gaps (calibrated uncertainty), sources (evidence synthesis), are_we_affected (scope discipline), and anti_patterns. Pair the 'fields' topic with field_id for single-field guidance. This server never requests your vulnerability notes and instructs your AI to keep them local—the brief template and guidelines flow to your AI for local analysis.
Parameters (2)
- topicstring
Which topic to surface. Defaults to a 'summary' overview when omitted.
- field_idstring
Only meaningful with topic='fields'. When supplied, returns guidance for the named field id. When omitted under topic='fields', returns a directory of available field ids.
vuln_load_context
Load Lenny Zeltser's Vulnerability Investigation Brief context for local analysis. Returns a JSON payload with brief section guidance, completeness criteria, significance discipline (renamed from 'severity' in 1.1.0 — the Vuln Brief's Significance row, distinct from CVSS or vendor severity scoring), evidence-source guidance, frameworks (CVSS / CVE / NVD / CISA KEV / Vendor Advisory), and ALWAYS embeds the mcpHandoffs array — six pointers that tell the AI when to reach for rating_score_writing, rating_get_sheet, get_security_writing_guidelines, cti_load_context, ir_load_context, or search_zeltser. This server never requests your vulnerability notes and instructs your AI to keep them local—the brief template and guidelines flow to your AI for local analysis.
Parameters (3)
- detail_levelstring
Response size: minimal, standard, or comprehensive.
- topicsarray
Narrow the response to specific topics; 'all' includes everything.
- include_examplesboolean
Include exampleGood/examplePoor in fieldGuidance entries.
vuln_review_brief
Get Lenny Zeltser's expert criteria for reviewing an existing Vulnerability Investigation Brief. Surfaces per-theme review criteria (significance, scope, actions, gaps, sources), cross-cutting criteria, anti-patterns, and inline mcpHandoffs pointers when the requested focus triggers scoring or writing-mechanics themes (e.g., focus=tone surfaces rating_score_writing). This server never requests your vulnerability notes and instructs your AI to keep them local—the brief template and guidelines flow to your AI for local analysis.
Parameters (2)
- sectionsarray
Narrow to specific brief sections; 'all' includes every section.
- focusarray
Focus areas: completeness, clarity, tone, structure, significance, actions, sources, or all.
vuln_get_brief_template
Get Lenny Zeltser's Vuln one-page executive brief template. Standalone variant of `vuln_get_template` for callers that only want the brief without the long-form report. This server never requests your vulnerability notes and instructs your AI to keep them local—the brief template and guidelines flow to your AI for local analysis.
No parameters.
vuln_get_cross_server_routes
Get Lenny Zeltser's Vuln cross-server handoff routes — when this MCP server can't fulfill a request, which other MCP servers (or fallback workflows) to consult. Surfaces a compact subset of `vuln_load_context`. This server never requests your vulnerability notes and instructs your AI to keep them local—the brief template and guidelines flow to your AI for local analysis.
No parameters.
vuln_get_frameworks
Get Lenny Zeltser's Vuln frameworks (primary frameworks the brief structurally derives from) plus optional sibling frames (adjacent frameworks that aren't the structural backbone). Pass `include_siblings: false` to skip sibling blocks. This server never requests your vulnerability notes and instructs your AI to keep them local—the brief template and guidelines flow to your AI for local analysis.
Parameters (1)
- include_siblingsboolean
Include the siblingFrames block (adjacent frameworks with whyOmitted notes) and the siblingArtifacts block (related templates) in the response. Default: true.
assessment_get_template
Get Lenny Zeltser's security assessment template. The report is a reader-first findings report: Executive Summary, Assessment Scope, Findings Summary, Detailed Findings, Remediation Priorities, optional Attack Path Narrative and Detection and Response Observations, Methodology, Limitations and Disclaimer, Appendices, and About this Report. The one-page brief covers Bottom Line, Key Findings, Recommended Actions, and More Information. This server never requests your assessment notes or report and instructs your AI to keep them local—the templates and guidelines flow to your AI for local analysis.
Parameters (1)
- kindstring
Which artifact to return: 'report' (full findings report, default) or 'brief' (one-page executive brief).
assessment_get_guidelines
Get Lenny Zeltser's expert security assessment report writing guidelines. Topics: severity (the risk-adjusted severity model — the spine), findings, remediation, methodology, scope, strengths, brief (one-page brief section guidance), executive_summary, analysis, anti_patterns, frameworks, handoffs, and summary. The general 'tone' topic defers to `get_security_writing_guidelines` for the canonical Five Elements rules. This server never requests your assessment notes or report and instructs your AI to keep them local—the templates and guidelines flow to your AI for local analysis.
Parameters (1)
- topicstring
Which topic to surface. Defaults to a 'summary' overview when omitted.
assessment_load_context
Load Lenny Zeltser's security assessment report writing context for local analysis. Returns a JSON payload with the risk-adjusted severity model (the spine), reader-first section guidance, completeness criteria, frameworks (NIST SP 800-115/800-30, OWASP WSTG/Risk Rating, CVSS, MITRE ATT&CK, PTES, PCI DSS, CREST), and the mcpHandoffs array. The 'profile' parameter ANNOTATES sections (internal/external applicability) rather than filtering — every section is returned so cross-profile comparisons are possible. This server never requests your assessment notes or report and instructs your AI to keep them local—the templates and guidelines flow to your AI for local analysis.
Parameters (5)
- detail_levelstring
Response size: minimal, standard, or comprehensive.
- topicsarray
Narrow the response to specific topics; 'all' includes everything.
- profilestring
Annotate sections by applicability to this profile (internal or external). Sections are NOT filtered — annotated only.
- templatestring
Foreground 'report' or 'brief' sections; both lists stay in the payload.
- include_examplesboolean
Include exampleGood/examplePoor in fieldGuidance entries.
assessment_review_report
Get Lenny Zeltser's expert criteria for reviewing an existing security assessment report or brief. Surfaces the 17 info-assessment review items across five groups (Key Takeaways, Assessment Scope, Prioritized Findings, Remediation Suggestions, Assessment Methodology), cross-cutting criteria, the risk-adjusted severity model, anti-patterns, and a pointer to rating_score_writing for a numeric score. This server never requests your assessment notes or report and instructs your AI to keep them local—the templates and guidelines flow to your AI for local analysis.
Parameters (2)
- sectionsarray
Narrow to specific report sections; 'all' includes every section.
- focusarray
Focus areas: completeness, clarity, tone, structure, severity, remediation, strengths, anti_patterns, or all.
assessment_get_brief_template
Get Lenny Zeltser's Security Assessment one-page executive brief template. Standalone variant of `assessment_get_template` for callers that only want the brief without the long-form report. This server never requests your assessment notes or report and instructs your AI to keep them local—the templates and guidelines flow to your AI for local analysis.
No parameters.
assessment_get_cross_server_routes
Get Lenny Zeltser's Security Assessment cross-server handoff routes — when this MCP server can't fulfill a request, which other MCP servers (or fallback workflows) to consult. Surfaces a compact subset of `assessment_load_context`. This server never requests your assessment notes or report and instructs your AI to keep them local—the templates and guidelines flow to your AI for local analysis.
No parameters.
assessment_get_frameworks
Get Lenny Zeltser's Security Assessment frameworks (primary frameworks the brief structurally derives from) plus optional sibling frames (adjacent frameworks that aren't the structural backbone). Pass `include_siblings: false` to skip sibling blocks. This server never requests your assessment notes or report and instructs your AI to keep them local—the templates and guidelines flow to your AI for local analysis.
Parameters (1)
- include_siblingsboolean
Include the siblingFrames block (adjacent frameworks with whyOmitted notes) and the siblingArtifacts block (related templates) in the response. Default: true.
README not available yet.
Install
claude_desktop_config.json
{
"mcpServers": {
"website-search": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://website-mcp.zeltser.com/mcp"
]
}
}
}Desktop config is stdio-only; this bridges via mcp-remote. Native remote: Settings > Connectors.