If you're working with an AI assistant in 2026, you don't want to switch tabs for every question. That's exactly what Anthropic's Model Context Protocol (MCP) is for — an open standard that lets Claude and compatible clients query your data directly, without the data ever flowing into an LLM training pipeline.
SiteGuardian is MCP-enabled as of today. Endpoint:
https://siteguardian.io/mcp
Five tools are live, one of them usable without an account. Existing paid customers get four additional tools with Bearer auth.
What you can do
Three patterns we've seen most often in the last few weeks.
1. Domain quick-check in chat
"Run a security scan on example.com and tell me the top three issues."
Claude calls scan_domain, gets back an A–F grade plus top findings, and replies with a permalink to the full report. Anonymous, 10 calls per hour per IP. Cached for 2 hours.
2. Drift investigation in one sentence
"What changed on example.com in the past week?"
get_drift_events returns TLS changes, new headers, newly appearing third-party scripts — chronologically with severity. The thing you'd otherwise jump between three dashboards for.
3. Copy-paste fixes without the detour
"Give me the nginx snippet to fix the missing HSTS header on example.com."
get_fix_recommendations returns the config lines with your domain interpolated, plus the verify command to confirm the fix landed. No Stack Overflow roulette.
Install in 30 seconds
Cursor. Edit ~/.cursor/mcp.json:
{
"mcpServers": {
"siteguardian": {
"url": "https://siteguardian.io/mcp"
}
}
}
Claude Code. In the terminal:
claude mcp add --transport http siteguardian https://siteguardian.io/mcp
Claude Desktop, Windsurf, VS Code Copilot — same URL, three more snippets at siteguardian.io/docs/mcp.
For the four authenticated tools, generate a Bearer key in Settings → API & Integrations and add it to your config as Authorization: Bearer sg_live_....
The five tools
| Tool | Auth | Purpose |
|---|---|---|
scan_domain |
anonymous | One-off scan, grade + top 3 issues + permalink |
list_monitored_domains |
Bearer | Your monitored domains with current grades |
get_domain_status |
Bearer | Active issues for a domain |
get_drift_events |
Bearer | Posture changes (TLS, headers, JS hosts, cookies) |
get_fix_recommendations |
Bearer + Paid | Config snippets + verify commands |
Read-only. No destructive actions. Rate limits per IP (anonymous) and per key (authenticated).
Why EU-hosted matters
MCP traffic at many providers ends up in US cloud regions, often with logging that flows into training pipelines. Not here:
- Hosting: Hetzner, Germany. No US sub-processor.
- No LLM in the pipeline. All tool responses are generated deterministically from your account's data. No inference on our side.
- No training. Your queries and tool arguments are logged for abuse prevention and billing — not for model training. Neither by us nor by any third party.
Relevant for NIS2 and DORA obligations: the MCP adapter is part of the existing audit trail (SHA-256 hash chain); every tool call is traceable.
What's next
In the coming weeks:
- OAuth 2.1 instead of Bearer headers (per MCP spec)
resourcesandpromptsin addition totools(e.g. a pre-built "explain my last drift event" prompt)- Listing in the official Anthropic MCP Registry and the community directories (mcp.so, Smithery, awesome-mcp-servers)
If you're using the server today, you keep the same endpoint — auth mechanisms roll out in parallel, not as replacements.
Get started
- Try the anonymous scan: curl example at siteguardian.io/docs/mcp#try — no account needed.
- Create an account: Start a free scan → buy a Report or subscribe to Monitor → generate an API key.
- Bug or feature request: contact or open a GitHub issue.
MCP is new, the spec is moving monthly. We'd love feedback on what works and what doesn't.