MCP
The k9 MCP server brings Reachable Risk to your AI coding agent. It scores your CVE and dependency backlog by what is actually reachable in your code and actively exploited in the wild (KEV + EPSS), and returns a Fix Today / Schedule / Defer verdict with the evidence behind each call. Your agent supplies the reachability read; k9 supplies KEV + EPSS and the verdict.
It runs as a remote MCP server. Your agent connects over HTTP and you sign in with your k9 account on first connect. There is no API key or token to copy.
- Endpoint: https://mcp.k9security.io/mcp (Streamable HTTP)
- Authentication: OAuth (browser sign-in on first connect; no API key)
- Tools: lookup_kev, lookup_epss, score_risk, plus the risk_scoring_rubric prompt
Guides
- Configure the k9 MCP Server — connect Claude, Claude Code, Opencode, and other MCP-capable agents.
Last update: July 3, 2026