Tenable Identity Exposure MCP Server
ContributedMCP server exposing the Tenable Identity Exposure (TIE) API as tools for LLM clients.
Compatible Clients
Integrations
Tools (15)
- tie_catalog
List available resources (flat + nested) — call this first.
- tie_request
Raw HTTP call to any endpoint (method, path, params, body).
- tie_resource_action
Generic CRUD (list/get/create/update/delete) on flat resources.
- tie_recent_activity
Unified IoE+IoA timeline for the last N hours in one call.
- tie_profiles
List security profiles (IoE/IoA data is profile-scoped).
- tie_scores
Per-directory security scores for a profile.
- tie_topology
AD topology (domains, forests, trusts) for a profile.
- tie_attacks
IoA attack instances (requires resource_type + resource_value).
- tie_alerts
Alerts for a profile.
- tie_deviances
IoE deviant AD objects for a checker within a time window.
- tie_deviances_by_checker
Full IoE deviances for a checker (no date filter).
- tie_deviances_by_directory
Full IoE deviances for a directory (no date filter).
- tie_search_events
Search AD security events in a date range.
- tie_search_ad_objects
Search AD objects (users/computers/groups/OUs).
- tie_whoami
Current user identity, roles, and permissions.
Tags
An MCP server exposing the Tenable Identity Exposure (TIE, formerly Tenable.ad) REST API as tools for LLM clients. Built on FastMCP from the official mcp SDK and verified end-to-end against a live TIE SaaS instance.
This is not an officially supported Tenable project. Validate responses against the Tenable console before acting on them.
What it does
Turns the Tenable Identity Exposure API into 15 LLM-callable tools spanning both Indicators of Exposure (IoE) and Indicators of Attack (IoA). Highlights:
- Unified activity timeline —
tie_recent_activitymerges IoE deviances and IoA attacks for the last N hours in a single call. - Security posture — list security profiles, per-directory security scores, and AD topology (domains, forests, trusts).
- Deviance investigation — pull IoE deviances by time window, checker, or directory, with rendered descriptions and slimmed payloads to conserve token budget.
- AD search — query AD objects (users, computers, groups, OUs) and security events over a date range.
- Escape hatches —
tie_catalogfor resource discovery,tie_requestfor raw calls to any endpoint, andtie_resource_actionfor generic CRUD.
How it works
The server wraps the TIE REST API and authenticates with the X-API-Key header (TIE_URL / TIE_API_KEY via environment or CLI flags). It runs over stdio for Claude Desktop / Claude Code, or as an SSE/HTTP network service. Time-aware tools accept a relative hours=N window or explicit UTC date_start/date_end. IoE/IoA data is profile-scoped, so tools take an explicit profile_id. By default, deviance and object results are slimmed (descriptions rendered from templates, oversized attribute values dropped); pass verbose=true for the full raw payload.