AI-supported EASM: Eliminate shadow IT with the LocateRisk MCP interface
AI-supported EASM
The identification of unknown infrastructure is a core task in External Attack Surface Management (EASM). LocateRisk provides a specialized interface for this based on the Model Context Protocol (MCP). LocateRisk is currently the only provider to enable direct machine-to-machine communication, which makes complex discovery paths of IT systems immediately analyzable by artificial intelligence.
Seamlessly connect your own AI models - MCP makes LocateRisk part of your infrastructure
With the LocateRisk MCP interface you bind your own AI model (e.g. an internal ChatGPT, Claude or local open source models) directly to our system. You don't have to program any complex interfaces - your AI „understands“ our data natively through MCP. This means you retain full control over your analysis logic and use your familiar environment for automated security reports.
LocateRisk provides up-to-date data on your IT attack surface, and the MCP interface makes it directly usable - for automated assessment and protection in seconds.
The following case study shows how this technology helps to uncover hidden systems (Shadow IT).
Case Study: Uncovering shadow IT with discovery paths
Initial situation
The IP address 49.12.87.60 appears in a recent security report. The IT manager cannot assign this host to any known department. He needs to clarify: How was this server discovered? Does it actually belong to the organization? Who bears operational responsibility?
Solution with the LocateRisk MCP interface
The IT specialist uses the MCP connection to examine the entire external attack surface via his familiar AI interface. The advantage: the return values of the interface are so compact that the AI can process the entire context of the network connections without any loss of data.
Step 1: Infrastructure overview
First, the scope of the infrastructure is queried via the interface. The current scan provides the following metrics:
Subdomains: 44
IP addresses: 24
Network nodes: 183
Network connections: 415
The discovered subdomains include, among others: app.locaterisk.com, preview.locaterisk.com, n8n.locaterisk.com, zulip.locaterisk.com, snake.locaterisk.com, konzern.locaterisk.com, desk.locaterisk.com, cal.locaterisk.com, backend.locaterisk.com, testing.locaterisk.com, ct.locaterisk.com and app-staging.locaterisk.com.
Step 2: Tracing the discovery path
To clarify the origin of the unknown IP, the IT manager issues a direct command to his AI:
„How was 49.12.87.60 discovered?“
The MCP interface provides two unique discovery paths:
Path 1: Via the reverse DNS entry of the provider (static.60.87.12.49.clients.your-server.de).
Path 2: Via the subdomain preview.locaterisk.com, which points directly to this IP via a DNS entry.
This proves it: The host belongs to the organization, as its own subdomain actively points to this address.
Step 3: Network context for suspicious services
The IT specialist would now like to know what is behind other unknown subdomains:
„Show the network graph for zulip.locaterisk.com.“
The analysis shows: locaterisk.com is linked to zulip.locaterisk.com via the CRT_MEMBER (SSL certificate) and SUBDOMAIN (DNS enumeration) findings. The host operates an instance of the open source chat app „Zulip“.
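As an added illustration (not LocateRisk's own code or the output of its MCP tools), the following Python models the queries from Steps 1 to 3: every finding is an edge in a graph labelled with its finding type, a path query enumerates all routes from the root domain to a node, and a reachability check lists nodes with no route at all. The sample findings are constructed to mirror the case study; DNS_A and PTR are assumed labels, and the orphan host is invented to exercise the scope check.

```python
from collections import defaultdict
# Constructed findings mirroring the case study: (source, finding_type, target).
# SUBDOMAIN and CRT_MEMBER are the labels the page shows; DNS_A (A record) and
# PTR (reverse DNS) are assumed labels. The orphan host is invented.
FINDINGS = [
    ("locaterisk.com", "SUBDOMAIN", "preview.locaterisk.com"),
    ("locaterisk.com", "SUBDOMAIN", "zulip.locaterisk.com"),
    ("locaterisk.com", "CRT_MEMBER", "zulip.locaterisk.com"),
    ("preview.locaterisk.com", "DNS_A", "49.12.87.60"),
    ("49.12.87.60", "PTR", "static.60.87.12.49.clients.your-server.de"),
    ("orphan-host.example", "DNS_A", "198.51.100.7"),
]

def build_graph(findings):
    """Adjacency list: node -> [(finding_type, neighbour), ...]."""
    graph = defaultdict(list)
    for src, kind, dst in findings:
        graph[src].append((kind, dst))
    return graph

def discovery_paths(graph, root, target):
    """All simple paths from root to target as lists of (node, finding, node)."""
    paths = []
    def walk(node, path, seen):
        if node == target:
            paths.append(list(path))
            return
        for kind, nxt in graph.get(node, []):
            if nxt not in seen:  # skip cycles such as CNAME loops
                path.append((node, kind, nxt))
                walk(nxt, path, seen | {nxt})
                path.pop()
    walk(root, [], {root})
    return paths

def unreachable_nodes(graph, root):
    """Nodes with no discovery path from the root: scope-cleanup candidates."""
    seen, stack = {root}, [root]
    while stack:
        for _, nxt in graph.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    nodes = set(graph) | {d for adj in graph.values() for _, d in adj}
    return nodes - seen

if __name__ == "__main__":
    g = build_graph(FINDINGS)
    print(discovery_paths(g, "locaterisk.com", "49.12.87.60"), unreachable_nodes(g, "locaterisk.com"))
```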
Result: Clarity about identified systems in seconds
By transparently displaying the discovery paths, the IT manager can clean up the entire attack surface:
Identify shadow IT: Services such as n8n, Zulip and Snake were recognized as exposed services.
Find staging environments: Three systems (testing, preview, app staging) should not be public.
Clarify responsibilities: Each host has a traceable path from the root domain.
Clean up scope: Hosts that do not belong can be removed directly from the scan.
Findings
The evaluation of the 44 subdomains provides the following recommendations for action:
Production systems (5 found): These include app, www and backend. No change is required here.
Internal services (4 found): These include n8n, zulip, cal and desk. Action: Check access protection.
Staging/test (3 found): This includes testing, preview and app staging. Action: Restrict public access.
Other systems (3 found): These include snake, konzern and ct. Action: Identify the person responsible.
Time saving
Without the MCP interface, log files, DNS entries and SSL certificates would have to be correlated manually in order to reconstruct these paths. This process usually takes several hours. The LocateRisk MCP interface provides the answer in less than 10 seconds.
Compliance and digital sovereignty
The seamless traceability of the infrastructure is a basic prerequisite for NIS-2 compliance and IT baseline protection. LocateRisk operates its analysis platform in certified data centers in Germany and the EU. This guarantees that sensitive information about your attack surface is processed in compliance with the GDPR and remains protected from access under the US Cloud Act.
A major advantage of the MCP interface is sovereignty in the choice of model. Companies can connect their own AI infrastructure - such as locally hosted instances of Llama 3 or private instances of ChatGPT - directly. Since data processing at LocateRisk takes place in certified data centers in Germany and the EU, the entire chain remains GDPR-compliant and protected from the US Cloud Act.
With access to the complete history of over 60 scans, an AI can use MCP to perform a precise delta analysis. It immediately identifies deviations from the target state, such as new open ports, changed SSL ciphers or unknown subdomains. Instead of sifting through hundreds of findings, the analyst receives a prioritized report on the specific change and its risk impact.
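To show what the delta analysis above amounts to, here is an added Python example (not LocateRisk's export format or MCP API): two constructed scan snapshots are compared and the differences come back as a priority-ordered list covering the three deviation types named in the text. The snapshot layout, the priority levels and the weak-cipher markers are assumptions.

```python
# Constructed scan snapshots; the layout is an assumption, not LocateRisk's
# export format. The sample values mirror the page's case study.
PREVIOUS_SCAN = {
    "subdomains": {"app.locaterisk.com", "preview.locaterisk.com"},
    "hosts": {"49.12.87.60": {"ports": {443},
                              "ciphers": {"TLS_AES_256_GCM_SHA384"}}},
}
CURRENT_SCAN = {
    "subdomains": {"app.locaterisk.com", "preview.locaterisk.com",
                   "snake.locaterisk.com"},
    "hosts": {"49.12.87.60": {"ports": {443, 8080},
                              "ciphers": {"TLS_AES_256_GCM_SHA384",
                                          "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}}},
}

# Assumed triage rules: priority 1 is the most urgent. A cipher name that
# contains one of these markers is treated as weak.
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "MD5")
EMPTY_HOST = {"ports": set(), "ciphers": set()}

def scan_delta(prev, curr):
    """Return (priority, change_type, detail) tuples, most urgent first."""
    changes = []
    for sub in sorted(curr["subdomains"] - prev["subdomains"]):
        changes.append((3, "new subdomain", sub))
    for host, now in curr["hosts"].items():
        before = prev["hosts"].get(host, EMPTY_HOST)
        if host not in prev["hosts"]:
            changes.append((2, "new host", host))
        for port in sorted(now["ports"] - before["ports"]):
            changes.append((1, "new open port", f"{host}:{port}"))
        for cipher in sorted(now["ciphers"] - before["ciphers"]):
            weak = any(m in cipher for m in WEAK_CIPHER_MARKERS)
            kind = "weak cipher added" if weak else "cipher added"
            changes.append((1 if weak else 2, kind, f"{host} {cipher}"))
        for cipher in sorted(before["ciphers"] - now["ciphers"]):
            changes.append((3, "cipher removed", f"{host} {cipher}"))
    return sorted(changes)

if __name__ == "__main__":
    for prio, kind, detail in scan_delta(PREVIOUS_SCAN, CURRENT_SCAN):
        print(f"P{prio} {kind}: {detail}")
```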
Since LocateRisk provides the MCP interface as a technical enabler and control over the selected AI model lies with the customer, this setup supports a transparent and responsible use of AI. The transmitted data payloads are of a purely technical nature. This facilitates compliance with European AI regulations, as no black-box decisions are enforced and the analysis logic remains within the user's sphere of control.
The interface allows technical scan results to be compared directly with the 639 available questionnaire templates (e.g. for TISAX or ISO 27001). An AI can immediately compare the technical facts with the suppliers' self-declarations. This shortens the process from selective checks to continuous monitoring of the cyber supply chain (CSCRM) and saves weeks of correspondence time.
Request your personal Live-Demo now
Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.
Want to find out more, book a demo or simply exchange ideas? We look forward to hearing from you!