CTScout

Named-entity attribution from OV/EV Certificate Transparency

Map apex domains to the legal entities attributed in their OV/EV cert records. Search by company name to find their domains, or by domain to find the attributed organization. Data is built from public CT logs — passive, non-intrusive, updated weekly.

For account-to-domain enrichment, subsidiary discovery, and SAN-cohort analysis from LLM-driven workflows. DV-only infrastructure (Let's Encrypt, ZeroSSL, cloud-native shops) is out of scope by design. Not a cyber-risk-scoring tool — see LIMITATIONS.


How it works

  1. A certstream pipeline ingests ~2.5M certificate events per week
  2. OV/EV certificates carry the validated name of the organization they were issued to
  3. We extract apex domains, deduplicate, and aggregate by org
  4. org-domain pairs across organizations, searchable via API
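
The steps above as an added Python sketch (not CTScout's own code): filter OV/EV events, reduce SANs to apex domains, and aggregate by organization. It assumes events are already parsed into dicts with hypothetical keys subject_o, policy_oids and sans, treats a cert as OV/EV when it carries the CA/Browser Forum OV or EV policy OID plus a subject organization, and uses a three-entry stand-in for the Public Suffix List.

```python
from collections import defaultdict

# CA/Browser Forum certificate-policy OIDs for validated identities.
VALIDATED_POLICIES = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV"}
# Assumption: tiny stand-in for the Public Suffix List; a real pipeline
# would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def validation_level(cert):
    """Return "EV"/"OV" only if the cert names an org AND asserts the policy."""
    if not cert.get("subject_o"):
        return None
    for oid in cert.get("policy_oids", []):
        if oid in VALIDATED_POLICIES:
            return VALIDATED_POLICIES[oid]
    return None

def apex_domain(name):
    """Reduce a SAN dNSName (wildcards included) to its registrable domain."""
    labels = name.lower().rstrip(".").lstrip("*.").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:]) if len(labels) >= keep else None

def aggregate(certs):
    """Map normalized org name -> sorted unique apex domains, skipping DV."""
    pairs = defaultdict(set)
    for cert in certs:
        if validation_level(cert) is None:
            continue  # DV or org-less certs carry no entity to attribute
        org = " ".join(cert["subject_o"].split()).casefold()
        for san in cert.get("sans", []):
            apex = apex_domain(san)
            if apex:
                pairs[org].add(apex)
    return {org: sorted(domains) for org, domains in pairs.items()}

# Constructed sample events (not real CT data).
SAMPLE = [
    {"subject_o": "Example Bank PLC", "policy_oids": ["2.23.140.1.2.2"],
     "sans": ["www.example-bank.co.uk", "*.api.example-bank.co.uk"]},
    {"subject_o": "example bank  plc", "policy_oids": ["2.23.140.1.1"],
     "sans": ["pay.examplebank.com"]},
    {"subject_o": None, "policy_oids": ["2.23.140.1.2.1"],
     "sans": ["blog.example-bank.co.uk", "unrelated.example.net"]},
]

if __name__ == "__main__":
    print(aggregate(SAMPLE))
```

The DV event in the sample names the same apex as the OV cert but contributes nothing, which is why DV-only infrastructure never appears in this kind of dataset.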

API

# Search by company name
curl -X POST https://ctscout.dev/scan \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_KEY" \
  -d '{"company_name": "Goldman Sachs"}'

# Search by domain
curl ... -d '{"seed_domain": ["gs.com"]}'

# Both (OR logic)
curl ... -d '{"company_name": "Goldman Sachs", "seed_domain": ["gs.com"]}'

# Batch — up to 10 queries per request, single auth + single quota debit of N
curl -X POST https://ctscout.dev/scan/batch \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_KEY" \
  -d '{
    "queries": [
      {"company_name": "Goldman Sachs", "strict_match_org_only": true},
      {"company_name": "Morgan Stanley", "strict_match_org_only": true},
      {"seed_domain": ["gs.com"]}
    ]
  }'
# Response: { "results": [ {"query": {...}, "domains": [...], ...}, ... ],
#             "remaining_quota": 9527 }

Batch semantics: one auth check, one quota debit equal to len(queries), and per-query parallel execution (up to 10 in flight). The whole batch returns 400 with no partial debit if any query fails validation or if len(queries) > 10. The 10-query cap is set by the free-plan Worker subrequest limit, so pass strict_match_org_only: true on every query in the batch: non-strict queries can each trigger semantic-fallback subrequests that push a 10-query batch past the cap. The batch tool is not yet exposed via MCP; track ctscout-mcp#19 for the eventual MCP wrapper.


For AI agents (MCP)

Use ctscout from Claude Code, Claude Desktop, Cursor, or any client that speaks the Model Context Protocol. Two tools: ctscout_search_company and ctscout_lookup_domain.

Hosted endpoint — zero install. Add the following to your MCP client config (~/Library/Application Support/Claude/claude_desktop_config.json on Mac, %APPDATA%\Claude\claude_desktop_config.json on Windows, ~/.cursor/mcp.json for Cursor):

{
  "mcpServers": {
    "ctscout": {
      "type": "http",
      "url": "https://ctscout.dev/mcp",
      "headers": { "X-API-Key": "YOUR_KEY" }
    }
  }
}

If your client expects the legacy SSE transport (older Cursor builds, some self-hosted clients), swap the url to https://ctscout.dev/sse — same tools, same auth, different transport.

Or self-host with the published Node binary (stdio transport):

{
  "mcpServers": {
    "ctscout": {
      "command": "npx",
      "args": ["-y", "ctscout-mcp-server"],
      "env": { "CTSCOUT_API_KEY": "YOUR_KEY" }
    }
  }
}

Then ask Claude: "Use ctscout to find domains attributed to Cloudflare."

Source: github.com/minghsuy/ctscout-mcp (MIT). For Claude Code CLI configs and full setup, see the README.


Tiers

                 Free              Pro
Queries          10 / day          Unlimited
Results          Top 5             Top 25
History window   Last 90 days      Up to 12 months
Data             Weekly snapshot   Weekly snapshot
Price            $0                Concierge — email for access

Pro is currently manual: send a note describing your use case, get a key and an invoice. Self-service commerce will land when usage data justifies the build.


Get a free API key

No email. No account.

Save this key — it cannot be retrieved again.