Automating the MCP Servers Discovery with Claude Sonnet 4

By the Knostic Research Team

Security research often involves sifting through digital noise to find needles in a haystack. Manually searching Shodan for hundreds of query variations and then validating each potential target would have taken months. It's a soul-crushing exercise in repetition that's prone to human error. To tackle this, we experimented with how less programming-savvy attackers might approach the problem, and did a little vibe coding.

For this research, our dance partner was the Claude Sonnet 4 model. We chose it specifically for its strong reasoning and coding abilities, its large context window (which allows it to remember the entire conversation and the state of the code), and its knack for understanding complex, multi-part instructions. But, we didn't just bark orders at it. We had a conversation.

The development of our mcp_scanner.py script began with a detailed, high-level prompt that established our intent: 

"I need a sophisticated, asynchronous Python script to discover MCP servers using the 'shodan' and 'asyncio' libraries. It should be structured as a class, MCPServerScanner. The class needs to take a Shodan API key and a list of over 100 query strings. Its primary method will iterate through these queries, making concurrent API calls to Shodan, and collect all unique IP:Port results into a single list, ensuring there are no duplicates. It also needs robust error handling for common Shodan API failures, network timeouts, and rate limits, with a built-in retry mechanism with exponential backoff. The final output should be a clean list of potential targets."

Claude instantly provided the scaffolding—the class structure, the asynchronous function definitions, the basic loops, and the API call logic. From there, it was a partnership of refinement. The conversation went something like this:

• Human: "This is great. Now, let's add a function to save the final results to a timestamped CSV file. The columns should be IP, Port, and the Shodan filter that found it."
• Claude: (Generates the CSV writing function.)
• Human: "Good, but let's make it more robust. Wrap the file I/O in a try...except block to handle potential write errors. Also, let's add logging using Python's logging module to track which filters are being run and how many results each one yields."
• Claude: (Refactors the code to include error handling and detailed logging.)
• Human: "Let's think about organization. The list of 100+ Shodan filters is getting unwieldy. Let's move it into a separate configuration file, maybe a simple text file, that the script reads on startup."
• Claude: (Generates the code to read filters from an external file.)

This synergy was transformative. But, unlike true vibe coding, this was never a blind "copy-paste." A human from the Knostic team was always in the loop. Every single line of code generated by the AI was reviewed for logical correctness, potential security vulnerabilities (like command injection or improper handling of external data), and adherence to Python best practices. While AI accelerated the process, human expertise provided critical oversight, architectural direction, and final quality assurance to ensure a working tool.

This approach allowed us to build two sophisticated, purpose-built tools—mcp_scanner.py for discovery and mcp_func_checker.py for verification—in a fraction of the time it would have taken with traditional development methods. It turned a multi-month project into a short run experiment, allowing us to spend less time on tedious coding and more time on the high-level analysis that truly matters. 

New to our MCP series? Catch up first: start with the basics in What is a “Model Context Protocol” Server in GenAI, learn to locate live instances in How to Find an MCP Server with Shodan, dig into data flow in How MCP Servers Communicate, and lock them down in 4 Best Strategies to Secure Model Context Protocol.