Buyer problem
Teams still bounce between report pages, passive-DNS tabs, chat notes, and escalation documents. The first ten to fifteen minutes of every investigation are often spent rebuilding context that another analyst already had.
Start with the first workflow that is easiest to buy and install, then expand into the next agent loops. Each use case below maps the current Syndu MCP offer to a buyer problem, the existing tool surface, and the operational value that falls out of it.
This is the easiest first workflow to buy, install, and expand. An analyst or agent resolves the risky identifier, explains the surrounding evidence, and saves the conclusion in one governed loop.
Teams still bounce between report pages, passive-DNS tabs, chat notes, and escalation documents. The first ten to fifteen minutes of every investigation are often spent rebuilding context that another analyst already had.
Syndu MCP keeps the whole investigation inside one client loop: resolve the subject, fetch the report snapshot, explain the risk, branch into related entities, and store the conclusion back into workspace memory.
Use Syndu MCP when the same subnet, org, or service keeps returning and you want the next analyst, shift, or automation to start from the last real outcome instead of from zero.
Recurring activity often gets re-triaged because the prior conclusion lives in a stale ticket comment, a private note, or a chat session that the next analyst never sees.
Workspace memory is private by default and shared across every MCP credential in the account. Agents can look up prior outcome events, append fresh observations, and preserve the next handoff object as a typed result.
Turn explained risk into reusable detection or escalation material while the evidence is still fresh, instead of forcing analysts to rewrite the same logic later.
Even when teams understand why an entity looks risky, the insight often dies as prose in chat and never becomes a detection draft, playbook fragment, or reusable note.
The current toolset already lets agents explain dimensional risk and turn that evidence into a structured next step. The memory layer keeps those drafts and notes attached to the relevant subjects for later reuse.
The writeable subject model is broader than the public report graph, so teams can investigate email, session, device, account, and transaction identifiers alongside the network context.
Fraud and abuse reviews rarely stop at an IP. Teams need to connect accounts, sessions, devices, email addresses, and transaction references without losing the network evidence that gave them the lead.
Syndu MCP accepts a broader identifier family in its memory layer, so agents can store and query workspace-safe outcomes for account, device, session, and transaction subjects while still using the outside-in graph as the investigation backbone.
Use the broader documentation surface when you need the commercial story, the Risk API contract, governance rules, or the install guidance around the hosted MCP server.
This is the public documentation hub for Syndu's shared cyber evidence and operating-memory platform: the evidence graph, the Risk API, the MCP server, and the governance layer that ties them together.
Syndu exposes a dimensional risk surface across network entities and geography: ip address, subnet, ISP, ASN, organization, city, region, and country. That same dimensional graph also powers the Risk API and MCP tools.
Syndu is an external context layer for monitoring, hygiene review, agent workflows, and decision support. It complements SoC and SIEM processes rather than replacing them.
The platform supports three access surfaces at scale: direct report access for large-scale browser or agent consumption, the Risk API for application-native scoring, and the MCP server for collaborative agent workflows.
Syndu is one platform with three access surfaces: direct access for report-shell consumption, API access for application-side scoring, and MCP access for agent collaboration. They sit under the same workspace, quota, and subscription control plane, but differ in delivery contract.
Score risky IPs in real time, report lightweight business feedback, and push structured identifier outcomes back into workspace memory from the same authenticated API surface. Syndu keeps the contract simple: `score` is the metered read path, while `rate` and `report` are authenticated writeback endpoints that do not consume score quota.
Registration unlocks the workspace control plane, plan selection, credential provisioning, and the subscription flow across web, API, and MCP access.