Security advisory methodologies — maturity models, budget frameworks, benchmarks, tool taxonomy, staffing models, vendor evaluation. Part of the Ansvar MCP Network.
Security Advisory MCP
Structured advisory content for security program planning: maturity assessment, budget frameworks, industry benchmarks, tool selection, staffing models, vendor evaluation, insurance guidance, and certification paths.
Quick Start
Remote (HTTP)
Add to your MCP client configuration:
```json
{
  "mcpServers": {
    "security-advisory": {
      "url": "https://security-advisory-mcp.vercel.app/mcp"
    }
  }
}
```
Local (stdio)
```json
{
  "mcpServers": {
    "security-advisory": {
      "command": "npx",
      "args": ["@ansvar/security-advisory-mcp"]
    }
  }
}
```
Docker
```bash
docker build -t security-advisory-mcp .
docker run -p 3000:3000 security-advisory-mcp
```
What's Included
| Category | Items | Sources |
|----------|-------|---------|
| Maturity models | 6 models (NIST CSF 2.0, C2M2, CMMI, BSIMM, SSE-CMM, ISO 27001) | NIST, DOE, ISACA, Synopsys, ISO |
| Budget frameworks | 7 templates (by org size + compliance programs + ROI) | Gartner, IANS, industry surveys |
| Industry benchmarks | Spending, team size, MTTD/MTTC, breach costs, tool adoption | IBM/Ponemon, SANS, ISC2 |
| Tool taxonomy | 10 categories with evaluation criteria and cost ranges | Analyst reports, vendor documentation |
| Staffing models | 4 org sizes + SOC tier structure with roles and salaries | SANS, ISC2, IANS workforce studies |
| Insurance guidance | Coverage types, application prep, claims process, policy eval | NAIC, Marsh, Aon, Coalition |
| Vendor evaluation | RFP template, scoring matrix, POC framework, contract checklist | NIST 800-161, ISO 27036 |
| Certification paths | 5 career tracks with 20+ certifications | ISC2, ISACA, CompTIA, GIAC, OffSec |
What's NOT Included
- Specific vendor product names or reviews (vendor-neutral by design)
- Real-time pricing (cost ranges are directional estimates)
- Regional salary data outside the US (planned for v1.1)
- Regulatory compliance content (covered by other Ansvar MCPs)
Available Tools
| Tool | Description |
|------|-------------|
| search_maturity_models | Search 6 maturity models by keyword or framework name |
| get_maturity_level | Get detailed tier information for a specific model |
| get_scoring_rubric | Get assessment scoring methodology for a model |
| search_benchmarks | Search industry benchmark data (spending, team size, breach cost) |
| get_budget_template | Get budget templates by org size or compliance framework |
| get_tool_category | Get tool category details (criteria, costs, build-vs-buy) |
| search_tool_criteria | Search tool evaluation criteria across all categories |
| get_staffing_model | Get staffing models by org size with roles and salaries |
| get_insurance_guidance | Get cyber insurance guidance by topic |
| get_tco_model | Get total cost of ownership model with ROI calculation |
| search_certifications | Search certification paths by career track |
| get_vendor_evaluation | Get vendor evaluation frameworks (RFP, scoring, POC, contract) |
| get_outsourcing_framework | Get build-vs-outsource decision framework |
| list_sources | List all data sources with provenance |
| about | Server metadata, stats, and network info |
| check_data_freshness | Per-source freshness report |
See TOOLS.md for full documentation with parameters, examples, and limitations.
Data Sources & Freshness
| Source | Authority | Refresh |
|--------|-----------|---------|
| NIST CSF 2.0 | NIST | On framework update |
| C2M2 v2.1 | US Department of Energy | On framework update |
| CMMI v2.0 | ISACA / CMMI Institute | On framework update |
| BSIMM14 | Synopsys | Annual |
| SSE-CMM / ISO 21827 | ISSEA / ISO | On standard update |
| Industry benchmarks | IBM/Ponemon, Gartner, SANS, ISC2 | Annual |
| Tool taxonomy | Ansvar Systems (curated) | Quarterly |
| Staffing, insurance, vendor, certifications | Ansvar Systems (curated) | Annual |
Check freshness programmatically with check_data_freshness.
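To turn the cadence table above into a check a practitioner can run against the tool's output, here is an added example (not part of this project's code): it builds the MCP JSON-RPC `tools/call` request for `check_data_freshness` and flags sources whose age exceeds their published cadence. The report layout (`source`, `refresh`, `last_updated`) and the sample records are assumptions, not the server's actual output.

```python
from datetime import date

# Refresh cadences from the Data Sources table, mapped to a maximum age in
# days. Event-driven cadences cannot be judged by age alone, so they are
# left unbounded (None) and must be verified against the publisher.
CADENCE_MAX_AGE_DAYS = {
    "Annual": 365,
    "Quarterly": 90,
    "On framework update": None,
    "On standard update": None,
}

def build_freshness_request(request_id=1):
    """JSON-RPC 2.0 body (MCP tools/call) for the check_data_freshness tool."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "check_data_freshness", "arguments": {}},
    }

def stale_sources(report, today):
    """Return sources whose last_updated is older than their cadence allows.
    Report layout (source / refresh / last_updated) is an assumption.
    Unknown cadences are reported as stale rather than silently trusted."""
    stale = []
    for entry in report:
        limit = CADENCE_MAX_AGE_DAYS.get(entry["refresh"], -1)
        if limit is None:
            continue  # event-driven cadence: age alone says nothing useful
        age = (today - date.fromisoformat(entry["last_updated"])).days
        if limit < 0 or age > limit:
            stale.append(entry["source"])
    return stale

# Constructed sample report in the assumed layout, not real server output.
SAMPLE_REPORT = [
    {"source": "BSIMM14", "refresh": "Annual", "last_updated": "2023-09-01"},
    {"source": "Tool taxonomy", "refresh": "Quarterly", "last_updated": "2024-11-15"},
    {"source": "NIST CSF 2.0", "refresh": "On framework update", "last_updated": "2024-02-26"},
    {"source": "Constructed feed", "refresh": "Monthly", "last_updated": "2025-01-10"},
]

def demo():
    # Evaluate the constructed report as of a fixed date.
    return stale_sources(SAMPLE_REPORT, date(2025, 1, 20))

if __name__ == "__main__":
    print(build_freshness_request())
    print(demo())  # ['BSIMM14', 'Constructed feed']
```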
Disclaimer
This is NOT professional advice. This tool provides structured reference data sourced from authoritative publications. It is for informational and research purposes only. Always verify critical data against authoritative sources before making security, compliance, procurement, or hiring decisions. See DISCLAIMER.md.
Ansvar MCP Network
This server is part of the Ansvar MCP Network -- 157+ MCP servers providing structured access to global legislation, compliance frameworks, and cybersecurity standards.
| Category | Servers | Coverage |
|----------|---------|----------|
| Law jurisdictions | 108 | 119 countries, 668K+ laws |
| EU regulations | 1 | 61 regulations, 4,054 articles |
| Security frameworks | 1 | 262 frameworks, 1,451 controls |
| Domain-specific | ~50 | CVE, STRIDE, sanctions, OWASP, and more |
Development
Setup
```bash
npm install
npm install --save-dev yaml   # Required for build:db
npm run build:db              # Build SQLite database from YAML content
npm run build                 # Compile TypeScript
```
Run locally
```bash
npm run dev    # HTTP server on port 3000
npm start      # Production HTTP server
```
Branch strategy
feature-branch -> PR to dev -> verify on dev -> PR to main -> deploy
License
Apache 2.0 -- see LICENSE.
Data sources carry their own licenses -- see sources.yml for details. NIST and DOE content is public domain (US government works). BSIMM framework overview is publicly available. Curated content by Ansvar Systems is Apache 2.0.
Built by Ansvar Systems -- part of the Ansvar MCP Network providing structured access to global legislation, compliance frameworks, and cybersecurity standards.