Velociraptor
VelociraptorMCP is a Model Context Protocol bridge for exposing LLMs to MCP clients.
What is Velociraptor?
Velociraptor is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to velociraptormcp is a model context protocol bridge for exposing llms to mcp clients.
VelociraptorMCP is a Model Context Protocol bridge for exposing LLMs to MCP clients.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- VelociraptorMCP is a Model Context Protocol bridge for expos
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx mcp-velociraptorConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Velociraptor
mcp-velociraptor is a Python-based MCP bridge that connects AI assistants like Claude to Velociraptor, the open-source endpoint monitoring and digital forensics platform. It exposes tools for executing Velociraptor Query Language (VQL) artifacts, running forensic triage collections on Windows endpoints, and dynamically discovering available artifacts — making it possible to conduct incident response investigations through natural language prompts instead of manual Velociraptor CLI commands. Security analysts use it to query network connections, identify suspicious processes, and collect forensic evidence across managed endpoints.
Prerequisites
- A running Velociraptor server with API access enabled
- A Velociraptor API credentials file (`api_client.yaml`) generated with administrator and API roles
- Python 3.9 or later installed
- An MCP client such as Claude Desktop
- The `VELOCIRAPTOR_API_CONFIG` environment variable set to the path of your `api_client.yaml`
Generate a Velociraptor API configuration file
On your Velociraptor server, generate an API client config with administrator and API roles. Place the resulting `api_client.yaml` in a secure, accessible location.
velociraptor --config /etc/velociraptor/server.config.yaml config api_client --name mcp-client --role administrator,api api_client.yamlClone the mcp-velociraptor repository
Clone the repository and place your `api_client.yaml` in the root of the cloned directory for the test script to find it.
git clone https://github.com/mgreen27/mcp-velociraptor.git
cd mcp-velociraptor
cp /path/to/api_client.yaml .Install Python dependencies
Install the required Python packages for the MCP bridge.
pip install -r requirements.txtVerify connectivity with the test script
Run the included test script with the API config path set to confirm the bridge can reach your Velociraptor server.
VELOCIRAPTOR_API_CONFIG=./api_client.yaml python test_connection.pyConfigure your MCP client
Add the bridge to your `claude_desktop_config.json`, pointing to the Python executable and setting the required `VELOCIRAPTOR_API_CONFIG` environment variable.
Velociraptor Examples
Client configuration
Add this to `claude_desktop_config.json` to connect Claude Desktop to your Velociraptor server via the MCP bridge.
{
"mcpServers": {
"mcp-velociraptor": {
"command": "python",
"args": ["/path/to/mcp-velociraptor/server.py"],
"env": {
"VELOCIRAPTOR_API_CONFIG": "/path/to/api_client.yaml",
"VELOCIRAPTOR_ORG_ID": "",
"VELOCIRAPTOR_DEBUG_VQL": "0"
}
}
}
}Prompts to try
Use these prompts to conduct forensic investigation and incident response via Claude.
- "Show me all active network connections on endpoint DESKTOP-ABC123 and flag any suspicious processes."
- "Which Velociraptor artifacts target the Windows USN journal?"
- "Run a forensic triage collection on LAPTOP-XYZ and summarize the results."
- "List all scheduled tasks on the compromised machine and identify anything unusual."
- "Collect browser history artifacts from the endpoint for the past 48 hours."Troubleshooting Velociraptor
Connection refused or gRPC error when starting the bridge
Verify your Velociraptor server is running and the API port is reachable from the machine running the bridge. Check `api_client.yaml` contains the correct server address and port, and that the certificate is valid.
Artifact collection returns no results or empty data
Ensure the target endpoint is online and communicating with the Velociraptor server. For multi-tenant deployments, set `VELOCIRAPTOR_ORG_ID` to the correct organization ID. Enable VQL debug logging with `VELOCIRAPTOR_DEBUG_VQL=1` to inspect the raw queries being sent.
Permission denied errors when running artifacts
Confirm the API client was created with both `administrator` and `api` roles. Regenerate the `api_client.yaml` if the roles were not set correctly at creation time.
Frequently Asked Questions about Velociraptor
What is Velociraptor?
Velociraptor is a Model Context Protocol (MCP) server that velociraptormcp is a model context protocol bridge for exposing llms to mcp clients. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Velociraptor?
Follow the installation instructions on the Velociraptor GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Velociraptor?
Velociraptor works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Velociraptor free to use?
Yes, Velociraptor is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
Velociraptor Alternatives — Similar Security Servers
Looking for alternatives to Velociraptor? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Velociraptor in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Velociraptor?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.