Pan MCP Relay

v1.0.0Securitystable

Palo Alto Networks AI Runtime Security Model Context Protocol (MCP) Relay Server

pan-mcp-relaymcpai-integration
Share:
33
Stars
0
Downloads
0
Weekly
0/5

What is Pan MCP Relay?

Pan MCP Relay is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to palo alto networks ai runtime security model context protocol (mcp) relay server

Palo Alto Networks AI Runtime Security Model Context Protocol (MCP) Relay Server

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Palo Alto Networks AI Runtime Security Model Context Protoco

Use Cases

Relay AI security queries to Palo Alto Networks runtime security infrastructure.
Integrate AI-driven threat analysis with enterprise security platforms.
LicenseNOASSERTION
Languagepython
Versionv1.0.0
UpdatedMar 28, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx pan-mcp-relay

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Pan MCP Relay

Prisma AIRS MCP Security Relay by Palo Alto Networks is a security proxy that sits between your MCP client (Claude Desktop, Cursor, VS Code, AI agents) and any downstream MCP servers. It intercepts every tool description, tool call parameter, and tool response, scanning them in real time through the Prisma AIRS AI Runtime Security API to detect and block prompt injections, malicious URLs, sensitive data leakage, and other AI-specific threats. Teams that run AI coding assistants or agentic workflows in regulated or enterprise environments use pan-mcp-relay to add a consistent security layer without changing their existing MCP server configurations.

Prerequisites

  • Python 3.10 or higher with uv installed (recommended) — run 'curl -LsSf https://astral.sh/uv/install.sh | sh'
  • A Palo Alto Networks Strata Cloud Manager account with Prisma AIRS AI Runtime: API Intercept activated and onboarded
  • A Prisma AIRS API Key (PRISMA_AIRS_API_KEY) generated in Strata Cloud Manager under Manage > API Keys
  • A Prisma AIRS AI Security Profile name or ID (PRISMA_AIRS_AI_PROFILE) configured in Strata Cloud Manager
  • Claude Desktop, Cursor, or another MCP-compatible client
1

Install pan-mcp-relay via uv

Use uv to install the relay globally so it is always available on your PATH. Alternatively, run it without installing using uvx for one-off usage.

# Recommended: install globally
uv tool install pan-mcp-relay@latest

# Or run without installing
uvx pan-mcp-relay@latest --help
2

Obtain your Prisma AIRS API key and profile

Log into Strata Cloud Manager, navigate to Insights > Prisma AIRS > Prisma AIRS AI Runtime: API Intercept, then click Manage > API Keys to copy your key and Manage > Security Profiles to get your profile name.

3

Configure your MCP client to use the relay

The relay must be the only entry in your MCP client's mcpServers list. Downstream servers are configured inside the relay's own config file, not directly in the client. Any servers listed alongside the relay will not be protected.

4

Create a relay configuration file with your downstream servers

Create a YAML or JSON file that maps your downstream MCP servers. The relay will scan all traffic to and from those servers.

# ~/.config/pan-mcp-relay/mcp-relay.yaml
mcpServers:
  my-server:
    command: npx
    args: ["some-mcp-server"]
5

Start the relay and verify it is running

Run the relay using stdio transport (default for MCP clients) or HTTP/SSE for agent-based setups. Pass your API key and profile via environment variables or CLI flags.

PRISMA_AIRS_API_KEY=your-api-key \
PRISMA_AIRS_AI_PROFILE=your-profile-name \
uvx pan-mcp-relay --config-file ~/.config/pan-mcp-relay/mcp-relay.yaml

Pan MCP Relay Examples

Client configuration

Add only the relay to your claude_desktop_config.json. Supply the Prisma AIRS credentials as environment variables so the relay can authenticate to the security API.

{
  "mcpServers": {
    "pan-mcp-relay": {
      "command": "uvx",
      "args": [
        "pan-mcp-relay@latest",
        "--config-file",
        "~/.config/pan-mcp-relay/mcp-relay.yaml"
      ],
      "env": {
        "PRISMA_AIRS_API_KEY": "your-api-key",
        "PRISMA_AIRS_AI_PROFILE": "your-ai-profile",
        "MCP_RELAY_LOG_LEVEL": "WARNING"
      }
    }
  }
}

Prompts to try

The relay is transparent — you use your AI assistant normally. These prompts test that security scanning is active by seeing how the relay handles suspicious inputs.

- "Search the web for the latest Python security advisories" (tool call flows through the relay)
- "Read this file and summarize it" (relay scans tool response for sensitive data)
- Ask any question that invokes downstream MCP tools — the relay scans traffic automatically

Troubleshooting Pan MCP Relay

The relay starts but tool calls are blocked with a threat detection warning

This is expected behavior — the relay detected a potential threat in a tool description, parameter, or response. Review the relay logs (set MCP_RELAY_LOG_LEVEL=DEBUG) to see which scan category flagged the content, then adjust your AI Security Profile in Strata Cloud Manager if the block is a false positive.

Authentication failure: 'Invalid API key' or 'Profile not found'

Ensure PRISMA_AIRS_API_KEY is the full token from Strata Cloud Manager and PRISMA_AIRS_AI_PROFILE matches the exact profile name (case-sensitive). Run 'uvx pan-mcp-relay --show-config' to confirm the values being used.

Downstream MCP servers are not visible to the AI client

Confirm the relay config file path is correct and the YAML/JSON is valid. Also verify that the downstream servers are listed only in the relay config, not directly in the MCP client config — servers listed in both places are only protected if routed through the relay.

Frequently Asked Questions about Pan MCP Relay

What is Pan MCP Relay?

Pan MCP Relay is a Model Context Protocol (MCP) server that palo alto networks ai runtime security model context protocol (mcp) relay server It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Pan MCP Relay?

Follow the installation instructions on the Pan MCP Relay GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Pan MCP Relay?

Pan MCP Relay works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Pan MCP Relay free to use?

Yes, Pan MCP Relay is open source and available under the NOASSERTION license. You can use it freely in both personal and commercial projects.

Pan MCP Relay Alternatives — Similar Security Servers

Looking for alternatives to Pan MCP Relay? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "pan-mcp-relay": { "command": "npx", "args": ["-y", "pan-mcp-relay"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Pan MCP Relay?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides