REMnux

v0.1.41Securitystable

Enables AI assistants to execute malware analysis tools on a REMnux system via Docker, SSH, or local connections. It provides automated file-type analysis, structured tool discovery, and security guardrails for streamlined malware investigation.

mcpmodel-context-protocolremnuxmalware-analysisreverse-engineering
Share:
82
Stars
0
Downloads
0
Weekly
0/5

What is REMnux?

REMnux is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to enables ai assistants to execute malware analysis tools on a remnux system via docker, ssh, or local connections. it provides automated file-type analysis, structured tool discovery, and security guar...

Enables AI assistants to execute malware analysis tools on a REMnux system via Docker, SSH, or local connections. It provides automated file-type analysis, structured tool discovery, and security guardrails for streamlined malware investigation.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Enables AI assistants to execute malware analysis tools on a

Use Cases

Execute malware analysis tools on REMnux via Docker or SSH.
Automate reverse engineering and threat analysis.
Perform structured tool discovery for security investigations.
REMnux

Maintainer

LicenseGPL 3.0
Languagetypescript
Versionv0.1.41
UpdatedMay 21, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

NPM

npx -y @remnux/mcp-server

Manual Installation

npx -y @remnux/mcp-server

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use REMnux

The REMnux MCP Server bridges AI assistants like Claude to the REMnux malware analysis Linux distribution, exposing 14 specialized tools for file analysis, IOC extraction, reverse engineering, and threat investigation. It supports three connection modes — local stdio, Docker container, and SSH to a remote VM — making it flexible for both air-gapped sandbox environments and cloud-hosted REMnux instances. Security analysts and incident responders can ask Claude to analyze suspicious files, run specific REMnux tools like capa or floss, and produce structured investigation reports without leaving their AI interface.

Prerequisites

  • Node.js 18 or later on the machine running the MCP server
  • REMnux environment available via one of: local installation, Docker (remnux/remnux-distro:noble image), or SSH-accessible VM
  • Docker Desktop (for Docker mode) or SSH client and credentials (for SSH mode)
  • An MCP-compatible AI client: Claude Desktop, Claude Code, or similar
  • No API keys required — authentication is only needed for HTTP transport mode
1

Pull the REMnux Docker container

For the recommended Docker mode, pull the official REMnux image. This gives you an isolated malware analysis environment with hundreds of pre-installed tools.

docker pull remnux/remnux-distro:noble
docker run -d --name remnux remnux/remnux-distro:noble
2

Add the MCP server to Claude Code

Use the Claude Code CLI to register the REMnux MCP server in Docker mode. The server will execute commands inside the running remnux container.

claude mcp add remnux -- npx @remnux/mcp-server --mode=docker --container=remnux
3

Enable sandboxing for safer file uploads

Use the --sandbox and --ingest-root flags to restrict file access to a specific samples directory on your host machine, reducing risk of exposing sensitive files.

claude mcp add remnux -- npx @remnux/mcp-server --mode=docker \
  --container=remnux --sandbox --ingest-root="$HOME/remnux-samples"
4

Configure for SSH mode (remote REMnux VM)

If REMnux is running on a remote VM, use SSH mode instead of Docker. Provide the VM's IP address and your SSH username.

claude mcp add remnux -- npx @remnux/mcp-server --mode=ssh \
  --host=YOUR_VM_IP --user=remnux
5

Verify the connection and available tools

Ask Claude to list the available REMnux tools to confirm the MCP server is connected and the container is reachable.

REMnux Examples

Client configuration

Add the REMnux MCP server to claude_desktop_config.json for Docker mode with sandboxing enabled.

{
  "mcpServers": {
    "remnux": {
      "command": "npx",
      "args": [
        "@remnux/mcp-server",
        "--mode=docker",
        "--container=remnux",
        "--sandbox",
        "--ingest-root=/home/user/remnux-samples"
      ]
    }
  }
}

Prompts to try

Example analyst prompts that leverage the 14 REMnux tools exposed by the MCP server.

- "Analyze the file sample.exe in my REMnux sandbox and identify what type of malware it is."
- "Run capa on sample.exe with verbose output and summarize the detected capabilities."
- "Extract all indicators of compromise from this analysis output: [paste output]"
- "What REMnux tools would you recommend for analyzing a suspicious PDF?"
- "Upload suspicious.zip to REMnux, extract it, and list the contents."

Troubleshooting REMnux

Error: container 'remnux' not found

The Docker container must be running before the MCP server starts. Run `docker start remnux` or `docker run -d --name remnux remnux/remnux-distro:noble` to start it. Verify with `docker ps | grep remnux`.

SSH mode fails with 'Permission denied' or connection timeout

Ensure your SSH key is added to the REMnux VM's authorized_keys for the specified user. Test the connection manually with `ssh remnux@YOUR_VM_IP` before using the MCP server. If using a non-standard port, add --ssh-port to the command.

Tool output is truncated for large analysis results

The server enforces a 40KB output limit per tool call by default. For tools that produce large output (like capa -vv), ask Claude to run the tool with less verbose flags first, or use get_report_template to structure a multi-step investigation.

Frequently Asked Questions about REMnux

What is REMnux?

REMnux is a Model Context Protocol (MCP) server that enables ai assistants to execute malware analysis tools on a remnux system via docker, ssh, or local connections. it provides automated file-type analysis, structured tool discovery, and security guardrails for streamlined malware investigation. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install REMnux?

Install via npm with the command: npx -y @remnux/mcp-server. Then add the server configuration to your AI client's JSON config file (e.g., claude_desktop_config.json or .cursor/mcp.json).

Which AI clients work with REMnux?

REMnux works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is REMnux free to use?

Yes, REMnux is open source and available under the GPL 3.0 license. You can use it freely in both personal and commercial projects.

REMnux Alternatives — Similar Security Servers

Looking for alternatives to REMnux? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "remnux-mcp-server": { "command": "npx", "args": ["-y", "@remnux/mcp-server"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use REMnux?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides