Security Detections

v3.2.2Securitystable

MCP to help Defenders Detection Engineer Harder and Smarter

detection-engineeringmcpsecuritydetectionssigma
Share:
439
Stars
0
Downloads
0
Weekly
0/5

What is Security Detections?

Security Detections is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to mcp to help defenders detection engineer harder and smarter

MCP to help Defenders Detection Engineer Harder and Smarter

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • MCP to help Defenders Detection Engineer Harder and Smarter

Use Cases

Support detection engineers with Sigma rules and SIEM analytics.
Streamline detection engineering with AI-powered rule optimization.
MHaggis

Maintainer

LicenseMIT
Languagetypescript
Versionv3.2.2
UpdatedMay 21, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

NPM

npx -y security-detections-mcp

Manual Installation

npx -y security-detections-mcp

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Security Detections

Security Detections MCP is a detection engineering assistant that gives AI models access to a curated library of over 8,200 security detection rules spanning Sigma, Splunk ESCU, Elastic, KQL/Kusto, Sublime Security, and CrowdStrike CQL formats. It integrates MITRE ATT&CK knowledge — including 172 threat actors, 784 software entries, and 4,362 relationships — so defenders can query coverage gaps, map detections to techniques, and run threat emulation exercises directly from their AI client. Teams use it to accelerate detection-engineering sprints, assess ransomware readiness, and generate executive-level security briefings without switching tools.

Prerequisites

  • Node.js 18 or later (for the local npx-based deployment)
  • An MCP-compatible client such as Claude Desktop, Claude Code, or Cursor
  • Local detection rule repositories (Sigma, Splunk, Elastic, KQL, etc.) if running local mode with custom paths
  • A hosted-tier API token (sdmcp_…) if using the cloud endpoint at detect.michaelhaag.org
1

Choose a deployment mode

Security Detections MCP offers two modes. The local NPX mode indexes your own rule repositories via environment variables and exposes 81 tools with full read/write capability. The hosted HTTP mode connects to a pre-indexed cloud library (200 calls/day free, read-only) using a bearer token — ideal for getting started quickly without managing rule files.

2

Install the local server via npx

For local mode, add the server to your MCP client using the npx command. No global install is required; npx downloads and caches the package automatically.

claude mcp add security-detections -- npx -y security-detections-mcp
3

Point the server at your detection repositories

Set environment variables to the directories holding your rule files. Each variable accepts a colon-separated list of absolute paths. SIGMA_PATHS, SPLUNK_PATHS, ELASTIC_PATHS, KQL_PATHS, SUBLIME_PATHS, and CQL_HUB_PATHS control which formats are indexed. ATTACK_STIX_PATH should point to enterprise-attack.json if you want offline MITRE data.

export SIGMA_PATHS="/data/sigma-rules:/data/custom-sigma"
export SPLUNK_PATHS="/data/splunk-escu"
export ELASTIC_PATHS="/data/elastic-rules"
export KQL_PATHS="/data/kql-hunting"
export ATTACK_STIX_PATH="/data/mitre/enterprise-attack.json"
4

Configure Claude Desktop (local mode)

Add the server block to your claude_desktop_config.json file. Pass the environment variables inside the env key so the server can locate your rule directories at startup.

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/data/sigma-rules",
        "SPLUNK_PATHS": "/data/splunk-escu",
        "ELASTIC_PATHS": "/data/elastic-rules",
        "KQL_PATHS": "/data/kql-hunting",
        "ATTACK_STIX_PATH": "/data/mitre/enterprise-attack.json"
      }
    }
  }
}
5

Configure the hosted HTTP endpoint (optional)

If you prefer the pre-indexed cloud library, use the HTTP transport instead and supply your API bearer token. You can obtain a free token from the project's hosted endpoint.

claude mcp add --transport http security-detections \
  https://detect.michaelhaag.org/api/mcp/mcp \
  --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
6

Trigger a re-index after adding new rules

Once the server is running, ask the AI to re-index your detection directories whenever you add new rule files. The server will scan the configured paths and update its in-memory index.

Security Detections Examples

Client configuration

Minimal claude_desktop_config.json for the local npx mode with Sigma and KQL paths configured.

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/home/analyst/sigma-rules",
        "KQL_PATHS": "/home/analyst/kql-queries"
      }
    }
  }
}

Prompts to try

Detection engineering and threat analysis prompts that use the server's built-in expert workflows.

- "Run a ransomware-readiness-assessment against our current detection coverage"
- "What MITRE ATT&CK techniques related to credential dumping do we have Sigma rules for?"
- "Run an apt-threat-emulation for APT29 and show me gaps in our Elastic rules"
- "Show me all KQL hunting queries that cover T1059 Command and Scripting Interpreter"
- "Generate an executive-security-briefing summarising our top five coverage gaps"

Troubleshooting Security Detections

Server starts but no detections are found

Verify that the SIGMA_PATHS / SPLUNK_PATHS / ELASTIC_PATHS / KQL_PATHS environment variables are set to absolute paths that exist and contain valid rule files. The server will silently skip directories that are empty or inaccessible.

Hosted endpoint returns 401 Unauthorized

Check that your bearer token starts with 'sdmcp_' and is passed exactly as shown. Tokens are case-sensitive. If the token has expired, request a new one from the hosted platform.

MITRE ATT&CK lookups return no results

The ATTACK_STIX_PATH must point to a valid enterprise-attack.json file downloaded from the MITRE CTI repository (https://github.com/mitre/cti). Ensure the file is readable and the path is absolute.

Frequently Asked Questions about Security Detections

What is Security Detections?

Security Detections is a Model Context Protocol (MCP) server that mcp to help defenders detection engineer harder and smarter It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Security Detections?

Install via npm with the command: npx -y security-detections-mcp. Then add the server configuration to your AI client's JSON config file (e.g., claude_desktop_config.json or .cursor/mcp.json).

Which AI clients work with Security Detections?

Security Detections works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Security Detections free to use?

Yes, Security Detections is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

Security Detections Alternatives — Similar Security Servers

Looking for alternatives to Security Detections? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "security-detections-mcp": { "command": "npx", "args": ["-y", "security-detections-mcp"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Security Detections?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides