Security Detections
MCP to help Defenders Detection Engineer Harder and Smarter
What is Security Detections?
Security Detections is a Model Context Protocol (MCP) server that works with AI assistants like Claude, Cursor, and VS Code to help defenders do detection engineering harder and smarter.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Installation
NPM
npx -y security-detections-mcp
How to Set Up and Use Security Detections
Security Detections MCP is a detection engineering assistant that gives AI models access to a curated library of over 8,200 security detection rules spanning Sigma, Splunk ESCU, Elastic, KQL/Kusto, Sublime Security, and CrowdStrike CQL formats. It integrates MITRE ATT&CK knowledge — including 172 threat actors, 784 software entries, and 4,362 relationships — so defenders can query coverage gaps, map detections to techniques, and run threat emulation exercises directly from their AI client. Teams use it to accelerate detection-engineering sprints, assess ransomware readiness, and generate executive-level security briefings without switching tools.
Prerequisites
- Node.js 18 or later (for the local npx-based deployment)
- An MCP-compatible client such as Claude Desktop, Claude Code, or Cursor
- Local detection rule repositories (Sigma, Splunk, Elastic, KQL, etc.) if running local mode with custom paths
- A hosted-tier API token (sdmcp_…) if using the cloud endpoint at detect.michaelhaag.org
Choose a deployment mode
Security Detections MCP offers two modes. The local NPX mode indexes your own rule repositories via environment variables and exposes 81 tools with full read/write capability. The hosted HTTP mode connects to a pre-indexed cloud library (200 calls/day free, read-only) using a bearer token — ideal for getting started quickly without managing rule files.
Install the local server via npx
For local mode, add the server to your MCP client using the npx command. No global install is required; npx downloads and caches the package automatically.
claude mcp add security-detections -- npx -y security-detections-mcp
Point the server at your detection repositories
Set environment variables to the directories holding your rule files. Each variable accepts a colon-separated list of absolute paths. SIGMA_PATHS, SPLUNK_PATHS, ELASTIC_PATHS, KQL_PATHS, SUBLIME_PATHS, and CQL_HUB_PATHS control which formats are indexed. ATTACK_STIX_PATH should point to enterprise-attack.json if you want offline MITRE data.
export SIGMA_PATHS="/data/sigma-rules:/data/custom-sigma"
export SPLUNK_PATHS="/data/splunk-escu"
export ELASTIC_PATHS="/data/elastic-rules"
export KQL_PATHS="/data/kql-hunting"
export ATTACK_STIX_PATH="/data/mitre/enterprise-attack.json"
Configure Claude Desktop (local mode)
Add the server block to your claude_desktop_config.json file. Pass the environment variables inside the env key so the server can locate your rule directories at startup.
{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/data/sigma-rules",
        "SPLUNK_PATHS": "/data/splunk-escu",
        "ELASTIC_PATHS": "/data/elastic-rules",
        "KQL_PATHS": "/data/kql-hunting",
        "ATTACK_STIX_PATH": "/data/mitre/enterprise-attack.json"
      }
    }
  }
}
Configure the hosted HTTP endpoint (optional)
If you prefer the pre-indexed cloud library, use the HTTP transport instead and supply your API bearer token. You can obtain a free token from the project's hosted endpoint.
claude mcp add --transport http security-detections \
  https://detect.michaelhaag.org/api/mcp/mcp \
  --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
Trigger a re-index after adding new rules
Once the server is running, ask the AI to re-index your detection directories whenever you add new rule files. The server will scan the configured paths and update its in-memory index.
Security Detections Examples
Client configuration
Minimal claude_desktop_config.json for the local npx mode with Sigma and KQL paths configured.
{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/home/analyst/sigma-rules",
        "KQL_PATHS": "/home/analyst/kql-queries"
      }
    }
  }
}
Prompts to try
Detection engineering and threat analysis prompts that use the server's built-in expert workflows.
- "Run a ransomware-readiness-assessment against our current detection coverage"
- "What MITRE ATT&CK techniques related to credential dumping do we have Sigma rules for?"
- "Run an apt-threat-emulation for APT29 and show me gaps in our Elastic rules"
- "Show me all KQL hunting queries that cover T1059 Command and Scripting Interpreter"
- "Generate an executive-security-briefing summarising our top five coverage gaps"
Troubleshooting Security Detections
Server starts but no detections are found
Verify that the SIGMA_PATHS / SPLUNK_PATHS / ELASTIC_PATHS / KQL_PATHS environment variables are set to absolute paths that exist and contain valid rule files. The server will silently skip directories that are empty or inaccessible.
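Because the server silently skips empty or inaccessible directories, a preflight check run before starting it makes the problem visible. The script below is an added example, not part of the security-detections-mcp project; the function names are hypothetical, and "contains rule files" is approximated as "holds at least one file".

```shell
#!/bin/sh
# Added example: preflight check for the path variables this page lists.
# Sets PROBLEMS to the number of bad entries; returns 0 only when it is zero.

RULE_PATH_VARS="SIGMA_PATHS SPLUNK_PATHS ELASTIC_PATHS KQL_PATHS SUBLIME_PATHS CQL_HUB_PATHS"

report() { echo "preflight: $*" >&2; PROBLEMS=$((PROBLEMS + 1)); }

check_rule_dir() {    # $1 = variable name, $2 = one colon-separated entry
    case "$2" in
        /*) ;;
        *)  report "$1: '$2' is not an absolute path"; return ;;
    esac
    if [ ! -d "$2" ]; then
        report "$1: '$2' does not exist or is not a directory"
    elif [ ! -r "$2" ] || [ ! -x "$2" ]; then
        report "$1: '$2' is not readable by this user"
    # Assumption: "contains rule files" is approximated as "holds at least one file".
    elif [ -z "$(find "$2" -type f 2>/dev/null | head -n 1)" ]; then
        report "$1: '$2' contains no files"
    fi
}

check_detection_paths() {
    PROBLEMS=0
    for name in $RULE_PATH_VARS; do
        eval "value=\${$name-}"        # safe: names come from the fixed list above
        [ -n "$value" ] || continue    # unset: that format is simply not indexed
        old_ifs=$IFS; IFS=:; set -f    # split on ':' without glob expansion
        for entry in $value; do
            IFS=$old_ifs
            check_rule_dir "$name" "$entry"
        done
        IFS=$old_ifs; set +f
    done
    stix=${ATTACK_STIX_PATH-}
    if [ -n "$stix" ]; then
        case "$stix" in
            /*) [ -f "$stix" ] && [ -r "$stix" ] ||
                    report "ATTACK_STIX_PATH: '$stix' is not a readable file" ;;
            *)  report "ATTACK_STIX_PATH: '$stix' is not an absolute path" ;;
        esac
    fi
    [ "$PROBLEMS" -eq 0 ]
}
```

Source the file in the shell where the variables are exported and call check_detection_paths; each bad entry is reported on stderr with the variable it came from.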
Hosted endpoint returns 401 Unauthorized
Check that your bearer token starts with 'sdmcp_' and is passed exactly as shown. Tokens are case-sensitive. If the token has expired, request a new one from the hosted platform.
MITRE ATT&CK lookups return no results
The ATTACK_STIX_PATH must point to a valid enterprise-attack.json file downloaded from the MITRE CTI repository (https://github.com/mitre/cti). Ensure the file is readable and the path is absolute.
Frequently Asked Questions about Security Detections
What is Security Detections?
Security Detections is a Model Context Protocol (MCP) server built to help defenders do detection engineering harder and smarter. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Security Detections?
Install via npm with the command: npx -y security-detections-mcp. Then add the server configuration to your AI client's JSON config file (e.g., claude_desktop_config.json or .cursor/mcp.json).
Which AI clients work with Security Detections?
Security Detections works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Security Detections free to use?
Yes, Security Detections is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
Security Detections Alternatives — Similar Security Servers
Looking for alternatives to Security Detections? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6k An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0k A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9k HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7k Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k 754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k 🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u