Velociraptor
Repo to hold mcp server for velociraptor
What is Velociraptor?
Velociraptor is a Model Context Protocol (MCP) server for AI assistants like Claude, Cursor, and VS Code. Its repository description reads: "Repo to hold mcp server for velociraptor".
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Installation
Manual Installation
npx velociraptor
How to Set Up and Use Velociraptor
The Velociraptor MCP Server bridges Velociraptor — the open-source digital forensics and incident response (DFIR) platform — with large language models, enabling natural language queries and intelligent analysis of forensic data. It exposes eight purpose-built tools for authenticating to a Velociraptor instance, querying clients, listing and collecting artifacts, running VQL (Velociraptor Query Language) queries, and retrieving collection results. Security analysts use it to investigate incidents faster by asking questions in plain English instead of writing raw VQL.
Prerequisites
- Python 3.11 or higher
- A running Velociraptor server instance with API access enabled
- A Velociraptor API configuration file (api.config.yaml) generated from your server's admin interface
- An MCP-compatible client such as Claude Desktop or VS Code
- Network connectivity from the machine running the MCP server to the Velociraptor server
Create a Python virtual environment
Isolate the installation to avoid dependency conflicts with other Python projects.
python -m venv .venv
source .venv/bin/activate
# On Windows: .venv\Scripts\activate
Install the Velociraptor MCP server
Install directly from the GitHub repository using pip.
pip install git+https://github.com/socfortress/velociraptor-mcp-server.git
Generate your Velociraptor API config file
From your Velociraptor server's admin interface, generate an api.config.yaml file. This file contains the gRPC endpoint, TLS certificates, and credentials the MCP server uses to authenticate.
# On the Velociraptor server, run:
velociraptor --config /etc/velociraptor/server.config.yaml config api_client \
    --name mcp-client --role reader api.config.yaml
Create a .env configuration file
Create a .env file in your working directory with the path to your api.config.yaml and any optional settings.
# .env
VELOCIRAPTOR_API_KEY=/path/to/api.config.yaml
VELOCIRAPTOR_SSL_VERIFY=false
VELOCIRAPTOR_TIMEOUT=30
MCP_SERVER_HOST=127.0.0.1
MCP_SERVER_PORT=8000
LOG_LEVEL=INFO
Start the MCP server
Run the server using the CLI command. It will start listening on 127.0.0.1:8000 by default.
velociraptor-mcp-server
# Or with custom options:
velociraptor-mcp-server --host 0.0.0.0 --port 8080 --log-level DEBUG
Configure your MCP client
Add the server to your Claude Desktop or other MCP client configuration, pointing to the running HTTP server.
{
  "mcpServers": {
    "velociraptor": {
      "url": "http://127.0.0.1:8000/mcp"
    }
  }
}
Velociraptor Examples
Client configuration (Claude Desktop)
Connect Claude Desktop to a locally running Velociraptor MCP server. Adjust the URL if you changed the host or port.
{
  "mcpServers": {
    "velociraptor": {
      "url": "http://127.0.0.1:8000/mcp"
    }
  }
}
Prompts to try
Use natural language to interact with your Velociraptor DFIR platform through Claude.
- "List all Windows clients currently connected to Velociraptor."
- "Get detailed information about the client with hostname workstation-01."
- "Run a VQL query to find all active network connections on client C.1234567890."
- "Collect the Windows.System.Users artifact from client C.1234567890 and show me the results."
- "List all available Linux artifacts related to network activity."
- "What artifacts can I collect to investigate a potential ransomware infection on a Windows host?"
Troubleshooting Velociraptor
Authentication fails with gRPC connection errors
Verify the path in VELOCIRAPTOR_API_KEY points to a valid api.config.yaml file. If your server uses a self-signed certificate, set VELOCIRAPTOR_SSL_VERIFY=false in your .env file. Check that the Velociraptor server's gRPC port (usually 8001) is accessible from the machine running the MCP server.
CollectArtifactTool returns no results or times out
Artifact collection is asynchronous — the tool returns a flow_id, and you must use GetCollectionResultsTool with that flow_id to retrieve results. Increase max_retries and retry_delay if the client is slow or offline. Check flow status directly in the Velociraptor GUI to confirm the collection completed.
Specific tools are not available or need to be disabled
Use the VELOCIRAPTOR_DISABLED_TOOLS environment variable with a comma-separated list of tool names to disable. Example: VELOCIRAPTOR_DISABLED_TOOLS=CollectArtifactTool,RunVQLQueryTool. This restricts which operations Claude can perform.
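The settings shown in the setup steps and troubleshooting notes decide how exposed this bridge is: VELOCIRAPTOR_SSL_VERIFY=false turns off certificate verification toward the Velociraptor API, --host 0.0.0.0 binds the MCP endpoint on all interfaces, and VELOCIRAPTOR_DISABLED_TOOLS limits what the assistant can run. The following is an added example, not code from the velociraptor-mcp-server project: a Python audit of a .env file for those settings. The false-like values it accepts, the two tools it reports on, and the file-permission check on api.config.yaml are assumptions of this example.

```python
import ipaddress
import os
import stat

# Tools named in the page's VELOCIRAPTOR_DISABLED_TOOLS example; reporting these two is this example's choice.
REPORTED_TOOLS = {"CollectArtifactTool", "RunVQLQueryTool"}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are treated as network-reachable

def audit_env(text):
    """Return (setting, finding) tuples for the contents of a .env file."""
    env, findings = parse_env(text), []
    # Assumption: "false", "0" and "no" all disable verification.
    if env.get("VELOCIRAPTOR_SSL_VERIFY", "").lower() in ("false", "0", "no"):
        findings.append(("VELOCIRAPTOR_SSL_VERIFY", "certificate verification is off"))
    host = env.get("MCP_SERVER_HOST", "127.0.0.1")  # default stated on the page
    if not is_loopback(host):
        findings.append(("MCP_SERVER_HOST", f"MCP endpoint bound to {host}, not loopback"))
    disabled = {t.strip() for t in env.get("VELOCIRAPTOR_DISABLED_TOOLS", "").split(",")}
    for tool in sorted(REPORTED_TOOLS - disabled):
        findings.append(("VELOCIRAPTOR_DISABLED_TOOLS", f"{tool} is available to the assistant"))
    key_path = env.get("VELOCIRAPTOR_API_KEY", "")
    if os.path.isfile(key_path) and os.stat(key_path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("VELOCIRAPTOR_API_KEY", "api.config.yaml is accessible to group/other"))
    return findings

# Constructed sample: the page's .env values plus the 0.0.0.0 bind from its CLI example.
SAMPLE_ENV = """\
VELOCIRAPTOR_API_KEY=/path/to/api.config.yaml
VELOCIRAPTOR_SSL_VERIFY=false
MCP_SERVER_HOST=0.0.0.0
VELOCIRAPTOR_DISABLED_TOOLS=CollectArtifactTool
"""

if __name__ == "__main__":
    print(*audit_env(SAMPLE_ENV), sep="\n")
```

The api.config.yaml check only fires when the path exists on the machine running the audit, since that file holds the client credentials.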
Frequently Asked Questions about Velociraptor
What is Velociraptor?
Velociraptor is a Model Context Protocol (MCP) server; its repository description is "Repo to hold mcp server for velociraptor". It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Velociraptor?
Follow the installation instructions on the Velociraptor GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Velociraptor?
Velociraptor works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Velociraptor free to use?
Yes, Velociraptor is open source and available under the AGPL-3.0 license. You can use it freely in both personal and commercial projects.
Velociraptor Alternatives — Similar Security Servers
Looking for alternatives to Velociraptor? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6k. An open-source Agent-first Identity and Access Management (IAM) / LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0k. A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9k. HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7k. Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k. 754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k. hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u