CrowdStrike Falcon MCP Server

178authSTDIOregistry active

Summary

Connects Claude directly to CrowdStrike Falcon's security platform through their REST APIs. You get 15+ modules covering detections, incidents, threat intel, real-time response, vulnerability management, and more. Perfect for automating security workflows where you need Claude to pull detection data, hunt for threats, analyze incidents, or execute response actions. Requires CrowdStrike API credentials with appropriate scopes per module. Currently in public preview, so expect some changes, but it's already functional for building AI-powered security operations and threat analysis workflows.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Vibe Prospecting MCP

Connect Claude to +800M contacts, +150M companies. Find & Enrich leads in chat.

Try For Free →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Vibe Prospecting MCP

Connect Claude to +800M contacts, +150M companies. Find & Enrich leads in chat.

Try For Free →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

falcon-mcp

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Documentation

Full docs are available at developer.crowdstrike.com/falcon-mcp.

Modules

Module	Description
Core	Basic connectivity and system information
Case Management	Case lifecycle management, evidence attachment, tagging, and templates
Cloud Security	Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, and suppression rules
Correlation Rules	Search, create, update, and manage NG-SIEM correlation rules
Custom IOA	Create and manage Custom IOA behavioral detection rules and rule groups
Data Protection	Search Data Protection classifications, policies, and content patterns
Detections	Find and analyze detections to understand malicious activity
Discover	Search application inventory and discover unmanaged assets
Exclusions	Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions
Firewall Management	Search and manage firewall rules and rule groups
Host Groups	Search, create, update, and delete host groups; manage group membership
Hosts	Manage and query host/device information
Identity Protection	Entity investigation and identity protection analysis
Intel	Research threat actors, IOCs, and intelligence reports
IOC	Search, create, and remove custom indicators of compromise
NGSIEM	Execute CQL queries against Next-Gen SIEM
Policies	Search, create, update, and delete prevention, sensor update, firewall, device control, response, and content update policies; manage host-group assignment, enable/disable, and precedence
Quarantine	Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files
Real Time Response	Audit, summarize, and run read-only RTR triage workflows
Scheduled Reports	Manage scheduled reports and download report files
Sensor Usage	Access and analyze sensor usage data
Serverless	Search for vulnerabilities in serverless functions
Shield	SaaS security posture, checks, alerts, and app inventory
Spotlight	Manage and analyze vulnerability data and security assessments

See the Module Overview for required API scopes, available tools, and FQL resources.

Quick Start

Install

Using uv (recommended)

uv tool install falcon-mcp

Using pip

pip install falcon-mcp

Configure

Set the required environment variables (or use a .env file — see the Configuration Guide):

export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"

Run

falcon-mcp

See the Getting Started guide for full installation and configuration details.

Editor Integration

Using `uvx` (recommended)

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ]
    }
  }
}

With Module Selection

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp",
        "--modules",
        "detections,hosts,intel"
      ]
    }
  }
}

Docker

{
  "mcpServers": {
    "falcon-mcp-docker": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/full/path/to/.env",
        "quay.io/crowdstrike/falcon-mcp:latest"
      ]
    }
  }
}

See the Usage guide for all command line options, module configuration, and library usage.

Container Usage

# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

See the Docker Deployment guide for building locally, custom ports, and advanced configurations.

Dynamic Mode

Running many modules at once inflates the context window every AI client must hold. Dynamic mode replaces the full tool surface with three tools — falcon_list_enabled_modules to see which modules are loaded, falcon_search_tools to discover the right tool on demand, and falcon_execute_tool to run it — so agents only load the schemas they actually need.

falcon-mcp --dynamic
# or: FALCON_MCP_DYNAMIC=true

See the Dynamic Mode guide for the full discover → execute workflow and trade-offs.

Deployment Options

Contributing

# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras

# Run tests
uv run pytest

[!IMPORTANT] This project uses Conventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.

Developer Documentation

Documentation Guide: Architecture and maintenance guide for the documentation
Module Development Guide: Instructions for implementing new modules
Resource Development Guide: Instructions for implementing resources
End-to-End Testing Guide: Guide for running and understanding E2E tests
Integration Testing Guide: Guide for running integration tests with real API calls

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

This is a community-driven, open source project. While it is not an official CrowdStrike product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.

For more information, please see our SUPPORT file.

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Vibe Prospecting MCP

Connect Claude to +800M contacts, +150M companies. Find & Enrich leads in chat.

Try For Free →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Configuration

FALCON_CLIENT_ID*secret

CrowdStrike API client ID

FALCON_CLIENT_SECRET*secret

CrowdStrike API client secret

FALCON_BASE_URLdefault: https://api.crowdstrike.com

CrowdStrike API region URL

FALCON_MEMBER_CID

Child CID for Flight Control (MSSP) support

FALCON_MCP_MODULES

Comma-separated list of modules to enable

FALCON_MCP_TRANSPORTdefault: stdio

Transport protocol to use

FALCON_MCP_DEBUGdefault: false

Enable debug logging

FALCON_MCP_HOSTdefault: 127.0.0.1

Host to bind to for HTTP transports

FALCON_MCP_PORTdefault: 8000

Port to listen on for HTTP transports

FALCON_MCP_USER_AGENT_COMMENT

Additional information to include in the User-Agent comment section

FALCON_MCP_STATELESS_HTTPdefault: false

Enable stateless HTTP mode for scalable deployments

FALCON_MCP_API_KEYsecret

API key for HTTP transport authentication (x-api-key header)

falcon-mcp

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Documentation

Full docs are available at developer.crowdstrike.com/falcon-mcp.

Modules

Module	Description
Core	Basic connectivity and system information
Case Management	Case lifecycle management, evidence attachment, tagging, and templates
Cloud Security	Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, and suppression rules
Correlation Rules	Search, create, update, and manage NG-SIEM correlation rules
Custom IOA	Create and manage Custom IOA behavioral detection rules and rule groups
Data Protection	Search Data Protection classifications, policies, and content patterns
Detections	Find and analyze detections to understand malicious activity
Discover	Search application inventory and discover unmanaged assets
Exclusions	Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions
Firewall Management	Search and manage firewall rules and rule groups
Host Groups	Search, create, update, and delete host groups; manage group membership
Hosts	Manage and query host/device information
Identity Protection	Entity investigation and identity protection analysis
Intel	Research threat actors, IOCs, and intelligence reports
IOC	Search, create, and remove custom indicators of compromise
NGSIEM	Execute CQL queries against Next-Gen SIEM
Policies	Search, create, update, and delete prevention, sensor update, firewall, device control, response, and content update policies; manage host-group assignment, enable/disable, and precedence
Quarantine	Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files
Real Time Response	Audit, summarize, and run read-only RTR triage workflows
Scheduled Reports	Manage scheduled reports and download report files
Sensor Usage	Access and analyze sensor usage data
Serverless	Search for vulnerabilities in serverless functions
Shield	SaaS security posture, checks, alerts, and app inventory
Spotlight	Manage and analyze vulnerability data and security assessments

See the Module Overview for required API scopes, available tools, and FQL resources.

Quick Start

Install

Using uv (recommended)

uv tool install falcon-mcp

Using pip

pip install falcon-mcp

Configure

Set the required environment variables (or use a .env file — see the Configuration Guide):

export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"

Run

falcon-mcp

See the Getting Started guide for full installation and configuration details.

Editor Integration

Using `uvx` (recommended)

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ]
    }
  }
}

With Module Selection

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp",
        "--modules",
        "detections,hosts,intel"
      ]
    }
  }
}

Docker

{
  "mcpServers": {
    "falcon-mcp-docker": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/full/path/to/.env",
        "quay.io/crowdstrike/falcon-mcp:latest"
      ]
    }
  }
}

See the Usage guide for all command line options, module configuration, and library usage.

Container Usage

# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

See the Docker Deployment guide for building locally, custom ports, and advanced configurations.

Dynamic Mode

falcon-mcp --dynamic
# or: FALCON_MCP_DYNAMIC=true

See the Dynamic Mode guide for the full discover → execute workflow and trade-offs.

Deployment Options

Contributing

# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras

# Run tests
uv run pytest

[!IMPORTANT] This project uses Conventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.

Developer Documentation

Documentation Guide: Architecture and maintenance guide for the documentation
Module Development Guide: Instructions for implementing new modules
Resource Development Guide: Instructions for implementing resources
End-to-End Testing Guide: Guide for running and understanding E2E tests
Integration Testing Guide: Guide for running integration tests with real API calls

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

For more information, please see our SUPPORT file.

CrowdStrike Falcon MCP Server

falcon-mcp

Documentation

Modules

Quick Start

Install

Using uv (recommended)

Using pip

Configure

Run

Editor Integration

Using uvx (recommended)

With Module Selection

Docker

Container Usage

Dynamic Mode

Deployment Options

Contributing

Developer Documentation

License

Support

Configuration

CrowdStrike Falcon MCP Server

falcon-mcp

Documentation

Modules

Quick Start

Install

Using uv (recommended)

Using pip

Configure

Run

Editor Integration

Using uvx (recommended)

With Module Selection

Docker

Container Usage

Dynamic Mode

Deployment Options

Contributing

Developer Documentation

License

Support

Configuration

Related Automation & Workflows MCP Servers

Related Automation & Workflows MCP Servers

Using `uvx` (recommended)

Using `uvx` (recommended)