Back to Browse
Using
Free
Server data from the Official MCP Registry
Connects AI agents with CrowdStrike Falcon for security analysis and automation.
About
Connects AI agents with CrowdStrike Falcon for security analysis and automation.
Security Report
5.2
Moderate5.2Moderate RiskThe falcon-mcp server is a legitimate CrowdStrike-maintained MCP integration with well-structured authentication via OAuth2 API credentials. The codebase demonstrates good security practices with proper input sanitization, error handling, and no hardcoded secrets. However, there are several code quality concerns including incomplete error handling, broad exception catches, and potential information disclosure through verbose logging that prevent a higher score. Supply chain analysis found 2 known vulnerabilities in dependencies (0 critical, 1 high severity). Package verification found 1 issue.
4 files analyzed · 9 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Permissions Required
This plugin requests these system permissions. Most are normal for its category.
What You'll Need
Set these up before or after installing:
CrowdStrike API client IDRequired
Environment variable: FALCON_CLIENT_ID
CrowdStrike API client secretRequired
Environment variable: FALCON_CLIENT_SECRET
CrowdStrike API region URL
Environment variable: FALCON_BASE_URL
Child CID for Flight Control (MSSP) support
Environment variable: FALCON_MEMBER_CID
Comma-separated list of modules to enable
Environment variable: FALCON_MCP_MODULES
Transport protocol to use
Environment variable: FALCON_MCP_TRANSPORT
Enable debug logging
Environment variable: FALCON_MCP_DEBUG
Host to bind to for HTTP transports
Environment variable: FALCON_MCP_HOST
Port to listen on for HTTP transports
Environment variable: FALCON_MCP_PORT
Additional information to include in the User-Agent comment section
Environment variable: FALCON_MCP_USER_AGENT_COMMENT
Enable stateless HTTP mode for scalable deployments
Environment variable: FALCON_MCP_STATELESS_HTTP
API key for HTTP transport authentication (x-api-key header)Required
Environment variable: FALCON_MCP_API_KEY
How to Install
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-crowdstrike-falcon-mcp": {
"env": {
"FALCON_BASE_URL": "your-falcon-base-url-here",
"FALCON_MCP_HOST": "your-falcon-mcp-host-here",
"FALCON_MCP_PORT": "your-falcon-mcp-port-here",
"FALCON_CLIENT_ID": "your-falcon-client-id-here",
"FALCON_MCP_DEBUG": "your-falcon-mcp-debug-here",
"FALCON_MEMBER_CID": "your-falcon-member-cid-here",
"FALCON_MCP_API_KEY": "your-falcon-mcp-api-key-here",
"FALCON_MCP_MODULES": "your-falcon-mcp-modules-here",
"FALCON_CLIENT_SECRET": "your-falcon-client-secret-here",
"FALCON_MCP_TRANSPORT": "your-falcon-mcp-transport-here",
"FALCON_MCP_STATELESS_HTTP": "your-falcon-mcp-stateless-http-here",
"FALCON_MCP_USER_AGENT_COMMENT": "your-falcon-mcp-user-agent-comment-here"
},
"args": [
"falcon-mcp"
],
"command": "uvx"
}
}
}Documentation
View on GitHubFrom the project's GitHub README.
falcon-mcp
falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.
[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.
Documentation
Full docs are available at developer.crowdstrike.com/falcon-mcp.
Modules
| Module | Description |
|---|---|
| Core | Basic connectivity and system information |
| Case Management | Case lifecycle management, evidence attachment, tagging, and templates |
| Cloud Security | Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, and suppression rules |
| Correlation Rules | Search, create, update, and manage NG-SIEM correlation rules |
| Custom IOA | Create and manage Custom IOA behavioral detection rules and rule groups |
| Data Protection | Search Data Protection classifications, policies, and content patterns |
| Detections | Find and analyze detections to understand malicious activity |
| Discover | Search application inventory and discover unmanaged assets |
| Exclusions | Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions |
| Firewall Management | Search and manage firewall rules and rule groups |
| Host Groups | Search, create, update, and delete host groups; manage group membership |
| Hosts | Manage and query host/device information |
| Identity Protection | Entity investigation and identity protection analysis |
| Intel | Research threat actors, IOCs, and intelligence reports |
| IOC | Search, create, and remove custom indicators of compromise |
| NGSIEM | Execute CQL queries against Next-Gen SIEM |
| Policies | Search, create, update, and delete prevention, sensor update, firewall, device control, response, and content update policies; manage host-group assignment, enable/disable, and precedence |
| Quarantine | Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files |
| Real Time Response | Audit, summarize, and run read-only RTR triage workflows |
| Scheduled Reports | Manage scheduled reports and download report files |
| Sensor Usage | Access and analyze sensor usage data |
| Serverless | Search for vulnerabilities in serverless functions |
| Shield | SaaS security posture, checks, alerts, and app inventory |
| Spotlight | Manage and analyze vulnerability data and security assessments |
See the Module Overview for required API scopes, available tools, and FQL resources.
Quick Start
Install
Using uv (recommended)
uv tool install falcon-mcp
Using pip
pip install falcon-mcp
Configure
Set the required environment variables (or use a .env file — see the Configuration Guide):
export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"
Run
falcon-mcp
See the Getting Started guide for full installation and configuration details.
Editor Integration
Using uvx (recommended)
{
"mcpServers": {
"falcon-mcp": {
"command": "uvx",
"args": [
"--env-file",
"/path/to/.env",
"falcon-mcp"
]
}
}
}
With Module Selection
{
"mcpServers": {
"falcon-mcp": {
"command": "uvx",
"args": [
"--env-file",
"/path/to/.env",
"falcon-mcp",
"--modules",
"detections,hosts,intel"
]
}
}
}
Docker
{
"mcpServers": {
"falcon-mcp-docker": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--env-file",
"/full/path/to/.env",
"quay.io/crowdstrike/falcon-mcp:latest"
]
}
}
}
See the Usage guide for all command line options, module configuration, and library usage.
Container Usage
# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest
# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest
# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0
See the Docker Deployment guide for building locally, custom ports, and advanced configurations.
Dynamic Mode
Running many modules at once inflates the context window every AI client must hold. Dynamic mode
replaces the full tool surface with three tools — falcon_list_enabled_modules to see which
modules are loaded, falcon_search_tools to discover the right tool on demand, and
falcon_execute_tool to run it — so agents only load the schemas they actually need.
falcon-mcp --dynamic
# or: FALCON_MCP_DYNAMIC=true
See the Dynamic Mode guide for the full discover → execute workflow and trade-offs.
Deployment Options
Contributing
# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras
# Run tests
uv run pytest
[!IMPORTANT] This project uses Conventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.
Developer Documentation
- Documentation Guide: Architecture and maintenance guide for the documentation
- Module Development Guide: Instructions for implementing new modules
- Resource Development Guide: Instructions for implementing resources
- End-to-End Testing Guide: Guide for running and understanding E2E tests
- Integration Testing Guide: Guide for running integration tests with real API calls
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
This is a community-driven, open source project. While it is not an official CrowdStrike product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.
For more information, please see our SUPPORT file.
Reviews
No reviews yet
Be the first to review this server!
More Developer Tools MCP Servers
Fetch
Freeby Modelcontextprotocol · Developer Tools
Web content fetching and conversion for efficient LLM usage
80.0K
Stars
4
Installs
5.3
Security
No ratings yet
Local
Git
Freeby Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
80.0K
Stars
6
Installs
6.5
Security
No ratings yet
Local
Toleno
Freeby Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
137
Stars
521
Installs
8.0
Security
4.8
Local