Open Source · Apache 2.0

RUN IT LOCALLY

The Security Detections MCP server gives your AI assistant direct access to 8,000+ detection rules, 172 threat actors, and procedure-level coverage analysis. Works with Claude Code, VS Code, Cursor, and any MCP-compatible client.

QUICK START

Up and running in under 10 minutes. No account required.

1. PREREQUISITES

Node.js 20+, npm 9+, and git. That's it.

Terminal
node --version   # v20+
npm --version    # 9+
git --version    # any recent

2. DOWNLOAD DETECTION CONTENT

Clone the detection repos you want to index. Start with Sigma if you're unsure — it's the most portable.

Terminal (bash)
mkdir -p detections && cd detections

# Sigma rules (~3,000+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/SigmaHQ/sigma.git
cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..

# Splunk ESCU (~2,000+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/splunk/security_content.git
cd security_content && git sparse-checkout set detections stories && cd ..

# Elastic (~1,500+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/elastic/detection-rules.git
cd detection-rules && git sparse-checkout set rules && cd ..

# KQL hunting queries (~400+)
git clone --depth 1 \
  https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp

# Sublime Security (~900+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/sublime-security/sublime-rules.git
cd sublime-rules && git sparse-checkout set detection-rules && cd ..

# CrowdStrike CQL Hub (~139+)
git clone --depth 1 \
  https://github.com/ByteRay-Labs/Query-Hub.git cql-hub

# MITRE ATT&CK STIX data (172 actors, 691 techniques, 784 software)
git clone --depth 1 \
  https://github.com/mitre-attack/attack-stix-data.git

cd ..

3. CONFIGURE YOUR CLIENT

Pick your IDE and add the MCP config. Replace paths with your actual locations.

Claude Code
Terminal (bash)
claude mcp add security-detections \
  -e SIGMA_PATHS="/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting" \
  -e SPLUNK_PATHS="/path/to/security_content/detections" \
  -e ELASTIC_PATHS="/path/to/detection-rules/rules" \
  -e KQL_PATHS="/path/to/kql-bertjanp" \
  -e SUBLIME_PATHS="/path/to/sublime-rules/detection-rules" \
  -e CQL_HUB_PATHS="/path/to/cql-hub/queries" \
  -e STORY_PATHS="/path/to/security_content/stories" \
  -e ATTACK_STIX_PATH="/path/to/attack-stix-data/enterprise-attack/enterprise-attack.json" \
  -- npx -y security-detections-mcp
Cursor IDE
~/.cursor/mcp.json
{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "/path/to/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detection-rules/rules",
        "KQL_PATHS": "/path/to/kql-bertjanp",
        "SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
        "CQL_HUB_PATHS": "/path/to/cql-hub/queries",
        "STORY_PATHS": "/path/to/security_content/stories",
        "ATTACK_STIX_PATH": "/path/to/attack-stix-data/enterprise-attack/enterprise-attack.json"
      }
    }
  }
}
VS Code
~/.vscode/mcp.json
{
  "servers": {
    "security-detections": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "/path/to/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detection-rules/rules",
        "KQL_PATHS": "/path/to/kql-bertjanp",
        "SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
        "CQL_HUB_PATHS": "/path/to/cql-hub/queries",
        "STORY_PATHS": "/path/to/security_content/stories",
        "ATTACK_STIX_PATH": "/path/to/attack-stix-data/enterprise-attack/enterprise-attack.json"
      }
    }
  }
}

4. ASK YOUR FIRST QUESTION

Open your AI client and try one of these prompts:

"What's our coverage against APT29?"
"Show me all detections for T1059.001 PowerShell"
"Compare Sigma vs Splunk coverage for credential access"
"What procedures does T1003.001 LSASS Memory cover?"

81 TOOLS

The MCP server exposes these capabilities to your AI assistant.

SEARCH & BROWSE

search_detections
Full-text search across all 8,000+ detection rules
list_by_mitre
Get all detections for a MITRE technique ID
get_detection
Full detection rule with query, metadata, and references
list_sources
Browse detections by source (Sigma, Splunk, Elastic...)
list_by_severity
Filter by critical, high, medium, low

COVERAGE ANALYSIS

coverage_by_tactic
Heatmap of detection coverage across all 14 tactics
coverage_gaps
Find uncovered MITRE techniques — prioritized by risk
compare_sources
Cross-source coverage comparison for a topic or technique
analyze_procedure_coverage
Procedure-level breakdown: which behaviors are actually detected
generate_navigator_layer
Export ATT&CK Navigator JSON layers

THREAT ACTORS

analyze_actor_coverage
Coverage % against a specific APT group
list_actors
Browse all 172 MITRE ATT&CK threat actors
compare_actor_coverage
Side-by-side comparison of multiple actors
get_actor_profile
Full dossier: description, aliases, techniques, software

INTELLIGENCE

analyze_threat_report
Extract TTPs from a threat report, map to ATT&CK
search_by_cve
Find detections targeting specific CVEs
search_by_process
Find detections monitoring a specific process name
compare_procedure_coverage
Cross-source matrix of procedure coverage

+ 60 more tools for Sigma, Splunk, Elastic, KQL, Sublime, and CrowdStrike CQL specific operations

MCP vs WEB APP

LOCAL MCP

  • 81 tools — full power, no restrictions
  • Works in Claude Code, Cursor, VS Code
  • Your data stays local — nothing leaves your machine
  • Unlimited queries, no rate limits
  • Use any AI model your client supports
  • Write custom rules and index immediately
  • Requires local setup (~10 min)
  • Need to manually update detection repos

WEB APP

  • Zero setup — just open your browser
  • Always up-to-date — nightly sync
  • AI chat with structured data-driven responses
  • Visual coverage dashboards and heatmaps
  • Share with team members — no install required
  • Threat report URL analysis
  • Free tier: basic AI models, 20 chats/day
  • Full tool set via AI chat, not direct calls

Use both. The MCP server is the power tool. The web app is for quick lookups, sharing, and when you don't have your IDE open.