Open Source · Apache 2.0

RUN IT LOCALLY OR HOSTED

The Security Detections MCP server gives your AI assistant direct access to 8,000+ detection rules, 172 threat actors, and procedure-level coverage analysis. Works with Claude Code, VS Code, Cursor, and any MCP-compatible client.

Get Hosted Token Clone Repository npm Package

New · Public Beta

HOSTED MCP — ZERO SETUP

Skip the local install. Create an account, generate a token, paste one URL into your MCP client, and start querying. Always in sync with the latest detection content.

SIGN IN & GENERATE TOKEN

Sign in with email or GitHub, then visit /account/tokens. Click Generate, name your token (e.g., "Claude Desktop — laptop"), and copy it — it's shown exactly once.

FREE TIER

200 calls/day · all read-only tools · all 8,000+ detections

INSTALL IN ONE CLICK

Click the button for your client. Replace sdmcp_YOUR_TOKEN_HERE with the token you just generated (or paste it when the client prompts).

Claude Code (CLI one-liner)

Terminalbash

claude mcp add --transport http security-detections https://detect.michaelhaag.org/api/mcp/mcp --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"

Claude Desktop (via mcp-remote proxy)

Claude Desktop doesn't speak remote HTTP natively yet — use mcp-remote to bridge stdio to HTTP.

~/Library/Application Support/Claude/claude_desktop_config.jsonjson

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://detect.michaelhaag.org/api/mcp/mcp",
        "--header",
        "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
      ]
    }
  }
}

OpenAI Codex (CLI)

Terminalbash

export SDMCP_TOKEN="sdmcp_YOUR_TOKEN_HERE" && codex mcp add security-detections --url https://detect.michaelhaag.org/api/mcp/mcp --bearer-token-env-var SDMCP_TOKEN

Persist SDMCP_TOKEN in your shell profile so Codex can read it in future sessions.

Or edit ~/.codex/config.toml:

~/.codex/config.tomltoml

[mcp_servers.security-detections]
url = "https://detect.michaelhaag.org/api/mcp/mcp"
bearer_token_env_var = "SDMCP_TOKEN"

Verify with curl

Terminalbash

curl -X POST https://detect.michaelhaag.org/api/mcp/mcp -H "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE" -H "Accept: application/json, text/event-stream" -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

ASK YOUR AI

Try these prompts in the client you just configured:

"What's our coverage against APT29?"

"Identify gaps for ransomware and suggest missing detections"

"Generate a Navigator layer for our Sigma coverage"

~25 tools are exposed on the hosted endpoint: search, list by MITRE technique/tactic/CVE/process, coverage summary, gap analysis, actor profiles, Navigator layer export. Stateful tools (knowledge graph, dynamic tables, custom templates) are local-only for now.

QUICK START — LOCAL

Full 81-tool experience with your own detection repos. Up and running in under 10 minutes.

PREREQUISITES

Node.js 20+, npm 9+, and git. That's it.

Terminal

node --version   # v20+
npm --version    # 9+
git --version    # any recent

DOWNLOAD DETECTION CONTENT

Clone the detection repos you want to index. Start with Sigma if you're unsure — it's the most portable.

Terminalbash

mkdir -p detections && cd detections

# Sigma rules (~3,000+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/SigmaHQ/sigma.git
cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..

# Splunk ESCU (~2,000+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/splunk/security_content.git
cd security_content && git sparse-checkout set detections stories && cd ..

# Elastic (~1,500+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/elastic/detection-rules.git
cd detection-rules && git sparse-checkout set rules && cd ..

# KQL hunting queries (~400+)
git clone --depth 1 \
  https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp

# Sublime Security (~900+)
git clone --depth 1 --filter=blob:none --sparse \
  https://github.com/sublime-security/sublime-rules.git
cd sublime-rules && git sparse-checkout set detection-rules && cd ..

# CrowdStrike CQL Hub (~139+)
git clone --depth 1 \
  https://github.com/ByteRay-Labs/Query-Hub.git cql-hub

# MITRE ATT&CK STIX data (172 actors, 691 techniques, 784 software)
git clone --depth 1 \
  https://github.com/mitre-attack/attack-stix-data.git

cd ..

CONFIGURE YOUR CLIENT

Pick your IDE and add the MCP config. Replace paths with your actual locations.

Claude Code

Terminalbash

claude mcp add security-detections \
  -e SIGMA_PATHS="/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting" \
  -e SPLUNK_PATHS="/path/to/security_content/detections" \
  -e ELASTIC_PATHS="/path/to/detection-rules/rules" \
  -e KQL_PATHS="/path/to/kql-bertjanp" \
  -e SUBLIME_PATHS="/path/to/sublime-rules/detection-rules" \
  -e CQL_HUB_PATHS="/path/to/cql-hub/queries" \
  -e STORY_PATHS="/path/to/security_content/stories" \
  -e ATTACK_STIX_PATH="/path/to/attack-stix-data/enterprise-attack/enterprise-attack.json" \
  -- npx -y security-detections-mcp

Cursor IDE

~/.cursor/mcp.jsonjson

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "/path/to/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detection-rules/rules",
        "KQL_PATHS": "/path/to/kql-bertjanp",
        "SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
        "CQL_HUB_PATHS": "/path/to/cql-hub/queries",
        "STORY_PATHS": "/path/to/security_content/stories",
        "ATTACK_STIX_PATH": "/path/to/attack-stix-data/enterprise-attack/enterprise-attack.json"
      }
    }
  }
}

VS Code

~/.vscode/mcp.jsonjson

{
  "servers": {
    "security-detections": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": {
        "SIGMA_PATHS": "/path/to/sigma/rules,/path/to/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "/path/to/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detection-rules/rules",
        "KQL_PATHS": "/path/to/kql-bertjanp",
        "SUBLIME_PATHS": "/path/to/sublime-rules/detection-rules",
        "CQL_HUB_PATHS": "/path/to/cql-hub/queries",
        "STORY_PATHS": "/path/to/security_content/stories",
        "ATTACK_STIX_PATH": "/path/to/attack-stix-data/enterprise-attack/enterprise-attack.json"
      }
    }
  }
}

ASK YOUR FIRST QUESTION

Open your AI client and try one of these prompts:

"What's our coverage against APT29?"

"Show me all detections for T1059.001 PowerShell"

"Compare Sigma vs Splunk coverage for credential access"

"What procedures does T1003.001 LSASS Memory cover?"

81 TOOLS

The MCP server exposes these capabilities to your AI assistant.

SEARCH & BROWSE

▶

search_detections

Full-text search across all 8,000+ detection rules

▶

list_by_mitre

Get all detections for a MITRE technique ID

▶

get_detection

Full detection rule with query, metadata, and references

▶

list_sources

Browse detections by source (Sigma, Splunk, Elastic...)

▶

list_by_severity

Filter by critical, high, medium, low

COVERAGE ANALYSIS

▶

coverage_by_tactic

Heatmap of detection coverage across all 14 tactics

▶

coverage_gaps

Find uncovered MITRE techniques — prioritized by risk

▶

compare_sources

Cross-source coverage comparison for a topic or technique

▶

analyze_procedure_coverage

Procedure-level breakdown: which behaviors are actually detected

▶

generate_navigator_layer

Export ATT&CK Navigator JSON layers

THREAT ACTORS

▶

analyze_actor_coverage

Coverage % against a specific APT group

▶

list_actors

Browse all 172 MITRE ATT&CK threat actors

▶

compare_actor_coverage

Side-by-side comparison of multiple actors

▶

get_actor_profile

Full dossier: description, aliases, techniques, software

INTELLIGENCE

▶

analyze_threat_report

Extract TTPs from a threat report, map to ATT&CK

▶

search_by_cve

Find detections targeting specific CVEs

▶

search_by_process

Find detections monitoring a specific process name

▶

compare_procedure_coverage

Cross-source matrix of procedure coverage

+ 60 more tools for Sigma, Splunk, Elastic, KQL, Sublime, and CrowdStrike CQL specific operations

MCP vs WEB APP

LOCAL MCP

✓ 81 tools — full power, no restrictions
✓ Works in Claude Code, Cursor, VS Code
✓ Your data stays local — nothing leaves your machine
✓ Unlimited queries, no rate limits
✓ Use any AI model your client supports
✓ Write custom rules and index immediately
— Requires local setup (~10 min)
— Need to manually update detection repos

WEB APP

✓ Zero setup — just open your browser
✓ Always up-to-date — nightly sync
✓ AI chat with structured data-driven responses
✓ Visual coverage dashboards and heatmaps
✓ Share with team members — no install required
✓ Threat report URL analysis
— Free tier: basic AI models, 20 chats/day
— Full tool set via AI chat, not direct calls

Use both. The MCP server is the power tool. The web app is for quick lookups, sharing, and when you don't have your IDE open.