What it does
Falcon-mcp is an MCP server that integrates CrowdStrike Falcon capabilities into AI agent workflows. It provides modular access to security operations including threat detection analysis, intelligence research, host and endpoint management, firewall administration, vulnerability assessment, and Real Time Response (RTR) for endpoint triage. Agents interact with 16+ modules spanning cloud security, identity protection, SIEM querying, and more.
Who it's for
Security operations teams automating incident response, threat analysts building agentic investigation workflows, and platform engineers integrating Falcon into security orchestration systems.
Common use cases
- Analyze detections to understand attack activity and malware behavior
- Research threat actors, IOCs, and threat intelligence reports
- Query endpoint inventory and discover unmanaged assets
- Execute read-only forensic commands on endpoints via Real Time Response
- Query security events in Next-Gen SIEM using CQL
- Assess vulnerabilities in Kubernetes clusters and serverless functions
- Manage firewall rules and custom behavioral detection rules
Setup pitfalls
- Requires CrowdStrike Falcon API credentials (FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_BASE_URL); each module requires specific API scopes
- Public preview status: features and module availability may change before the 1.0 release
- Writes to local filesystem for state and configuration; verify directory permissions before deploying
- No passing CI; module and integration testing is the caller's responsibility