Home
Joshua Hiller edited this page May 15, 2026 · 4 revisions

The Falcon MCP connects AI assistants to the CrowdStrike Falcon platform through the Model Context Protocol.
This gives tools like Claude Desktop, VS Code, Gemini CLI, and custom agents direct access to your Falcon environment - enabling AI-powered threat investigation, detection triage, and security operations.
| Title | Description |
|---|---|
| Investigate Threats | Search detections by severity, time range, hostname, or MITRE ATT&CK technique. |
| Analyze Incidents | Retrieve incident details, correlate behaviors, and assess CrowdScores. |
| Query Your Fleet | Find hosts by platform, sensor version, network segment, or containment status. |
| Hunt Vulnerabilities | Pull Spotlight CVE data with ExPRT ratings and remediation priorities. |
| Research Adversaries | Look up threat actors, indicators, and intelligence reports. |
| Monitor Cloud Posture | Search CSPM assets, container images, and Kubernetes workloads. |
| Assess Identity Risk | Investigate entities, analyze timelines, and map relationships. |
| Execute CQL Queries | Run searches against CrowdStrike Next-Gen SIEM. |
| Manage IOCs | Search, create, and remove custom indicators of compromise. |
| Audit Firewall Rules | Search and manage Falcon firewall rule groups. |

Install and run in under 5 minutes:

```
uv tool install falcon-mcp
```

Or run without installing:

```
uvx falcon-mcp
```

Connect to Claude Desktop, VS Code, or any MCP-compatible client:

```json
{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": ["--env-file", "/path/to/.env", "falcon-mcp"]
    }
  }
}
```

You'll need a `.env` file with your CrowdStrike API credentials:

```
FALCON_CLIENT_ID=your-client-id
FALCON_CLIENT_SECRET=your-client-secret
FALCON_BASE_URL=https://api.crowdstrike.com
```

- Local - run as a CLI tool via stdio, SSE, or streamable HTTP
- Docker - pre-built image at `quay.io/crowdstrike/falcon-mcp`
- AWS Bedrock AgentCore - available on the AWS Marketplace
- Google Cloud - deploy to Cloud Run or Vertex AI Agent Engine
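
The `.env` file from the quick start holds a live API client secret, so it is worth checking before an MCP client is pointed at it. The pre-flight check below is an added example, not part of the falcon-mcp project; the function name `check_falcon_env` is an assumption. It confirms the file is not group- or world-accessible, that the three variables are set, that the template placeholders were replaced, and that the base URL uses HTTPS.

```shell
#!/bin/sh
# Added example (not from the falcon-mcp project): pre-flight check for the
# .env file passed to `uvx --env-file`. check_falcon_env is a hypothetical name.

check_falcon_env() {
    env_file=$1
    problems=0

    if [ ! -f "$env_file" ]; then
        echo "not found: $env_file" >&2
        return 2
    fi

    # Characters 5-10 of the ls mode string are the group/other bits.
    # All six must be '-' (mode 0600 or stricter) for a secrets file.
    mode=$(ls -ldL "$env_file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "group/other access is '$mode'; run: chmod 600 $env_file" >&2
        problems=$((problems + 1))
    fi

    # Every variable the quick start lists must be present and non-empty.
    for key in FALCON_CLIENT_ID FALCON_CLIENT_SECRET FALCON_BASE_URL; do
        if ! grep -q "^${key}=." "$env_file"; then
            echo "missing or empty: $key" >&2
            problems=$((problems + 1))
        fi
    done

    # The placeholder values from the template must have been replaced.
    if grep -Eq '^FALCON_CLIENT_ID=your-client-id$|^FALCON_CLIENT_SECRET=your-client-secret$' "$env_file"; then
        echo "template placeholder still present" >&2
        problems=$((problems + 1))
    fi

    # The client secret is sent to this host, so require an https:// URL.
    if grep -q '^FALCON_BASE_URL=' "$env_file" &&
       ! grep -q '^FALCON_BASE_URL=https://' "$env_file"; then
        echo "FALCON_BASE_URL must start with https://" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh check_env.sh /path/to/.env
[ "$#" -eq 0 ] || check_falcon_env "$1"
```

The function returns 0 when the file passes, 1 when any check fails, and 2 when the file does not exist.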
