The RAD Security MCP Server provides AI-powered security insights and management for Kubernetes and cloud environments.
Core Capabilities:
Container Security: List and search containers with filtering, analyze process trees and runtime behavior, get runtime baselines, and perform LLM-powered analysis of container behavior
Kubernetes Management: List clusters and resources (pods, deployments, services, etc.), inspect resource manifests, and detect misconfigurations with policy listings
Identity & Access Management: List identities (service accounts, users, groups) across clusters, get identity details, and audit pod shell access logs
Cloud Security: Inventory cloud resources across AWS, GCP, Azure, and Linode with compliance monitoring and filtering by type, account, and status
Image Security: List container images, retrieve SBOMs, analyze vulnerabilities filtered by severity, and identify top vulnerable images
Network Security: Monitor HTTP requests with PII detection, track network connections between workloads, and analyze connection patterns
Threat Detection: List and analyze threat vectors with filtering by namespace, cluster, resource, severity, type, and status
Security Findings Management: List findings (misconfigurations, threats, runtime alerts, audit anomalies) and update their status (open, closed, ignored)
CVE Database: Search CVEs by vendor/product, view detailed CVE information, list vendors and products, and access the latest 30 CVEs with CAPEC, CWE, and CPE expansions
Inbox Management: List inbox items with flexible filtering, get item details, and mark items as false positives with reasons
Customization: Filter toolkits using INCLUDE_TOOLKITS or EXCLUDE_TOOLKITS environment variables across 15 toolkit categories, with multiple deployment options (npm, Docker with Streamable HTTP or SSE).
Note: Authentication with RAD_SECURITY credentials is required for most operations, except CVE database access and misconfiguration policy listing.
Enables runtime security analysis of containers, including process behavior monitoring, baselines, and container inventory management.
Provides security insights for Kubernetes environments, including cluster inventory, container details, Kubernetes resource monitoring, and identifying security vulnerabilities in Kubernetes objects.
Required runtime environment for the MCP server, with version 20.x or higher needed for operation.
Used for package installation and management of the MCP server.
Provides audit capabilities to track and monitor shell access to pods.
RAD Security MCP Server
A Model Context Protocol (MCP) server for RAD Security, providing AI-powered security insights for Kubernetes and cloud environments.
Installation
Related MCP server: awsome_kali_MCPServers
Usage
Prerequisites
Node.js 20.x or higher
Environment Variables
The following environment variables are required to use the MCP server with Rad Security:
Optional environment variables:
Optional: Filter Toolkits
You can control which toolkits are exposed by the MCP server using these environment variables:
INCLUDE_TOOLKITS: Comma-separated list of toolkits to include (only these will be enabled)EXCLUDE_TOOLKITS: Comma-separated list of toolkits to exclude (all except these will be enabled)
Available toolkits:
containers- Container inventory operationsclusters- Kubernetes cluster operationsidentities- Identity management operationsaudit- Audit log operationscloud_inventory- Cloud resource inventoryimages- Container image operationskubeobject- Kubernetes resource operationsmisconfigs- Misconfiguration detectionruntime- Runtime analysis operationsruntime_network- Network traffic analysisthreats- Threat vector operationsfindings- Security findings operationscves- CVE database operationsinbox- Inbox item operationsworkflows- Workflow execution operationsknowledge_base- Knowledge base search operationsradql- Query interface for rad data platform
Examples:
Note: If INCLUDE_TOOLKITS is set, EXCLUDE_TOOLKITS is ignored.
Operations Without Authentication
You can also use few operations without authentication:
List CVEs
Get details of a specific CVE
Get latest 30 CVEs
List Kubernetes resource misconfiguration policies
In cursor IDE
It's quite problematic to set ENV variables in cursor IDE.
So, you can use the following start.sh script to start the server.
Please set the ENV variables in the start.sh script first!
In Claude Desktop
You can use the following config to start the server in Claude Desktop.
To filter toolkits, add INCLUDE_TOOLKITS or EXCLUDE_TOOLKITS to the env:
As a Docker Container - with Streamable HTTP
With toolkit filters:
As a Docker Container - with SSE (deprecated)
Note: The SSE transport is now deprecated in favor of Streamable HTTP. It's still supported for backward compatibility, but it's recommended to use Streamable HTTP instead.
Features
Account Inventory
List clusters and their details*
Containers Inventory
List containers and their details*
Security Findings
List and analyze security findings*
Runtime Security
Get process trees of running containers*
Get runtime baselines of running containers*
Analyze process behavior of running containers*
Network Security
Monitor HTTP requests*
Track network connections*
Analyze network patterns*
Identity and Access
List identities*
Get identity details*
Audit
List who shelled into a pod*
Cloud Security
List and monitor cloud resources*
Get resource details and compliance status*
Images
Get SBOMs*
List images and their vulnerabilities*
Get top vulnerable images*
Kubernetes Objects
Get details of a specific Kubernetes resource*
List Kubernetes resources*
List Kubernetes resource misconfiguration policies*
Threat Vector
List threat vectors*
Get details of a specific threat vector*
CVEs
List CVEs
Get details of a specific CVE
Get latest 30 CVEs
RadQL (Advanced Querying)
List available data types for querying (containers, findings, kubernetes_resources, etc.)*
Get schema/metadata for specific data types*
List possible values for filter fields*
Execute RadQL queries with filtering, searching, and aggregations*
Build queries programmatically from structured conditions*
Execute multiple queries in parallel*
* - requires authentication and account in Rad Security.
Development
License
MIT License - see the LICENSE file for details