Skip to main content
Glama
BeardedInfoSec

Picus Security MCP Server

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
PICUS_API_BASENoAPI base URL (default: https://api.picussecurity.com/v1)https://api.picussecurity.com/v1
PICUS_REFRESH_TOKENYesPicus REST API refresh token (required)
PICUS_REQUEST_TIMEOUTNoPer-request timeout in seconds (default: 30)30
PICUS_ENABLE_WRITE_TOOLSNoSet to 'true' to enable write tools (default: false)false
PICUS_TOKEN_LEEWAY_SECONDSNoRefresh access token this many seconds before expiry (default: 120)120

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
picus_list_simulationsA

List simulations with overview data and latest prevention/detection scores.

Paginated via limit (default 25, max 50) and offset. Filters:

  • status: any of RUNNING, STOPPED, COMPLETED, SCHEDULED, "NOT STARTED", "WAITING FOR THE FIRST RUN", FAILED (substring/exact match per API).

  • simulation_name / agent_name / template_name: substring match.

  • agent_id / template_id: exact id match.

  • prevention_result_/detection_result_ gte/lte: score bounds (0-100).

Response includes a pages object with total_count. Scores are 0-100; updated_at is epoch milliseconds.

picus_get_simulationA

Get full detail for one simulation, including its run list.

The simulation_run array lists runs with their string ids; use a run id with picus_get_run_result to fetch that run's prevention/detection results. Timestamps are epoch milliseconds.

picus_get_run_resultA

Get prevention + detection results for a specific simulation run.

Returns security scores plus threat counts (blocked/not_blocked/ not_tested) and attacker-objective counts. Note the API spells two fields achived_count / unachived_count (sic) — they are returned verbatim. The results block is populated only once the run is completed or stopped; detection_analysis appears only when has_detection_analysis is true. Timestamps are epoch milliseconds.

picus_get_latest_run_resultA

Get prevention + detection results for a simulation's most recent run.

Same shape as picus_get_run_result. Convenient when you don't have a specific run id.

picus_get_run_threatsA

List a run's results broken down by threat -> objective -> action.

Each threat and action carries a prevention status (e.g. blocked / unblocked / achieved) and detection analysis (log_result / alert_result per integration). Paginated via limit (default 10, max 50) and offset; response includes a pages object with total_count.

picus_get_action_alertsA

List alerts raised by a SIEM/EDR integration for one action (latest run).

Path is scoped to the latest run. Returns alerts with name, source, log_type, and time (epoch milliseconds). Paginated via limit (default 100, max 1000) and offset. node_id disambiguates an action used multiple times within a threat; if omitted, the first node is used. Alerts only appear when the simulation is enriched with an integration that has alert analysis enabled.

picus_get_run_frameworksB

Get a run's results mapped to MITRE ATT&CK and Unified Kill Chain.

Returns the framework-mapped prevention/detection view for the given run. (The exact response schema is not published in the Picus static docs; the raw API payload is returned as-is.)

picus_get_latest_run_frameworksB

Get the latest run's MITRE ATT&CK / Unified Kill Chain framework mapping.

Same as picus_get_run_frameworks but for the most recent run. Raw API payload is returned as-is.

picus_search_threatsA

Search the Picus Threat Library with rich filters.

Filters (all optional): severities (Low/Medium/High), attack_category_ids, attack_module_ids, release_date_gte/lte (epoch), is_predefined, affected_products, affected_os (Windows/Linux/macOS), unified_kill_chains, threat_actors, mitre_attack (tactics), attacker_objectives. Paginated via limit/offset; response includes a pages object with total_count.

Array filters are sent comma-separated. Each threat includes framework mappings and its objective/action flows.

picus_get_threatA

Get full detail for a single threat from the Threat Library.

Includes description, severity, affected OS/products, applicable agent types, threat actors, framework mappings (MITRE ATT&CK / Unified Kill Chain), and the objective -> action flows.

picus_get_threat_actionA

Get full detail for a single action from the Threat Library.

Includes affected platforms, attack category/module, framework mappings (frameworks.mitre / frameworks.ukc), module-based process details, and keyword queries. created_at/updated_at/release_date are epoch milliseconds.

picus_list_threat_actionsA

List Threat Library actions with light metadata (id, name, updated_at).

NOTE: this endpoint is served under /v2. Paginated via limit (default 100, max 100) and offset; filter by updated_at_gte/lte (epoch). Response includes a pages object with total_count.

picus_list_threat_actorsA

List all threat actors in the Threat Library (id, name, aka aliases).

picus_list_templatesA

List threat templates (dynamic and static).

Filters: category_name (e.g. "My Templates", "Emerging Threats", "Suggested by Picus Labs") and content_type ("dynamic" for rule-based or "static" for threat-list-based). Paginated via limit/offset. Each template reports threat_count, agent_types, and content_updated_at (epoch ms).

picus_get_templateA

Get full detail for one threat template.

Static templates return their threats list; dynamic templates also return a rules array describing the filter criteria. content_updated_at is 0 for static templates and epoch ms for dynamic ones.

picus_list_agentsA

List all Picus simulation agents (peers).

Returns each agent's id, name, status (alive/dead), type, version, platform, and created_at (epoch milliseconds). Use an agent id with picus_get_agent for full detail, or when creating a simulation.

picus_get_agentA

Get detailed configuration for one simulation agent by id.

Includes IP/NAT IP, whether an update is needed, and the attack modules enabled for the agent. created_at is epoch milliseconds.

picus_list_integrationsA

List SIEM/EDR integrations with health status.

Each integration reports id, name, type (SIEM/EDR), health_status (healthy flag plus an error object when unhealthy), and the connected integration agent. Timestamps are epoch milliseconds.

picus_list_integration_agentsA

List integration agents (the collectors that connect Picus to SIEM/EDR).

Reports id, name, status (Alive/Dead), whether installed, and whether the agent token has expired. Timestamps are epoch milliseconds.

picus_list_mitigation_devicesA

List vendor-based mitigation devices (device_id, device_name).

Served under /v2. Use a device_id with picus_get_mitigation_device_stats or picus_get_device_signatures.

picus_get_mitigation_device_statsA

Get effectiveness stats for one mitigation device.

Returns blocked_count, not_blocked_count, total_count, and an effectiveness score. Served under /v2.

picus_get_device_signaturesA

Get vendor prevention signature suggestions for a device and actions.

action_ids is REQUIRED (max 10 ids). Returns signatures with signature_id, name, vendor_severity, product_platform/version, etc. — the vendor signatures that mitigate the given actions on this device.

picus_list_not_blocked_actionsA

List not-blocked actions with generic mitigation suggestions.

Returns each not-blocked action with its associated signature_names and signature_descriptions (generic, non-device-specific recommendations). Filters: threat_or_action_name (substring), threat_ids, threat_severities, attack_modules, assessment_id_list, is_all_assessments, run_id. Paginated via limit/offset; response includes a pagination object with total_count.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/BeardedInfoSec/picus-security-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server