Skip to main content
Glama
CrowdStrike

CrowdStrike Falcon MCP Server

Official
by CrowdStrike

CrowdStrike Logo (Light) CrowdStrike Logo (Dark)

falcon-mcp

PyPI version PyPI - Python Version License: MIT MCP Registry GitHub MCP Gemini CLI Extension

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.

IMPORTANT

🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Documentation

Full docs are available at developer.crowdstrike.com/falcon-mcp.

Related MCP server: ComplianceCow MCP Server

Modules

Module

Description

Core

Basic connectivity and system information

Case Management

Case lifecycle management, evidence attachment, tagging, and templates

Cloud Security

Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, suppression rules, cloud risks, and cloud groups

Correlation Rules

Search, create, update, and manage NG-SIEM correlation rules

Custom IOA

Create and manage Custom IOA behavioral detection rules and rule groups

Data Protection

Search Data Protection classifications, policies, and content patterns

Detections

Find and analyze detections to understand malicious activity

Discover

Search application inventory and discover unmanaged assets

Exclusions

Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions

Firewall Management

Search and manage firewall rules and rule groups

Host Groups

Search, create, update, and delete host groups; manage group membership

Hosts

Manage and query host/device information

Identity Protection

Entity investigation and identity protection analysis

Intel

Research threat actors, IOCs, and intelligence reports

IOC

Search, create, and remove custom indicators of compromise

NGSIEM

Execute CQL queries against Next-Gen SIEM

Policies

Search, create, update, and delete prevention, sensor update, firewall, device control, response, and content update policies; manage host-group assignment, enable/disable, and precedence

Quarantine

Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files

Real Time Response

Audit, summarize, and run read-only RTR triage workflows

Recon

Search Falcon Intelligence Recon notifications (recon alerts), monitoring rules, and exposed-data records for dark web, leaked credentials, and typosquatting

Scheduled Reports

Manage scheduled reports and download report files

Sensor Usage

Access and analyze sensor usage data

Serverless

Search for vulnerabilities in serverless functions

Shield

SaaS security posture, checks, alerts, and app inventory

Spotlight

Manage and analyze vulnerability data and security assessments

See the Module Overview for required API scopes, available tools, and FQL resources.

Quick Start

Install

uv tool install falcon-mcp

Using pip

pip install falcon-mcp

Configure

Set the required environment variables (or use a .env file — see the Configuration Guide):

export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"

Run

falcon-mcp

See the Getting Started guide for full installation and configuration details.

Editor Integration

Using uvx (recommended)

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ]
    }
  }
}

With Module Selection

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp",
        "--modules",
        "detections,hosts,intel"
      ]
    }
  }
}

Docker

{
  "mcpServers": {
    "falcon-mcp-docker": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/full/path/to/.env",
        "quay.io/crowdstrike/falcon-mcp:latest"
      ]
    }
  }
}

See the Usage guide for all command line options, module configuration, and library usage.

Container Usage

# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

See the Docker Deployment guide for building locally, custom ports, and advanced configurations.

Dynamic Mode

Running many modules at once inflates the context window every AI client must hold. Dynamic mode replaces the full tool surface with three tools — falcon_list_enabled_modules to see which modules are loaded, falcon_search_tools to discover the right tool on demand, and falcon_execute_tool to run it — so agents only load the schemas they actually need.

falcon-mcp --dynamic
# or: FALCON_MCP_DYNAMIC=true

See the Dynamic Mode guide for the full discover → execute workflow and trade-offs.

Deployment Options

Contributing

# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras

# Run tests
uv run pytest
IMPORTANT

This project usesConventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.

Developer Documentation

Registries

falcon-mcp is published to public MCP catalogs for discovery and one-click setup in compatible clients:

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

This is a community-driven, open source project. While it is not an official CrowdStrike product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.

For more information, please see our SUPPORT file.

A
license - permissive license
-
quality - not tested
B
maintenance

Maintenance

Maintainers
Response time
4wRelease cycle
14Releases (12mo)
Commit activity
Issues opened vs closed

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/CrowdStrike/falcon-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server