falcon-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@falcon-mcpshow recent high severity detections"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.

falcon-mcp
falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.
🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.
Documentation
Full docs are available at developer.crowdstrike.com/falcon-mcp.
Related MCP server: falcon-mcp
Modules
Module | Description |
Core | Basic connectivity and system information |
Case lifecycle management, evidence attachment, tagging, and templates | |
Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, suppression rules, cloud risks, and cloud groups | |
Search, create, update, and manage NG-SIEM correlation rules | |
Create and manage Custom IOA behavioral detection rules and rule groups | |
Search Data Protection classifications, policies, and content patterns | |
Find and analyze detections to understand malicious activity | |
Search application inventory and discover unmanaged assets | |
Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions | |
Search and manage firewall rules and rule groups | |
Search, create, update, and delete host groups; manage group membership | |
Manage and query host/device information | |
Entity investigation and identity protection analysis | |
Research threat actors, IOCs, and intelligence reports | |
Search, create, and remove custom indicators of compromise | |
Execute CQL queries against Next-Gen SIEM | |
Search, create, update, and delete prevention, sensor update, firewall, device control, response, and content update policies; manage host-group assignment, enable/disable, and precedence | |
Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files | |
Audit, summarize, and run read-only RTR triage workflows | |
Search Falcon Intelligence Recon notifications (recon alerts), monitoring rules, and exposed-data records for dark web, leaked credentials, and typosquatting | |
Manage scheduled reports and download report files | |
Access and analyze sensor usage data | |
Search for vulnerabilities in serverless functions | |
SaaS security posture, checks, alerts, and app inventory | |
Manage and analyze vulnerability data and security assessments |
See the Module Overview for required API scopes, available tools, and FQL resources.
Quick Start
Install
Using uv (recommended)
uv tool install falcon-mcpUsing pip
pip install falcon-mcpConfigure
Set the required environment variables (or use a .env file — see the Configuration Guide):
export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"Run
falcon-mcpSee the Getting Started guide for full installation and configuration details.
Editor Integration
Using uvx (recommended)
{
"mcpServers": {
"falcon-mcp": {
"command": "uvx",
"args": [
"--env-file",
"/path/to/.env",
"falcon-mcp"
]
}
}
}With Module Selection
{
"mcpServers": {
"falcon-mcp": {
"command": "uvx",
"args": [
"--env-file",
"/path/to/.env",
"falcon-mcp",
"--modules",
"detections,hosts,intel"
]
}
}
}Docker
{
"mcpServers": {
"falcon-mcp-docker": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--env-file",
"/full/path/to/.env",
"quay.io/crowdstrike/falcon-mcp:latest"
]
}
}
}See the Usage guide for all command line options, module configuration, and library usage.
Container Usage
# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest
# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest
# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0See the Docker Deployment guide for building locally, custom ports, and advanced configurations.
Dynamic Mode
Running many modules at once inflates the context window every AI client must hold. Dynamic mode
replaces the full tool surface with three tools — falcon_list_enabled_modules to see which
modules are loaded, falcon_search_tools to discover the right tool on demand, and
falcon_execute_tool to run it — so agents only load the schemas they actually need.
falcon-mcp --dynamic
# or: FALCON_MCP_DYNAMIC=trueSee the Dynamic Mode guide for the full discover → execute workflow and trade-offs.
Deployment Options
Contributing
# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras
# Run tests
uv run pytestThis project usesConventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.
Developer Documentation
Documentation Guide: Architecture and maintenance guide for the documentation
Module Development Guide: Instructions for implementing new modules
Resource Development Guide: Instructions for implementing resources
Integration Testing Guide: Guide for running integration tests with real API calls
Registries
falcon-mcp is published to public MCP catalogs for discovery and one-click setup in compatible clients:
License
This project is licensed under the MIT License - see the LICENSE file for details.
Support
This is a community-driven, open source project. While it is not an official CrowdStrike product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.
For more information, please see our SUPPORT file.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/carlosmmatos/falcon-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server