threatlocker-mcp-server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@threatlocker-mcp-serverlist all computers in my organization"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
ThreatLocker MCP Server
An MCP (Model Context Protocol) server for interacting with the ThreatLocker Portal API through Claude Desktop, Claude Code, or any MCP-compatible client.
About
This server exposes ThreatLocker Portal functionality as MCP tools, enabling AI assistants to query computers, applications, policies, audit logs, and more. It supports both local (stdio) and remote (HTTP/SSE) transports.
Current Status: Full read/write support for applications and policies. Set THREATLOCKER_READ_ONLY=true to enforce read-only mode.
Related MCP server: domotz-mcp
Disclaimer
USE AT YOUR OWN RISK
This software is provided "as is" without warranty of any kind. This is an unofficial, community-developed integration and is not affiliated with, endorsed by, or supported by ThreatLocker.
API keys are currently stored in plain text (in environment variables,
.envfiles, or MCP client config files). A more secure credential storage solution is planned for a future release.Always test in a non-production environment first
Review the source code before deploying
Monitor API usage and audit logs
The authors are not responsible for any damages, security incidents, or unintended actions resulting from use of this software
By using this software, you accept full responsibility for its use in your environment.
Protecting API Keys with ThreatLocker Storage Control
Since API keys are stored in plain text, you can use ThreatLocker's own Storage Control to restrict which applications can read the config files. This ensures that even if an unauthorized process runs on your machine, it cannot access the keys.
Files to protect:
File | Used By |
| MCP server (stdio mode) |
| Claude Desktop |
| Claude Code |
Recommended Storage Control policy:
In ThreatLocker Portal, navigate to Application Control > Storage Control
Create a Deny policy that blocks all applications from reading the config files listed above
Create Permit policies that allow only the specific applications that need access. Example:
node.exe/node— for the MCP server processClaude Desktop.exe/Claude Desktop— for Claude Desktopclaude— for Claude Code CLI
Apply the policies to the relevant computer group
This way, ThreatLocker prevents any other process from reading your API keys, even though they are stored in plain text.
Installation
Prerequisites
Node.js 24+ or Docker
ThreatLocker API key (generate in Portal)
Option 1: Docker (Recommended)
docker pull ghcr.io/bigfootbytes/threatlocker-mcp-server:latestOption 2: From Source
git clone https://github.com/BigfootBytes/threatlocker-mcp-server.git
cd threatlocker-mcp-server
npm install
npm run buildConfiguration
Claude Desktop / Claude Code
Add to your MCP config file:
Client | OS | Config Path |
Claude Desktop | macOS |
|
Claude Desktop | Windows |
|
Claude Desktop | Linux |
|
Claude Code | All | Project |
Docker configuration:
{
"mcpServers": {
"threatlocker": {
"command": "docker",
"args": ["run", "-i", "--rm", "ghcr.io/bigfootbytes/threatlocker-mcp-server:latest"],
"env": {
"THREATLOCKER_API_KEY": "your-api-key",
"THREATLOCKER_BASE_URL": "https://portalapi.g.threatlocker.com/portalapi",
"THREATLOCKER_ORG_ID": "optional-managed-org-id"
}
}
}
}Node.js configuration:
{
"mcpServers": {
"threatlocker": {
"command": "node",
"args": ["/path/to/threatlocker-mcp-server/dist/index.js"],
"env": {
"THREATLOCKER_API_KEY": "your-api-key",
"THREATLOCKER_BASE_URL": "https://portalapi.g.threatlocker.com/portalapi"
}
}
}
}Environment Variables
Variable | Required | Default | Description |
| Yes* | - | API key (stdio mode) |
| Yes* | - | Portal API URL |
| No | - | Managed organization ID |
| No |
| Transport mode: |
| No |
| HTTP server port |
| No |
| Logging: |
| No | - | CORS origins (comma-separated) |
| No | - | Set to |
*Required for stdio mode. HTTP mode uses per-request headers.
ThreatLocker API URLs
Environment | Base URL |
Production |
|
Beta |
|
Available Tools
CRUD Capabilities
Tool | Create | Read | Update | Delete | Description |
| - | :white_check_mark: | - | - | Query computers, check-ins, install info |
| - | :white_check_mark: | - | - | List groups, dropdowns |
| - | :white_check_mark: | - | - | Search apps, research details, files |
| - | :white_check_mark: | - | - | View policies by ID or application |
| - | :white_check_mark: | - | - | Unified audit logs, file history |
| - | :white_check_mark: | - | - | Pending approvals, permit details |
| - | :white_check_mark: | - | - | Child orgs, auth keys |
| - | :white_check_mark: | - | - | List and run reports |
| - | :white_check_mark: | - | - | Computer maintenance history |
| - | :white_check_mark: | - | - | Scheduled agent updates |
| - | :white_check_mark: | - | - | Portal audit logs, health center |
| - | :white_check_mark: | - | - | Network and policy tags |
| - | :white_check_mark: | - | - | Storage control policies |
| - | :white_check_mark: | - | - | Network access control policies |
| - | :white_check_mark: | - | - | Available ThreatLocker agent versions |
| - | :white_check_mark: | - | - | Currently online/connected devices |
Tool Details
Tool | Actions |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
HTTP Mode (Remote Server)
For remote deployments, run in HTTP mode:
docker run -d -p 8080:8080 -e TRANSPORT=http ghcr.io/bigfootbytes/threatlocker-mcp-server:latestEndpoints
Method | Endpoint | Auth | Description |
GET |
| No | Health check |
GET |
| No | List available tools |
GET |
| Yes | SSE stream (Claude Desktop) |
POST |
| Session | SSE client messages |
POST |
| Yes | Streamable HTTP MCP |
POST |
| Yes | Direct REST API |
Authentication Headers
Header | Required | Description |
| Yes | ThreatLocker API key |
| Yes | Portal API base URL |
| No | Managed organization ID |
Claude Remote Configuration
Streamable HTTP via mcp-remote (Claude Desktop):
Claude Desktop does not yet support Streamable HTTP natively. Use mcp-remote as a proxy:
{
"mcpServers": {
"threatlocker": {
"command": "npx",
"args": [
"mcp-remote",
"https://your-server.example.com/mcp",
"--header",
"Authorization:${THREATLOCKER_API_KEY}",
"--header",
"X-ThreatLocker-Base-URL:${THREATLOCKER_BASE_URL}"
],
"env": {
"THREATLOCKER_API_KEY": "your-api-key",
"THREATLOCKER_BASE_URL": "https://portalapi.g.threatlocker.com/portalapi"
}
}
}
}SSE (legacy):
{
"mcpServers": {
"threatlocker": {
"url": "https://your-server.example.com/sse",
"headers": {
"Authorization": "your-api-key",
"X-ThreatLocker-Base-URL": "https://portalapi.g.threatlocker.com/portalapi"
}
}
}
}Development
npm install # Install dependencies
npm run build # Compile TypeScript
npm test # Run tests
npm run dev # Watch modeLicense
GPL-3.0 - see LICENSE for details.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/BigfootBytes/threatlocker-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server