
Security Detections MCP


What is this?

Security Detections MCP is an open-source platform that unifies 7,283+ detection rules from four major sources into a single queryable interface using the Model Context Protocol (MCP). It combines:

  • An MCP Server with 74 tools for searching, analyzing, and engineering detections

  • A Threat Intelligence MCP Server (Threadlinqs Intel) with 32 tools for real-time threat feeds, C2 tracking, MITRE mapping, and DNS enrichment

  • A Web Dashboard (Detection Workbench) for visual exploration, workflow execution, and AI-powered ad-hoc analysis

  • An Autonomous Agent Pipeline (LangGraph) for end-to-end detection generation and validation

Detection Sources

| Source | Rules | Format | Description |
|---|---|---|---|
| Sigma | 3,200+ | YAML | Community-driven, platform-agnostic detection rules |
| Splunk ESCU | 1,800+ | YAML/SPL | Splunk's Enterprise Security Content Update detections |
| Elastic | 1,400+ | TOML/EQL | Elastic Security detection rules |
| KQL | 880+ | KQL | Microsoft Sentinel / Defender analytics rules |


Quick Start

Prerequisites

  • Node.js >= 18.0.0

  • npm >= 8.0.0

  • Git (for cloning detection repos)

1. Clone and build the MCP server

git clone https://github.com/MHaggis/Security-Detections-MCP.git
cd Security-Detections-MCP
npm install
npm run build

2. Clone detection rule repositories

mkdir -p detections && cd detections

# Sigma rules
git clone https://github.com/SigmaHQ/sigma.git

# Splunk ESCU
git clone https://github.com/splunk/security_content.git

# Elastic detection rules
git clone https://github.com/elastic/detection-rules.git

# KQL rules
git clone https://github.com/bert-jan/kql.git kql-bertjanp
git clone https://github.com/jkerai1/SentinelAnalyticRules.git kql-jkerai1

cd ..

3. Start the workbench

cd workbench
npm install
npm run dev

Open http://localhost:3000 in your browser.

4. Configure API keys

Navigate to Settings in the workbench sidebar and configure:

  • LLM Provider — Choose Anthropic (Claude) or OpenAI (GPT-4) and enter your API key

  • Threadlinqs Intel API Key — Get yours at intel.threadlinqs.com for real-time threat intelligence

Without an LLM API key, ad-hoc queries and llm_prompt workflow steps won't function. Without a Threadlinqs key, threat intelligence workflows will skip intel steps but detection tools will work normally.


Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    Detection Workbench (Next.js)                │
│  Dashboard │ Tools │ Workflows │ Ad-Hoc │ Threats │ Coverage    │
├──────────────────────┬──────────────────────────────────────────┤
│    MCP Bridge        │         LLM Client                      │
│  (StdioTransport)    │   (Anthropic / OpenAI)                  │
├──────────┬───────────┼──────────────────────────────────────────┤
│          │           │                                          │
│  ┌───────▼────────┐  │  ┌─────────────────────┐                │
│  │ security-      │  │  │ threadlinqs-intel    │                │
│  │ detections     │  │  │ MCP Server (v3.1.1)  │                │
│  │ MCP Server     │  │  │                      │                │
│  │                │  │  │ 32 tools:            │                │
│  │ 74 tools:      │  │  │ • Threat feeds       │                │
│  │ • Search       │  │  │ • C2 tracking        │                │
│  │ • MITRE map    │  │  │ • MITRE mapping      │                │
│  │ • Knowledge    │  │  │ • CVE/CWE lookup     │                │
│  │ • Engineering  │  │  │ • IOC search         │                │
│  │ • Autonomous   │  │  │ • Simulations        │                │
│  └───────┬────────┘  │  └──────────┬──────────┘                │
│          │           │             │                            │
│  ┌───────▼───────────▼─────────────▼──────────┐                │
│  │              SQLite Cache                   │                │
│  │         7,283+ indexed detections           │                │
│  └───────────────┬────────────────────────────┘                │
│                  │                                              │
│  ┌───────────────▼────────────────────────────┐                │
│  │         Detection Rule Repositories         │                │
│  │   Sigma │ Splunk ESCU │ Elastic │ KQL       │                │
│  └─────────────────────────────────────────────┘                │
└─────────────────────────────────────────────────────────────────┘

Detection Workbench

The workbench is a full-featured web dashboard built with Next.js 15, React 19, and Tailwind CSS v4. It features a terminal-inspired hacker aesthetic with JetBrains Mono font, colored status indicators, and // section headers.

Dashboard

The command center with real-time stats, quick-launch workflows, recent activity, and server status at a glance.

[Screenshot: Dashboard]

| Metric | Value |
|---|---|
| Total Tools | 106 |
| Indexed Detections | 7,283+ |
| Pre-built Workflows | 22 |
| MCP Servers | 2 |

Tool Explorer

Browse, search, and execute all 106 tools across both MCP servers. Blue indicators for security-detections, purple for threadlinqs-intel.

[Screenshot: Tool Explorer]

Click any tool to inspect its schema, parameters, and test it directly from the browser.

[Screenshot: Tool Detail]

Filter by server to see the 32 Threadlinqs Intel tools — threat feeds, C2 tracking, simulations, and more.

[Screenshot: Intel Tools]

Workflow Library

22 pre-built detection engineering workflows spanning threat hunting, coverage analysis, CVE assessment, and intelligence operations.

[Screenshot: Workflows]

Visual Workflow Builder

Drag-and-drop canvas for designing custom detection pipelines. Connect tool calls, transforms, LLM analysis steps, conditionals, loops, and parallel branches.

[Screenshot: Workflow Builder]

Workflow Execution

Execute workflows against live MCP servers with real-time step-by-step progress tracking. Each step shows its type (tool_call, transform, llm_prompt), target server, and execution status.

[Screenshot: Workflow Execution]

Results include LLM-generated analysis with executive summaries, threat inventories, MITRE coverage matrices, and prioritized recommendations.

[Screenshot: Execution Results]

Ad-Hoc Terminal

Natural language interface powered by your configured LLM. Ask questions about your detections, threats, and coverage — the system automatically selects and calls the right MCP tools, then synthesizes the results.

[Screenshot: Ad-Hoc Terminal]

Example queries:

  • "What ransomware detections do we have?"

  • "Show coverage gaps for credential access"

  • "Compare Sigma vs Splunk detection counts"

  • "Pull the latest threats from Threadlinqs and contrast them against my detections"

[Screenshot: Ad-Hoc Results]

All Pages

| Page | Path | Description |
|---|---|---|
| Dashboard | / | Stats, quick-launch, recent activity, server status |
| Ad-Hoc Terminal | /adhoc | Natural language queries with automatic tool orchestration |
| Tool Explorer | /tools | Browse and execute all 106 MCP tools |
| Workflow Library | /workflows | View and run 22 pre-built workflows |
| Workflow Builder | /workflows/builder | Visual drag-and-drop pipeline designer |
| Threats | /threats | Real-time threat intelligence feed |
| Coverage | /coverage | MITRE ATT&CK coverage analysis |
| History | /history | Execution history and past results |
| Settings | /config | LLM provider, API keys, MCP server status |


MCP Tools

security-detections (74 tools)

Core Detection Tools

| Tool | Params | Description |
|---|---|---|
| search | query, limit, source_type | Full-text search across all detection fields |
| get_by_id | id | Get detection by unique identifier |
| get_raw_yaml | id | Get original YAML/TOML source |
| list_all | limit, offset | List all detections with pagination |
| list_by_source | source, limit, offset | Filter by source (sigma, splunk_escu, elastic, kql) |
| list_by_mitre | technique_id, limit | Filter by MITRE ATT&CK technique |
| list_by_logsource | category, product, service, limit, offset | Filter by log source fields |
| list_by_severity | severity, limit, offset | Filter by severity level |
| list_by_cve | cve_id, limit | Find detections related to a CVE |
| list_by_analytic_story | story, limit | Filter by Splunk analytic story |
| list_by_process_name | process, limit, offset | Filter by process name |
| list_by_detection_type | type, limit, offset | Filter by detection type |
| list_by_data_source | data_source, limit, offset | Filter by data source |
| list_by_mitre_tactic | tactic, limit, offset | Filter by MITRE tactic |
| list_by_kql_category | category, limit, offset | Filter KQL by category |
| list_by_kql_tag | tag, limit, offset | Filter KQL by tag |
| list_by_kql_datasource | datasource, limit, offset | Filter KQL by data source |
| list_by_name_pattern | pattern, limit, offset | Wildcard search on detection name |

Analytics & Coverage

| Tool | Description |
|---|---|
| get_stats | Platform-wide detection statistics |
| get_technique_ids | All MITRE technique IDs with detection counts |
| get_technique_count | Count detections for a specific technique |
| analyze_coverage | Analyze MITRE coverage with gap identification |
| identify_gaps | Find techniques with missing or thin coverage |
| suggest_detections | Get recommendations for new detections to build |
| get_detection_list | Generate filterable detection inventory |
| compare_sources | Compare coverage across Sigma, Splunk, Elastic, KQL |
| count_by_source | Count detections per source type |
| smart_compare | Intelligent cross-source comparison |
| get_coverage_summary | Executive-level coverage summary |
| get_top_gaps | Highest-priority detection gaps |

Analytic Stories

| Tool | Description |
|---|---|
| search_stories | Full-text search across analytic stories |
| get_story | Get detailed story information |
| list_stories | List all analytic stories |
| list_stories_by_category | Filter stories by category |

Knowledge Graph (Tribal Knowledge)

| Tool | Description |
|---|---|
| create_entity | Create knowledge entities (threat actors, techniques, etc.) |
| create_relation | Create relationships between entities with reasoning |
| add_observation | Add facts with confidence scoring |
| delete_entity | Remove entity and associated data |
| delete_observation | Delete specific observation |
| search_knowledge | Full-text search across all knowledge |
| read_graph | Read entire graph or filtered subgraph |
| open_entity | Full entity details with relations and observations |
| log_decision | Record significant decisions with reasoning |
| add_learning | Store reusable patterns and insights |
| get_relevant_decisions | Find past decisions relevant to current context |
| get_learnings | Get applicable learnings for current task |

Engineering Intelligence

| Tool | Description |
|---|---|
| get_query_patterns | Common query patterns for a MITRE technique |
| get_field_reference | Available fields for a Splunk data model |
| get_macro_reference | Common Splunk macros and usage patterns |
| find_similar_detections | Find detections similar to what you want to create |
| suggest_detection_template | Generate detection template from technique + patterns |

Dynamic Tables

| Tool | Description |
|---|---|
| create_table | Create custom runtime tables |
| insert_row | Insert data into dynamic table |
| query_table | Query with filtering, sorting, pagination |
| list_tables | List all tables (including pre-built analysis tables) |
| drop_table | Remove table and data |
| describe_table | Get schema and statistics |

Pre-built tables: gap_analyses, source_comparisons, threat_actor_profiles, detection_recommendations

Autonomous Analysis

| Tool | Description |
|---|---|
| auto_analyze_coverage | Automatic coverage analysis across threat profiles |
| auto_gap_report | Comprehensive gap report with prioritized recommendations |
| auto_compare_sources | Detailed cross-source comparison with reasoning |
| llm_enhanced_analysis | LLM-enhanced analysis via MCP sampling |
| check_sampling_status | Check if MCP sampling is available |

Cache & Templates

| Tool | Description |
|---|---|
| save_query | Cache query results with optional TTL |
| get_saved_query | Retrieve cached results |
| list_saved_queries | List all saved queries |
| rebuild_index | Force re-index all detections |
| save_template | Save reusable query templates with {{placeholders}} |
| run_template | Execute template with parameter substitution |
| list_templates | List all templates with usage stats |
| get_template | Get template details and schema |
| delete_template | Remove a template |

threadlinqs-intel (32 tools) — intelthreadlinqs-mcp@3.1.1

Threat Intelligence

| Tool | Description |
|---|---|
| search_threats | Search threat intelligence database by keyword, CVE, MITRE technique, or actor |
| get_threat | Get full threat report with TTPs, IOCs, detections, and attribution |
| get_recent_threats | Get most recently published threats, ordered by creation date |
| list_threat_categories | List all threat categories with counts |
| get_threat_transcripts | Multi-agent intelligence analysis transcripts for a threat |

Detections & Coverage

| Tool | Description |
|---|---|
| get_detections | Get detection rules, filter by threat ID or type (SPL, KQL, Sigma) |
| export_detection | Export detection in raw SIEM format |
| get_mitre_coverage | Full MITRE ATT&CK framework coverage map |
| get_mitre_technique | Detailed info for a specific MITRE ATT&CK technique |

IOC Intelligence & DNS Enrichment

| Tool | Description |
|---|---|
| search_iocs | Search IOCs — IPs, domains, hashes, URLs, behavioral indicators |
| enrich_iocs | Trigger DNS enrichment for IOCs (single, per-threat, or bulk) |
| get_ioc_dns | Get passive DNS enrichment data for a specific IOC (IP or domain) |
| get_enrichment_graph | DNS enrichment infrastructure graph — nodes and edges |
| get_enrichment_overview | DNS enrichment overview — totals, discovered domains, cross-threat links |

C2 Tracking

| Tool | Description |
|---|---|
| list_c2_beacons | Wild C2 beacons — command-and-control infrastructure intel |
| get_c2_stats | C2 framework distribution, geographic spread, watermarks |
| get_c2_operators | C2 operator cluster analysis — behavioral fingerprints |
| get_c2_cross_correlations | Cross-intelligence correlations — IP, tag, MITRE matches |
| get_c2_watermarks | Cobalt Strike watermark clusters |
| get_c2_timeline | Monthly C2 framework version distribution |
| get_c2_configs | Full C2 beacon configurations — sleep, jitter, user agents |

Correlations & Lookups

| Tool | Description |
|---|---|
| get_correlations_overview | Aggregated intelligence from 7 correlation engines |
| get_correlation_engine | Detailed data from a specific correlation engine |
| get_cve_details | CVE lookup with severity, CVSS, and description |
| get_cwe_details | CWE weakness lookup with description and mitigations |

Simulations & Debriefs

| Tool | Description |
|---|---|
| list_simulations | List attack simulation scenarios |
| get_threat_simulations | Get simulation commands for a specific threat |
| list_debriefs | List daily intelligence debriefs |
| get_debrief | Get specific daily debrief by date |

Platform

| Tool | Description |
|---|---|
| get_platform_stats | Platform statistics — threats, detections, IOCs, coverage |
| get_roadmap | Platform roadmap — planned features and ideas |
| get_changelog | Recent updates, features, and fixes |


Workflow Engine

The workflow engine supports 6 step types that can be chained into multi-step detection engineering pipelines:

| Step Type | Description | Example |
|---|---|---|
| tool_call | Execute an MCP tool on a specified server | search on security-detections |
| transform | Extract or reshape data between steps | $steps.threats[0].id |
| llm_prompt | Send a prompt to the configured LLM for analysis | Coverage gap analysis |
| conditional | Branch execution based on a condition | $steps.count > 0 |
| loop | Iterate over an array, executing steps per item | Loop over techniques |
| parallel | Execute multiple steps concurrently | Query multiple sources |

Binding System

Steps can reference outputs from previous steps using $-expressions:

$input.cve_id              # Workflow input parameter
$steps.threats             # Output from step with id "threats"
$steps.threats[0].id       # First item's id field
$steps.detail.mitre_attack # Nested field access

Pre-built Workflows (22)

Threat Intelligence

| Workflow | Tags | Description |
|---|---|---|
| Threat Coverage Check | threats, coverage, gaps | Get recent threats, extract MITRE techniques, identify detection gaps |
| CVE Impact Assessment | cve, threats, assessment | Assess CVE impact by finding related threats and detections |
| Daily Threat Debrief | daily, debrief, threats | Generate daily threat intelligence summary with coverage report |
| New Threat Triage | triage, threat, detections | Triage specific threat with detection check and recommendations |
| Threat Actor Profile | threat-actor, profile, techniques | Build complete threat actor profile with TTPs and coverage |
| IOC Enrichment | ioc, enrichment, threats | Enrich IOCs with threat context, technique mapping, coverage check |
| Weekly Security Report | weekly, report, summary | Comprehensive weekly report with stats and correlations |

Coverage Analysis

| Workflow | Tags | Description |
|---|---|---|
| Detection Gap Analysis | gaps, coverage, mitre | Compare MITRE coverage between threat intel and detections |
| Coverage Sync | sync, coverage, mitre | Parallel sync of MITRE coverage across intel and detections |
| Detection Source Comparison | comparison, sources | Compare counts and coverage across Sigma, Splunk, Elastic, KQL |
| Detection Quality Report | quality, optimization | Find thin coverage, over-covered areas, rebalancing suggestions |

Threat Hunting

| Workflow | Tags | Description |
|---|---|---|
| C2 Framework Hunting | c2, hunting | Identify C2 frameworks and check detection coverage |
| Lateral Movement Hunt | lateral-movement, hunting | Map lateral movement techniques, build hunting plan |
| Credential Theft Audit | credentials, audit | Audit credential dumping, brute force, kerberoasting detections |
| Exfiltration Watchlist | exfiltration, dlp | Map exfiltration techniques, C2 channels, DLP blind spots |

Posture Assessment

| Workflow | Tags | Description |
|---|---|---|
| Ransomware Readiness | ransomware, readiness | Evaluate detection posture against ransomware TTPs |
| Initial Access Posture | initial-access, phishing | Assess phishing, drive-by, supply chain, valid account coverage |
| Privilege Escalation Review | privesc, escalation | Deep dive into UAC bypass, token manipulation, process injection |
| PowerShell Threat Matrix | powershell, lolbas | PowerShell attack analysis: obfuscation, AMSI bypass, LOLBins |
| Cloud Security Coverage | cloud, aws, azure, gcp | Cloud-specific attack coverage across AWS, Azure, GCP |
| Defense Evasion Deep Dive | evasion, defense | Exhaustive analysis of the largest MITRE tactic |
| Threat Simulation Readiness | simulation, purple-team | Check if detection stack catches simulated TTPs |


Autonomous Pipeline

The agents/ directory contains a LangGraph-based autonomous pipeline for end-to-end detection generation and validation:

CTI Analyst ──► Coverage Analyzer ──► Detection Engineer ──► Atomic Executor
                                                                    │
                                                            Splunk Validator
                                                                    │
                                                              Data Dumper
                                                                    │
                                                              PR Stager

Agent Nodes

| Agent | Role |
|---|---|
| CTI Analyst | Analyzes threat intelligence and extracts TTPs |
| Coverage Analyzer | Maps existing detection coverage against threats |
| Detection Engineer | Generates new detection rules for gaps |
| Atomic Executor | Creates Atomic Red Team test cases |
| Splunk Validator | Validates SPL syntax and logic |
| SIEM Validator | Cross-platform SIEM validation |
| FP Analyst | Assesses false positive risk |
| QA Reviewer | Quality assurance review |
| Verifier | End-to-end verification |
| Data Dumper | Exports results to structured formats |
| PR Stager | Stages detection PRs for review |
| Attack Range Builder | Provisions test environments |

Setup

cd agents
cp .env.example .env
# Edit .env with your ANTHROPIC_API_KEY and SIEM_PLATFORM
npm install
npm run build

Configuration

MCP Server Configuration

The MCP servers are configured in .cursor/mcp.json:

{
  "mcpServers": {
    "security-detections": {
      "command": "node",
      "args": ["./dist/index.js"],
      "env": {
        "SIGMA_PATHS": "./detections/sigma/rules,./detections/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "./detections/security_content/detections",
        "ELASTIC_PATHS": "./detections/detection-rules/rules",
        "KQL_PATHS": "./detections/kql-bertjanp,./detections/kql-jkerai1",
        "STORY_PATHS": "./detections/security_content/stories"
      }
    },
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp@3.1.1"],
      "env": {
        "THREADLINQS_API_KEY": ""
      }
    }
  }
}

LLM Configuration

The workbench supports two LLM providers configured in the Settings page:

| Provider | Models | API Key Env Var |
|---|---|---|
| Anthropic | claude-sonnet-4-20250514, claude-haiku-4-20250414, claude-opus-4-20250514 | ANTHROPIC_API_KEY |
| OpenAI | gpt-4o, gpt-4o-mini, gpt-4-turbo | OPENAI_API_KEY |

API keys can be set in three ways (in priority order):

  1. Settings page in the workbench UI

  2. Environment variables (ANTHROPIC_API_KEY, OPENAI_API_KEY, THREADLINQS_API_KEY)

  3. .env.local file in the workbench/ directory
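The priority chain above, as an added TypeScript example that is not the workbench's own settings code: `resolveApiKey` picks the first non-empty value from the Settings page, then the environment, then `workbench/.env.local`, and `settingsView` produces the masked form that `GET /api/settings` is described as returning, without ever exposing the raw secret. The `KeySources` shape, the `.env` parsing rules and the mask format are assumptions; the sample values in the test are constructed.

```typescript
// Added example, not the workbench's own settings code: resolve an API key in
// the README's stated priority order (Settings page, environment variable,
// workbench/.env.local) and build a masked view for display. The .env parsing
// rules and the mask format are assumptions.

type KeyName = "ANTHROPIC_API_KEY" | "OPENAI_API_KEY" | "THREADLINQS_API_KEY";
type KeySource = "settings" | "env" | ".env.local";

interface KeySources {
  settings: Partial<Record<KeyName, string>>; // values saved from the Settings page
  env: Record<string, string | undefined>;    // e.g. process.env
  dotenvLocal: string;                        // raw text of workbench/.env.local
}

interface ResolvedKey {
  value: string;
  source: KeySource;
}

// Minimal .env parser: KEY=value per line, optional single or double quotes,
// "#" comment lines and blank lines ignored. Later lines override earlier ones.
function parseDotenv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = /^(["'])(.*)\1$/.exec(value);
    if (quoted) value = quoted[2];
    out[key] = value;
  }
  return out;
}

// First non-empty value wins, in the README's priority order.
function resolveApiKey(name: KeyName, sources: KeySources): ResolvedKey | undefined {
  const candidates: Array<[KeySource, string | undefined]> = [
    ["settings", sources.settings[name]],
    ["env", sources.env[name]],
    [".env.local", parseDotenv(sources.dotenvLocal)[name]],
  ];
  for (const [source, value] of candidates) {
    if (value && value.trim() !== "") return { value: value.trim(), source };
  }
  return undefined;
}

// Mask for display: keep four characters at each end, never the middle;
// short values are fully masked so nothing useful leaks.
function maskKey(value: string): string {
  if (value.length <= 8) return "*".repeat(value.length);
  return `${value.slice(0, 4)}${"*".repeat(value.length - 8)}${value.slice(-4)}`;
}

interface KeyView {
  configured: boolean;
  source?: KeySource;
  masked?: string;
}

// The view a settings endpoint can safely return: presence, origin and a mask,
// but never the raw secret.
function settingsView(sources: KeySources): Record<KeyName, KeyView> {
  const names: KeyName[] = ["ANTHROPIC_API_KEY", "OPENAI_API_KEY", "THREADLINQS_API_KEY"];
  const view = {} as Record<KeyName, KeyView>;
  for (const name of names) {
    const resolved = resolveApiKey(name, sources);
    view[name] = resolved
      ? { configured: true, source: resolved.source, masked: maskKey(resolved.value) }
      : { configured: false };
  }
  return view;
}

// Mirrors the README's behaviour note: ad-hoc queries and llm_prompt steps need
// one LLM key; intel steps are skipped without a Threadlinqs key.
function capabilities(sources: KeySources): { llm: boolean; intel: boolean } {
  return {
    llm:
      resolveApiKey("ANTHROPIC_API_KEY", sources) !== undefined ||
      resolveApiKey("OPENAI_API_KEY", sources) !== undefined,
    intel: resolveApiKey("THREADLINQS_API_KEY", sources) !== undefined,
  };
}
```

The `source` field in the view is worth keeping: when a key is picked up from the environment rather than the UI, an operator can see where it came from and notice a stale or unexpected value without the endpoint ever returning the key itself.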

Workbench Engine Settings

| Setting | Default | Description |
|---|---|---|
| max_prompt_size | 12,000 chars | Maximum prompt length sent to LLM |
| per_binding_limit | 3,000 chars | Max chars per step binding in prompts |
| llm_timeout | 180s | LLM request timeout |
| error_policy | continue | `continue` or `stop` on step failure |
| max_tokens | 4,096 | Maximum LLM response tokens |


Using with AI Assistants

Claude Code (CLI)

Add the MCP servers to your Claude Code configuration:

# Add the security-detections MCP server
claude mcp add security-detections \
  -e SIGMA_PATHS="/path/to/detections/sigma/rules,/path/to/detections/sigma/rules-threat-hunting" \
  -e SPLUNK_PATHS="/path/to/detections/security_content/detections" \
  -e ELASTIC_PATHS="/path/to/detections/detection-rules/rules" \
  -e KQL_PATHS="/path/to/detections/kql-bertjanp,/path/to/detections/kql-jkerai1" \
  -e STORY_PATHS="/path/to/detections/security_content/stories" \
  -- node /path/to/Security-Detections-MCP/dist/index.js

# Add the threadlinqs-intel MCP server
claude mcp add threadlinqs-intel \
  -e THREADLINQS_API_KEY="your-threadlinqs-api-key" \
  -- npx -y intelthreadlinqs-mcp@3.1.1

Or add them directly to ~/.claude.json (global) or .claude/settings.json (project-level):

{
  "mcpServers": {
    "security-detections": {
      "command": "node",
      "args": ["/path/to/Security-Detections-MCP/dist/index.js"],
      "env": {
        "SIGMA_PATHS": "/path/to/detections/sigma/rules,/path/to/detections/sigma/rules-threat-hunting",
        "SPLUNK_PATHS": "/path/to/detections/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detections/detection-rules/rules",
        "KQL_PATHS": "/path/to/detections/kql-bertjanp,/path/to/detections/kql-jkerai1",
        "STORY_PATHS": "/path/to/detections/security_content/stories"
      }
    },
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp@3.1.1"],
      "env": {
        "THREADLINQS_API_KEY": "your-threadlinqs-api-key"
      }
    }
  }
}

Claude Desktop / Cursor / Windsurf

Add the servers to your MCP configuration file (.cursor/mcp.json, claude_desktop_config.json, etc.):

{
  "mcpServers": {
    "security-detections": {
      "command": "node",
      "args": ["/path/to/Security-Detections-MCP/dist/index.js"],
      "env": {
        "SIGMA_PATHS": "/path/to/detections/sigma/rules",
        "SPLUNK_PATHS": "/path/to/detections/security_content/detections",
        "ELASTIC_PATHS": "/path/to/detections/detection-rules/rules",
        "KQL_PATHS": "/path/to/detections/kql-bertjanp,/path/to/detections/kql-jkerai1"
      }
    },
    "threadlinqs-intel": {
      "command": "npx",
      "args": ["-y", "intelthreadlinqs-mcp@3.1.1"],
      "env": {
        "THREADLINQS_API_KEY": "your-threadlinqs-api-key"
      }
    }
  }
}

Example Prompts

"Search for all detections related to T1059.001 (PowerShell)"

"Compare Sigma vs Splunk ESCU coverage for credential access techniques"

"Find detection gaps in our lateral movement coverage"

"What detections do we have for ransomware encryption behaviors?"

"Create a knowledge entity for APT29 with all known techniques"

"Generate a gap report for the top 10 most critical MITRE techniques"

API Reference

The workbench exposes a REST API for programmatic access:

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/mcp/servers | List MCP servers and status (auto-connects on first call) |
| POST | /api/mcp/servers | Reconnect a server ({action: "reconnect", server: "name"}) |
| GET | /api/mcp/tools | List all available tools |
| POST | /api/mcp/{server}/{tool} | Execute a tool |
| GET | /api/workflows | List all workflows |
| POST | /api/workflows | Create a workflow |
| GET | /api/workflows/{id} | Get workflow details |
| PUT | /api/workflows/{id} | Update a workflow |
| POST | /api/workflows/{id}/execute | Execute a workflow |
| GET | /api/workflows/{id}/stream | Stream execution events (SSE) |
| GET | /api/executions | List execution history |
| DELETE | /api/executions | Clear execution history |
| POST | /api/adhoc | Execute ad-hoc query (SSE stream) |
| GET | /api/settings | Get settings (keys masked) |
| POST | /api/settings | Update settings |
| GET | /api/settings?test=true | Test LLM connection |
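A small client for the endpoints above, as an added TypeScript example that is not part of the workbench: `WorkbenchClient` wraps tool execution, server reconnection and workflow execution, and `parseSse` turns the `text/event-stream` body of `/api/workflows/{id}/stream` into typed events. The fetch-like interface is injected so the client can be exercised offline; the request body accepted by `/execute` and the shape of the streamed event payloads are assumptions, and the stream sample in the test is constructed.

```typescript
// Added example, not the workbench's own client code: a thin typed client for
// the REST API listed above plus an SSE parser for the workflow stream
// endpoint. The fetch-like interface is injected so the client runs offline;
// the /execute request body and the streamed payload shape are assumptions.

interface ResponseLike {
  ok: boolean;
  status: number;
  json(): Promise<unknown>;
  text(): Promise<string>;
}

type FetchLike = (
  url: string,
  init?: { method?: string; headers?: Record<string, string>; body?: string },
) => Promise<ResponseLike>;

// Path segments are encoded so a server or tool name can never introduce
// extra "/" or "?" components into the URL.
function toolEndpoint(baseUrl: string, server: string, tool: string): string {
  return `${baseUrl}/api/mcp/${encodeURIComponent(server)}/${encodeURIComponent(tool)}`;
}

interface SseEvent {
  event: string;
  data: string;
  id?: string;
}

// Parse a complete text/event-stream body: records are separated by a blank
// line, multiple "data:" lines are joined with "\n", ":" comment lines and
// unknown fields are ignored, and the default event name is "message".
function parseSse(body: string): SseEvent[] {
  const events: SseEvent[] = [];
  for (const record of body.split(/\r?\n\r?\n/)) {
    const dataLines: string[] = [];
    let name = "message";
    let id: string | undefined;
    for (const line of record.split(/\r?\n/)) {
      if (line === "" || line.startsWith(":")) continue;
      const colon = line.indexOf(":");
      const field = colon === -1 ? line : line.slice(0, colon);
      let value = colon === -1 ? "" : line.slice(colon + 1);
      if (value.startsWith(" ")) value = value.slice(1);
      if (field === "event") name = value;
      else if (field === "data") dataLines.push(value);
      else if (field === "id") id = value;
    }
    if (dataLines.length > 0) events.push({ event: name, data: dataLines.join("\n"), id });
  }
  return events;
}

class WorkbenchClient {
  private readonly baseUrl: string;
  private readonly fetchImpl: FetchLike;

  constructor(baseUrl: string, fetchImpl: FetchLike) {
    this.baseUrl = baseUrl.replace(/\/+$/, ""); // tolerate a trailing slash
    this.fetchImpl = fetchImpl;
  }

  private async postJson(url: string, payload: unknown): Promise<unknown> {
    const res = await this.fetchImpl(url, {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify(payload),
    });
    if (!res.ok) throw new Error(`POST ${url} failed: HTTP ${res.status}`);
    return res.json();
  }

  // POST /api/mcp/{server}/{tool}
  executeTool(server: string, tool: string, params: Record<string, unknown>): Promise<unknown> {
    return this.postJson(toolEndpoint(this.baseUrl, server, tool), params);
  }

  // POST /api/mcp/servers with {action: "reconnect", server: "name"}
  reconnect(server: string): Promise<unknown> {
    return this.postJson(`${this.baseUrl}/api/mcp/servers`, { action: "reconnect", server });
  }

  // POST /api/workflows/{id}/execute; sending the inputs as the JSON body is an assumption
  executeWorkflow(id: string, input: Record<string, unknown>): Promise<unknown> {
    return this.postJson(`${this.baseUrl}/api/workflows/${encodeURIComponent(id)}/execute`, input);
  }

  // GET /api/workflows/{id}/stream, read to completion and parsed into events
  async streamEvents(id: string): Promise<SseEvent[]> {
    const res = await this.fetchImpl(`${this.baseUrl}/api/workflows/${encodeURIComponent(id)}/stream`);
    if (!res.ok) throw new Error(`stream failed: HTTP ${res.status}`);
    return parseSse(await res.text());
  }
}
```

Against a running workbench on Node 18 or later, `new WorkbenchClient("http://localhost:3000", fetch as unknown as FetchLike)` is enough; `streamEvents` reads the whole stream before parsing, which is fine for finished executions but a live run would want the same `parseSse` record logic applied incrementally as chunks arrive.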


Project Structure

Security-Detections-MCP/
├── src/                          # MCP server source
│   ├── index.ts                  # Server entry point
│   ├── db/                       # SQLite database layer
│   ├── handlers/                 # MCP protocol handlers
│   ├── resources/                # MCP resources
│   ├── tools/                    # 74 MCP tools
│   │   ├── detections/           # Core detection query tools
│   │   ├── stories/              # Analytic story tools
│   │   ├── knowledge/            # Knowledge graph (12 tools)
│   │   ├── engineering/          # Detection engineering intelligence
│   │   ├── autonomous/           # Autonomous analysis tools
│   │   ├── dynamic/              # Dynamic table tools
│   │   ├── cache/                # Query caching tools
│   │   ├── meta/                 # Template tools
│   │   └── registry.ts           # Plugin-style tool registry
│   ├── types/                    # TypeScript type definitions
│   └── utils/                    # Shared utilities
│
├── workbench/                    # Detection Workbench (Next.js 15)
│   ├── app/                      # App Router pages & API routes
│   │   ├── api/                  # REST API endpoints
│   │   ├── adhoc/                # Ad-hoc terminal page
│   │   ├── tools/                # Tool explorer page
│   │   ├── workflows/            # Workflow library + builder
│   │   ├── threats/              # Threat intelligence page
│   │   ├── coverage/             # Coverage analysis page
│   │   ├── history/              # Execution history page
│   │   └── config/               # Settings page
│   ├── components/               # React components
│   │   ├── layout/               # Sidebar, header
│   │   ├── tools/                # Tool list, tool form
│   │   ├── shared/               # Loading, markdown renderer
│   │   └── workflow-builder/     # Visual workflow builder
│   ├── lib/                      # Core libraries
│   │   ├── mcp-pool.ts           # MCP server process pool
│   │   ├── mcp-config.ts         # MCP configuration loader
│   │   ├── llm-client.ts         # LLM abstraction (Anthropic/OpenAI)
│   │   ├── workflow-engine.ts    # Workflow execution engine
│   │   ├── workflow-presets.ts   # 22 pre-built workflows
│   │   └── transforms.ts         # $-binding expression resolver
│   └── types/                    # Workbench type definitions
│
├── agents/                       # Autonomous LangGraph pipeline
│   ├── nodes/                    # 12 agent node implementations
│   ├── graphs/                   # Orchestration graph definitions
│   ├── state/                    # LangGraph state management
│   ├── tools/                    # Specialized agent tools
│   └── tests/                    # Agent test suite
│
├── detections/                   # Detection rule repositories (git cloned)
│   ├── sigma/                    # SigmaHQ rules
│   ├── security_content/         # Splunk ESCU
│   ├── detection-rules/          # Elastic rules
│   ├── kql-bertjanp/             # KQL rules (bert-jan)
│   └── kql-jkerai1/              # KQL rules (jkerai1)
│
├── .cursor/
│   ├── mcp.json                  # MCP server configuration
│   ├── rules/                    # 6 Cursor AI rules
│   └── agents/                   # 15 Cursor agent definitions
│
├── docs/                         # Documentation & screenshots
└── package.json                  # Root package (v3.0.0)

Tech Stack

| Layer | Technology |
|---|---|
| MCP Server | Node.js, TypeScript, @modelcontextprotocol/sdk, better-sqlite3 |
| Workbench | Next.js 15, React 19, Tailwind CSS v4, Zustand, React Flow |
| LLM Integration | Anthropic Claude API, OpenAI API (configurable) |
| Threat Intel | Threadlinqs Intel MCP (intelthreadlinqs-mcp@3.1.1) |
| Agent Pipeline | LangGraph, TypeScript |
| Database | SQLite with FTS5 full-text search |
| Detection Formats | Sigma YAML, Splunk YAML/SPL, Elastic TOML/EQL, KQL |


Development

Build the MCP server

npm run build          # Compile TypeScript
npm run dev            # Watch mode
npm run lint           # Type check (strict)

Run the workbench

cd workbench
npm run dev            # Development server (hot reload)
npm run build          # Production build
npm run start          # Production server

Run tests

npm test               # Full test suite
npm run test:platform  # Cross-platform tests
npm run test:ci        # CI integration tests
npm run test:engineering  # Engineering tools tests

Contributing

  1. Fork the repository

  2. Create a feature branch (git checkout -b feature/amazing-detection)

  3. Commit your changes (git commit -m 'Add amazing detection workflow')

  4. Push to the branch (git push origin feature/amazing-detection)

  5. Open a Pull Request


Acknowledgments

