Tenable Identity Exposure MCP Server
The Tenable Identity Exposure MCP Server exposes the Tenable Identity Exposure (TIE) REST API as tools for LLM clients, enabling AI-driven Active Directory security monitoring, threat detection, and identity risk analysis.
Discover API Resources (
tie_catalog): List all available TIE API resources and their paths — recommended as a first step before using other tools.Raw API Access (
tie_request): Make direct HTTP calls (GET, POST, PUT, PATCH, DELETE) to any TIE API endpoint for maximum flexibility.Generic CRUD Operations (
tie_resource_action): Perform list, get, create, update, or delete operations on any TIE resource (directories, attacks, users, alerts, etc.).Unified Recent Activity Timeline (
tie_recent_activity): Get a merged, time-ordered view of both IoE (Indicator of Exposure) alerts and IoA (Indicator of Attack) attacks, enriched with deviance details.Security Profiles (
tie_profiles): List all security profiles, which are required to scope IoE/IoA queries.Security Scores (
tie_scores): Retrieve per-directory AD security scores reflecting outstanding IoE deviances.AD Topology (
tie_topology): View Active Directory topology including domains, forests, and trust relationships.IoA Attack Instances (
tie_attacks): Query attack instances scoped to an infrastructure, directory, hostname, or IP, with optional filtering by attack type, date range, and status.Alerts (
tie_alerts): List security alerts for a profile, with optional filtering by archived status.IoE Deviances (Time-Windowed) (
tie_deviances): Find AD objects with IoE deviances for a specific checker within a relative or absolute time window.IoE Deviances by Checker (
tie_deviances_by_checker): Retrieve full IoE deviances for a checker without a date filter, with optional expression-based filtering.IoE Deviances by Directory (
tie_deviances_by_directory): Retrieve full IoE deviances scoped to a specific directory without a date filter.AD Event Search (
tie_search_events): Search AD security events across one or more directories within a specified date range.AD Object Search (
tie_search_ad_objects): Search for Active Directory objects (users, computers, groups, OUs) by name or attribute, with optional type and directory filtering.Current User Identity (
tie_whoami): Retrieve the identity, roles, and permissions associated with the current API key.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Tenable Identity Exposure MCP Serverlist my security profiles"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Tenable Identity Exposure MCP Server
An MCP server exposing the Tenable Identity Exposure (TIE, formerly Tenable.ad) REST API as tools for LLM clients. Built on FastMCP from the official mcp SDK.
Verified end-to-end against a live TIE SaaS instance (v3.120.1).
⚠️ Disclaimer: This is not an officially supported Tenable project. It was built with assistance from Claude — treat its output as a starting point and validate responses against the Tenable console before acting on them.
Tools
Tool | Description |
| List available resources (flat + nested) — call this first |
| Raw HTTP call to any endpoint ( |
| Generic CRUD ( |
| Unified IoE+IoA timeline for the last N hours (one call) |
| List security profiles (IoE/IoA data is profile-scoped) |
| Per-directory security scores for a profile |
| AD topology (domains, forests, trusts) for a profile |
| IoA attack instances (requires |
| Alerts for a profile |
| IoE deviant AD objects for a checker within a time window |
| Full IoE deviances for a checker (no date filter) |
| Full IoE deviances for a directory (no date filter) |
| Search AD security events in a date range |
| Search AD objects (users/computers/groups/OUs) |
| Current user identity, roles, permissions |
Time windows, profiles, and token budget
Time-aware tools (
tie_recent_activity,tie_deviances) accept a relativehours=Nwindow or explicitdate_start/date_end. All timestamps are UTC.IoE/IoA data is profile-scoped. The API does not expose which profile your console has selected, so pass
profile_idexplicitly — usetie_profilesto list them.By default, deviance/object results are slimmed: descriptions are rendered from their templates and oversized attribute values (SID lists, member dumps) are dropped. Pass
verbose=truefor the full raw payload.
Related MCP server: Timely MCP Server
Configuration
Set via environment variables (or --tie-url / --tie-api-key flags):
Variable | Description |
| Base URL, e.g. |
| API key (TIE console → System → Configuration → API key) |
|
|
Auth uses the X-API-Key header.
Install & run
python -m venv .venv && . .venv/bin/activate
pip install -e .
cp .env.example .env # fill in TIE_URL and TIE_API_KEY
# stdio (Claude Desktop / Claude Code)
set -a; . ./.env; set +a
tenable-tie-mcp
# or network transports
tenable-tie-mcp --transport sse --port 8000
tenable-tie-mcp --transport http --port 8000Running with uv / uvx (alternative to a manual venv)
uv can manage the environment for you. uv is the
full tool; uvx (alias for uv tool run) runs a package in a throwaway env, like
npx. Both need uv installed (brew install uv).
# uv run: resolves deps from pyproject.toml into a managed .venv, then runs
uv run tenable-tie-mcp
# uvx: run ephemerally from the project path, nothing persisted
uvx --from . tenable-tie-mcpClaude Desktop / Claude Code config
Use the full path to the executable. Claude Desktop does not launch from your
shell, so it does not inherit your PATH — a bare tenable-tie-mcp will fail with
"command not found" unless the tool is on the system PATH (e.g. a pipx install).
For a venv install, point at the venv's launcher:
{
"mcpServers": {
"tenable-tie": {
"command": "/absolute/path/to/tenable-ie-mcp/.venv/bin/tenable-tie-mcp",
"env": {
"TIE_URL": "https://your-host.tenable.ad",
"TIE_API_KEY": "your-key"
}
}
}
}Find the exact path with echo "$PWD/.venv/bin/tenable-tie-mcp" from the project
root. See claude_desktop_config.sample.json for a complete example.
If you installed globally with
pipx install .(oruv tool install), the bare"command": "tenable-tie-mcp"works because it lands on the system PATH.
With uv (alternative)
Point command at the full path of uv (which uv, e.g. /opt/homebrew/bin/uv)
and let it manage the environment:
{
"mcpServers": {
"tenable-tie": {
"command": "/opt/homebrew/bin/uv",
"args": ["run", "--directory", "/absolute/path/to/tenable-ie-mcp", "tenable-tie-mcp"],
"env": {
"TIE_URL": "https://your-host.tenable.ad",
"TIE_API_KEY": "your-key"
}
}
}
}Docker
docker compose up --build # reads TIE_URL / TIE_API_KEY from environmentExample prompts
"Show me IoE and IoA activity in the last 12 hours." →
tie_recent_activity"Which security profiles exist?" →
tie_profiles"List the monitored directories and their security scores."
"Show the latest IoA attacks against directory 8."
"What IoE deviances appeared for checker 15 in the last day?" →
tie_deviances"Show unread alerts for profile 2."
Notes
profile_iddefaults to1(the default Tenable profile) in the convenience tools.Attacks must be scoped:
resource_type∈infrastructure|directory|hostname|ipandresource_valueis the id or name/ip.Non-JSON responses are returned as
{"content_type": ..., "text": ...}rather than crashing.Scoring and prioritization: TIE checkers carry a
remediationCost(easy / medium / hard) but no native asset-level severity score. If your workflow requires AES (Asset Exposure Score) or ACR (Asset Criticality Rating) — for example, to rank affected identities by business risk — connect your environment to Tenable One. Tenable One aggregates data across TIE, Tenable Vulnerability Management, and other sources to produce unified AES/ACR scores that can be surfaced here via the API.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/knethteo/tenable-identity-exposure-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server