Which integrations are available for this server?

Allows querying Elastic security detection rules, enabling search and analysis of Elastic detection rules. Allows querying Splunk ESCU security detection rules, including searching, retrieving, and analyzing detections from Splunk's security content.

How do I use Security Detections MCP?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Security Detections MCP find Sigma rules for lateral movement" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

Security Detections MCP

by MHaggis

Overview Schema Related Servers Score Discussions

TypeScript

Hybrid

Security Detections MCP

An MCP (Model Context Protocol) server that lets LLMs query a unified database of Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL security detection rules.

New here? Start with the Setup Guide -- covers macOS, Windows (WSL & native), and Linux step by step.
Want it hosted? Skip the install entirely: Hosted MCP Setup Guide

Two Ways to Run It

Local (full power) — the npm package you're looking at. Runs on your machine, indexes your own detection repos, exposes all 81 tools. You need Node.js and ~10 minutes.

Hosted (zero setup) — a Streamable HTTP server at detect.michaelhaag.org/api/mcp/mcp. Sign up, generate a token, paste one URL into your MCP client. ~25 read-only tools, always in sync with the latest content, 200 calls/day free. Read on for quick-install buttons.

Install — Local

Install Local MCP in Cursor

Claude Code (CLI one-liner):

claude mcp add security-detections -- npx -y security-detections-mcp

Claude Desktop — add to claude_desktop_config.json:

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"]
    }
  }
}

OpenAI Codex (CLI):

codex mcp add security-detections -- npx -y security-detections-mcp

After install, configure env vars (SIGMA_PATHS, SPLUNK_PATHS, etc.) to point at your detection repos. See the Setup Guide for full details.

Install — Hosted (no setup, token required)

Create a token at detect.michaelhaag.org/account/tokens. Free tier: 200 calls/day, all read-only tools.
Click the button for your client — replace sdmcp_YOUR_TOKEN_HERE in the resulting config with the token you just generated.

Install Hosted MCP in Cursor

Claude Code (CLI one-liner):

claude mcp add --transport http security-detections https://detect.michaelhaag.org/api/mcp/mcp --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"

Claude Desktop (via mcp-remote — Desktop doesn't speak remote HTTP natively yet):

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://detect.michaelhaag.org/api/mcp/mcp",
        "--header",
        "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
      ]
    }
  }
}

OpenAI Codex (CLI):

export SDMCP_TOKEN="sdmcp_YOUR_TOKEN_HERE" && codex mcp add security-detections --url https://detect.michaelhaag.org/api/mcp/mcp --bearer-token-env-var SDMCP_TOKEN

See the Hosted MCP Setup Guide for the full table of clients, the complete tool inventory, and troubleshooting tips.

Related MCP server: agentic-detection-lookups

AI Model Routing (Web App)

The web chat supports Free, Pro/Admin, and BYOK (Bring Your Own Key) routing. You can also see the active model at the top of the chat UI.

Free Tier (default)

Default model: nvidia/nemotron-3-super-120b-a12b:free
Automatic fallback order if the first model is busy:
1. nvidia/nemotron-3-super-120b-a12b:free
2. nousresearch/hermes-3-llama-3.1-405b:free
3. meta-llama/llama-3.3-70b-instruct:free
4. openai/gpt-oss-120b:free

Pro/Admin (no BYOK key set)

Uses app-managed OpenRouter routing with your Preferred Model setting in /account:

Preferred Model	Routed model
`auto`	Free model pool (default: `nvidia/nemotron-3-super-120b-a12b:free`)
`claude`	`anthropic/claude-sonnet-4-6`
`claude-opus`	`anthropic/claude-opus-4-6`
`gpt`	`openai/gpt-5.4`
`gpt-codex`	`openai/gpt-5.3-codex`

BYOK behavior (takes precedence over tier routing)

If you set your own API key(s), routing priority is:

Claude key (sk-ant-...) -> claude-sonnet-4-6-20250514 via Anthropic
OpenAI key (sk-...) -> gpt-5.4 via OpenAI
OpenRouter key (sk-or-...) -> uses the same Preferred Model mapping table above

If multiple keys are present, the first match in that order is used.

Features

8,200+ detections across 6 formats — Sigma, Splunk ESCU, Elastic, KQL, Sublime, CrowdStrike CQL
MITRE ATT&CK STIX — 172 threat actors, 784 software, 4,362 actor-technique relationships
Procedure-level coverage — auto-extracted behavioral clusters from every detection rule
ATT&CK Navigator layers — export coverage/gap JSON, filterable by source/tactic/severity/actor
Autonomous pipeline — CTI ingestion → gap analysis → detection generation → Atomic testing → DRAFT PR (see Autonomous docs)
81 local tools / ~25 hosted tools — unified search, MITRE mapping, coverage analysis, knowledge graph, pattern learning, sprint planning
11 MCP Prompts — ransomware assessment, APT emulation, purple team, executive briefing, and more
MCP Resources & Completions — readable context, autocomplete for technique IDs, CVEs, process names

Quick Start

npx -y security-detections-mcp

Or clone and build: git clone https://github.com/MHaggis/Security-Detections-MCP.git && cd Security-Detections-MCP && npm install && npm run build

Configure env vars to point at your detection repos:

Variable	Description
`SIGMA_PATHS`	Sigma rule directories
`SPLUNK_PATHS`	Splunk ESCU detection directories
`ELASTIC_PATHS`	Elastic detection rule directories
`KQL_PATHS`	KQL hunting query directories
`SUBLIME_PATHS`	Sublime Security rule directories
`CQL_HUB_PATHS`	CQL Hub (CrowdStrike) query directories
`JAMF_PROTECT_PATHS`	Jamf Protect custom analytic detection directories (macOS)
`STORY_PATHS`	Splunk analytic story directories (optional)
`ATTACK_STIX_PATH`	Path to `enterprise-attack.json` for threat actor data (optional)

See the Setup Guide for full per-client config examples (Cursor, VS Code, Claude Desktop, WSL).

Getting Detection Content

Download all sources with sparse checkout (rules only, not full repos):

mkdir -p detections && cd detections
git clone --depth 1 --filter=blob:none --sparse https://github.com/SigmaHQ/sigma.git && cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/splunk/security_content.git && cd security_content && git sparse-checkout set detections stories && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git && cd detection-rules && git sparse-checkout set rules && cd ..
git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git && cd sublime-rules && git sparse-checkout set detection-rules && cd ..
git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub

MCP Tools

Core Detection Tools

Tool	Description
`search(query, limit)`	Full-text search across all detection fields
`get_by_id(id)`	Get a single detection by ID
`list_all(limit, offset)`	Paginated list of all detections
`list_by_source(source_type)`	Filter by source (`sigma`, `splunk_escu`, `elastic`, `kql`, `sublime`, `crowdstrike_cql`, `jamf_protect`)
`get_stats()`	Index statistics
`rebuild_index()`	Force re-index from configured paths

MITRE ATT&CK & Filtering

Tool	Description
`list_by_mitre(technique_id)`	Filter by technique ID (e.g., T1059.001)
`list_by_mitre_tactic(tactic)`	Filter by tactic (execution, persistence, etc.)
`list_by_cve(cve_id)`	Find detections for a CVE
`list_by_process_name(process_name)`	Find detections referencing a process
`list_by_severity(level)`	Filter by severity level
`list_by_data_source(data_source)`	Filter by data source

Coverage & Analysis (Token-Optimized)

Tool	Description
`analyze_coverage(source_type?)`	Coverage stats by tactic, top techniques, weak spots (~2KB)
`identify_gaps(threat_profile)`	Find gaps for ransomware, apt, persistence, etc. (~500B)
`suggest_detections(technique_id)`	Detection ideas for a technique (~2KB)
`get_coverage_summary(source_type?)`	Tactic percentages (~200B)
`analyze_actor_coverage(actor)`	Coverage against a specific threat actor
`compare_actor_coverage(actors)`	Compare coverage across multiple actors
`analyze_procedure_coverage(technique_id)`	Behavioral procedure breakdown
`generate_navigator_layer(...)`	Export ATT&CK Navigator JSON layers

Engineering, Knowledge Graph & More

81 tools total including pattern learning, template generation, knowledge graph, dynamic tables, and autonomous analysis. See the Tools Reference for the complete list.

MCP Prompts

11 pre-built expert workflows. Just ask by name:

Prompt	Description
`ransomware-readiness-assessment`	Full kill-chain analysis with risk scoring
`apt-threat-emulation`	Coverage against specific threat actors (APT29, Lazarus, etc.)
`purple-team-exercise`	Complete test plans with procedures and expected detections
`soc-investigation-assist`	Triage guidance, hunting queries, escalation criteria
`detection-engineering-sprint`	Prioritized backlog with user stories
`executive-security-briefing`	C-level report with business risk language
`cve-response-assessment`	Rapid assessment for emerging CVEs
`data-source-gap-analysis`	Telemetry requirements analysis
`detection-quality-review`	Deep-dive quality analysis for a technique
`threat-landscape-sync`	Align priorities with current threats
`detection-coverage-diff`	Compare coverage against actors or baseline

You: "Run apt-threat-emulation for APT29"
→ Technique-by-technique coverage, gaps, and purple team test plan

Using with MITRE ATT&CK MCP

Pairs with mitre-attack-mcp for complete threat coverage analysis. Install both:

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": { "SIGMA_PATHS": "/path/to/sigma/rules" }
    },
    "mitre-attack": {
      "command": "npx",
      "args": ["-y", "mitre-attack-mcp"],
      "env": { "ATTACK_DOMAIN": "enterprise-attack" }
    }
  }
}

Stats

Source	Count
Sigma Rules	~3,200+
Splunk ESCU	~2,000+
Elastic Rules	~1,500+
KQL Queries	~420+
Sublime Rules	~900+
CrowdStrike CQL	~139+
Total	~8,200+

Development

npm install && npm run build && npm test

Documentation

Setup Guide — Full install walkthrough for all platforms
Hosted MCP Guide — Hosted setup, token management, tool inventory
Autonomous Platform — CTI-to-detection pipeline
E2E Testing Guide — Per-SIEM setup (Splunk, Sentinel, Elastic, Sigma)
Architecture — System design decisions
Knowledge Graph — Tribal knowledge and analytical memory
Engineering Intelligence — Pattern learning and templates
Tools Reference — Complete reference for all 81 tools

License

Apache 2.0

This server cannot be installed

license - permissive license

quality - not tested

maintenance

How are these scores calculated?

Maintenance

–Maintainers

14hResponse time

2moRelease cycle

2Releases (12mo)

Commit activity

Resources

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/MHaggis/Security-Detections-MCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server