cisco-secure-access-mcp
This server provides an MCP interface to the Cisco Secure Access REST API, enabling AI clients to manage security infrastructure, policies, and deployments across five categories: Admin, Deployments, Policies, Investigate, and Reports.
Administration
API Keys: List, get, create, refresh (rotate), and delete Secure Access API keys
Alert Rules: List, get, create, and delete alert rules
Tenants: List tenants for multi-org/MSSP environments
Deployments
Network Tunnel Groups: List, get, create, and delete; list available regions
Sites: List, get, create, and delete organizational sites
Networks: List, get, create (by CIDR), and delete networks
Roaming Computers: List (with filters), get, and delete endpoint devices
Policies
Destination Lists: List, get, create, and delete allow/block lists (domains, URLs, IPs, CIDRs, apps)
Destinations: List entries, add, and remove destinations within a list
Access Rules: List, get, create, update, and delete access rules
Application Lists: List, get, create, and delete application lists
Authentication is handled via OAuth 2.0 client credentials with automatic token refresh, and multi-organization support is available via SECURE_ACCESS_ORG_ID.
Provides tools for interacting with Cisco Secure Access REST API, enabling management of admin resources, deployments, investigations, policies, and reports in a Cisco Secure Access environment.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@cisco-secure-access-mcp show recent security alerts"
That's it! The server will respond to your query, and you can continue using it as needed.
cisco-secure-access-mcp
A community Model Context Protocol (MCP) server for Cisco Secure Access.
It exposes the Secure Access REST API to MCP-compatible AI clients (Cursor, Claude Desktop, VS Code GitHub Copilot, etc.) as a curated catalog of tools grouped by Cisco's own resource categories: Admin, Deployments, Investigate, Policies, and Reports.
Status: v1.1 + composites batches 1 & 2 — 5 categories / 44 modules / 185 tools. See install.md for the build journal and per-phase progress.
Why a community DevNet server
This repo is structured to be hosted as a Cisco DevNet community MCP server, following
the CiscoDevNet/devnet-template
layout. The standard template files (AGENTS.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md,
LICENSE, README.md, SECURITY.md) are present and conform to that template.
In addition, install.md is a working journal that captures every step
taken to build the server, troubleshooting notes, and any tools we add as enhancements.
It is intentionally kept in-tree so future contributors can see the reasoning trail.
Quick start
# 1. Clone and install (using uv)
git clone https://github.com/sdntechforum/Secure_Access.git
cd Secure_Access
uv sync
# 2. Provide your Cisco Secure Access API credentials via environment variables
# (Admin > API Keys in the Secure Access dashboard)
export SECURE_ACCESS_API_KEY=...
export SECURE_ACCESS_API_SECRET=...
# 3. Run the server (stdio transport, default)
uv run cisco-secure-access-mcp
For client configuration (Cursor / Claude Desktop / VS Code), Docker usage, the full list of tools, and the list of supported environment variables, see AGENTS.md.
Authentication at a glance
OAuth 2.0 Client Credentials Flow against POST https://api.sse.cisco.com/auth/v2/token.
Bearer token cached in memory and refreshed shortly before its 1-hour expiry.
Credentials read from environment variables only — never from CLI flags or committed files.
Multi-org / MSSP supported via SECURE_ACCESS_ORG_ID (sent as X-Umbrella-OrgId).
A separate, optional Key Admin credential pair gates the small set of tools that manage other API keys.
See Cisco Secure Access — API Authentication for how to mint API keys.
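The caching behaviour listed above, as an added example that is not the project's auth.py: an in-memory token cache that reads credentials from an environment mapping, fails closed when they are missing, and refreshes inside a window before expiry. `TokenCache`, `REFRESH_SKEW_S`, and the injected `fetch` callable are hypothetical names; the 60-second window and sending the org header on the token request are assumptions.

```python
import time

TOKEN_URL = "https://api.sse.cisco.com/auth/v2/token"  # endpoint named on the page
REFRESH_SKEW_S = 60  # assumption: "shortly before expiry" taken as 60 seconds


class TokenCache:
    """In-memory bearer-token cache for the OAuth 2.0 client-credentials flow."""

    def __init__(self, fetch, env, clock=time.monotonic):
        # Credentials come from the environment mapping only; fail closed if absent.
        key, secret = env.get("SECURE_ACCESS_API_KEY"), env.get("SECURE_ACCESS_API_SECRET")
        if not key or not secret:
            raise RuntimeError("SECURE_ACCESS_API_KEY and SECURE_ACCESS_API_SECRET must be set")
        self._creds = (key, secret)
        org_id = env.get("SECURE_ACCESS_ORG_ID")
        # Assumption: the org header is attached to the token request.
        self._org_headers = {"X-Umbrella-OrgId": org_id} if org_id else {}
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Return the cached token, fetching a new one inside the refresh window."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_SKEW_S:
            body = self._fetch(TOKEN_URL, self._creds, dict(self._org_headers))
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return "<TokenCache creds=[REDACTED] token=[REDACTED]>"


def demo():
    """Drive the cache with a constructed fake endpoint and a fake clock."""
    now, calls = [0.0], []

    def fake_fetch(url, creds, headers):  # stands in for the HTTPS POST
        calls.append(url)
        return {"access_token": f"tok-{len(calls)}", "expires_in": 3600}

    env = {"SECURE_ACCESS_API_KEY": "k", "SECURE_ACCESS_API_SECRET": "s"}  # constructed
    cache = TokenCache(fake_fetch, env, clock=lambda: now[0])
    seen = []
    for t in (0.0, 1800.0, 3539.0, 3540.0):
        now[0] = t
        seen.append(cache.token())
    return seen, len(calls)
```

Injecting the clock and the fetch function lets the expiry boundary be unit-tested offline, which is where off-by-one refresh bugs tend to hide.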
Tool catalog
The full catalog of every MCP tool exposed by this server — grouped by Cisco's category taxonomy (Admin / Deployments / Investigate / Policies / Reports), with API path, signature, one-line description, and live verification status for each module — lives in TOOLS.md.
At a glance: 185 tools across 5 categories / 44 modules. 0 prompts, 0 resources — this is a tools-only MCP server.
To regenerate the catalog directly from the registered code (no hand-maintained list to drift):
python scripts/dump_catalog.py # human-readable text
python scripts/dump_catalog.py --json # machine-readable JSON
To re-run the live verification (requires a Cisco Secure Access API key secret):
pytest -m integration tests/integration/test_list_coverage.py -v
Status note for community evaluators: as of 2026-05-04 a coverage sweep against a real Secure Access tenant found that ~32 of 47 reachable list endpoints return 404 no Route matched, indicating the v1.1 API_BASE paths in many tool modules don't match the live Cisco surface. The auth + client + retry layers are bulletproof (every 2xx exercised them end-to-end), and Admin/Deployments/Investigate/Policies/Reports each have at least one verified working module. See install.md Phase 9 (2026-05-04 follow-up) and TOOLS.md for which modules are verified vs. need a path fix. Contributions welcome.
Repo layout
.
├── AGENTS.md # Install + tool catalog + env vars (read this first if you're an AI agent)
├── CODE_OF_CONDUCT.md # Cisco DevNet template (unchanged)
├── CONTRIBUTING.md # Cisco DevNet template (project name filled in)
├── LICENSE # Apache-2.0 (Cisco DevNet template)
├── README.md # this file
├── SECURITY.md # Cisco DevNet template (project name filled in)
├── TOOLS.md # Full tool catalog (185 tools, per-module verification status)
├── install.md # Build journal — phases, troubleshooting, enhancements
├── pyproject.toml # Package metadata + entry point
├── Dockerfile # Optional secondary distribution
├── .env.example # Documented env vars; NEVER real secrets
├── scripts/
│ └── dump_catalog.py # Generates TOOLS.md content from the live registry
├── src/cisco_secure_access_mcp/
│ ├── server.py # FastMCP entrypoint (stdio default)
│ ├── auth.py # OAuth2 client-credentials + token cache
│ ├── client.py # httpx-based REST client (TLS-only, retry-aware)
│ ├── config.py # Env-var loading + validation
│ ├── errors.py # SDK / HTTP errors → MCP errors
│ ├── logging.py # Structured JSON logs with secret redaction
│ ├── registry.py # Discovers and registers tools from each category
│ └── tools/
│     ├── admin/ # admin_* — Admin Resources
│     ├── deployments/ # deploy_* — Deployments Resources
│     ├── investigate/ # investigate_* — Investigate Resources (v1.1)
│     ├── policies/ # policy_* — Policies Resources
│     └── reports/ # report_* — Reports Resources (v1.1)
└── tests/
    ├── unit/ # Offline; mock HTTP and clock
    └── integration/ # Opt-in; requires real DevNet sandbox credentials
Running the tests
# Unit tests only — fast, fully offline (default)
uv run pytest
# Live smoke tests against a real Secure Access tenant — opt-in only
export SECURE_ACCESS_API_KEY=...
export SECURE_ACCESS_API_SECRET=...
# optional: SECURE_ACCESS_ORG_ID, SECURE_ACCESS_BASE_URL
uv run pytest -m integration tests/integration
The smoke tests are read-only by design: they exercise list/get endpoints across each category (and one Investigate domain-categorization call against cisco.com) and never mutate the org. Override the test domain with SECURE_ACCESS_INTEGRATION_TEST_DOMAIN=example.com if needed.
Security
This repo follows the security rules in .cursor (parameterization, no hardcoded
credentials, structured logging with redaction, TLS 1.2+ enforcement, distroless-style
container hardening, etc.). To report a vulnerability, see SECURITY.md.
License
Apache License 2.0 — see LICENSE.