abnormal-mcp
MCP server for Abnormal Security — AI-powered threat detection, case management, and email remediation.
Tools
This server uses a decision-tree architecture. Start by calling abnormal_navigate to select a domain, then use the domain-specific tools.
Navigation
Tool | Description |
| Navigate to a domain (threats, messages, remediation, abuse, cases) |
| Return to domain selection |
Threats domain
Tool | Description |
| List detected threat cases (paginated) |
| Get full details of a specific threat by ID |
Messages domain
Tool | Description |
| List messages within a threat case |
| Get detailed message analysis (headers, URLs, attachments, AI analysis) |
Remediation domain
Tool | Description |
| Trigger or check remediation actions for a message |
Abuse domain
Tool | Description |
| List phishing emails reported via the Abuse Mailbox |
Cases domain
Tool | Description |
| List active security investigation cases |
| Get details of a specific case |
Authentication
Abnormal Security uses Bearer token authentication.
Standalone (env mode)
export ABNORMAL_API_TOKEN=your-api-token
node dist/index.js
Generate your token in the Abnormal portal under Settings > Integrations > API.
Gateway mode
When deployed behind the MCP gateway, set AUTH_MODE=gateway. The gateway injects the Authorization: Bearer {token} header automatically on each request.
Running
stdio (for Claude Desktop)
npm install
npm run build
node dist/index.js
HTTP Streamable (for hosted/gateway deployment)
MCP_TRANSPORT=http AUTH_MODE=gateway node dist/index.js
Docker
docker compose up
Development
npm install
npm run dev # watch mode
npm test # run tests
npm run typecheck # TypeScript type check
License
Apache-2.0