by crowdstrike
Connects AI agents to CrowdStrike Falcon's security platform for programmatic access to threat data, detections, incidents, and security analysis capabilities.
CrowdStrike Falcon is an official MCP server published by crowdstrike that provides AI assistants with tools and capabilities via the Model Context Protocol. It is categorized under auth security.
You can install CrowdStrike Falcon in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
MIT
CrowdStrike Falcon is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
I recommend CrowdStrike Falcon for teams standardizing on MCP; the explainx.ai page compares cleanly with sibling servers.
CrowdStrike Falcon reduced integration guesswork — categories and install configs on the listing matched the upstream repo.
CrowdStrike Falcon has been reliable for tool-calling workflows; the MCP profile page is a good permalink for internal docs.
Strong directory entry: CrowdStrike Falcon surfaces stars and publisher context so we could sanity-check maintenance before adopting.
CrowdStrike Falcon is among the better-indexed MCP projects we tried; the explainx.ai summary tracks the official description.
We evaluated CrowdStrike Falcon against two servers with overlapping tools; this profile had the clearer scope statement.
We wired CrowdStrike Falcon into a staging workspace; the listing’s GitHub and npm pointers saved time versus hunting across READMEs.
falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, incidents, and behaviors—establishing the foundation for advanced security operations and automation.
> [!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.
Before using the Falcon MCP Server, you need to create API credentials in your CrowdStrike console:
Important: Ensure your API client has the necessary scopes for the modules you plan to use. You can always update scopes later in the CrowdStrike console.
The Falcon MCP Server supports different modules, each requiring specific API scopes:
| Module | Required API Scopes | Purpose |
|---|---|---|
| Cloud Security | Falcon Container Image:read | Find and analyze Kubernetes container inventory and container image vulnerabilities |
| Core | No additional scopes | Basic connectivity and system information |
| Detections | Alerts:read | Find and analyze detections to understand malicious activity |
| Discover | Assets:read | Search and analyze application inventory across your environment |
| Hosts | Hosts:read | Manage and query host/device information |
| Identity Protection | Identity Protection Entities:read<br>Identity Protection Timeline:read<br>Identity Protection Detections:read<br>Identity Protection Assessment:read<br>Identity Protection GraphQL:write | Comprehensive entity investigation and identity protection analysis |
| Incidents | Incidents:read | Analyze security incidents and coordinated activities |
| NGSIEM | NGSIEM:read<br>NGSIEM:write | Execute CQL queries against Next-Gen SIEM |
| Intel | Actors (Falcon Intelligence):read<br>Indicators (Falcon Intelligence):read<br>Reports (Falcon Intelligence):read | Research threat actors, IOCs, and intelligence reports |
| IOC | IOC Management:read<br>IOC Management:write | Search, create, and remove custom IOCs using IOC Service Collection endpoints |
| Scheduled Reports | Scheduled Reports:read | Get details about scheduled reports and searches, run reports on demand, and download report files |
| Sensor Usage | Sensor Usage:read | Access and analyze sensor usage data |
| Serverless | Falcon Container Image:read | Search for vulnerabilities in serverless functions across cloud service providers |
| Spotlight | Vulnerabilities:read | Manage and analyze vulnerability data and security assessments |
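The table above is the least-privilege contract for the API client: grant only the scopes of the modules you actually enable. The following is an added example (not part of falcon-mcp) that encodes the table and compares the scopes an API client has been granted with what a given `--modules` value needs, so over- and under-privileged clients are caught before the server is started. The short module identifiers used as keys are an assumption about how `--modules` names them; confirm them with `falcon_list_modules`.

```python
"""Least-privilege scope planning for a falcon-mcp API client.

Added example, not part of falcon-mcp. MODULE_SCOPES is transcribed from the
module table in the README; the short module keys (assumed to be the values
accepted by --modules) are an assumption and should be checked against the
output of falcon_list_modules.
"""

MODULE_SCOPES = {
    "cloud": {"Falcon Container Image:read"},
    "core": set(),  # no additional scopes beyond basic API access
    "detections": {"Alerts:read"},
    "discover": {"Assets:read"},
    "hosts": {"Hosts:read"},
    "idp": {
        "Identity Protection Entities:read",
        "Identity Protection Timeline:read",
        "Identity Protection Detections:read",
        "Identity Protection Assessment:read",
        "Identity Protection GraphQL:write",
    },
    "incidents": {"Incidents:read"},
    "ngsiem": {"NGSIEM:read", "NGSIEM:write"},
    "intel": {
        "Actors (Falcon Intelligence):read",
        "Indicators (Falcon Intelligence):read",
        "Reports (Falcon Intelligence):read",
    },
    "ioc": {"IOC Management:read", "IOC Management:write"},
    "scheduled_reports": {"Scheduled Reports:read"},
    "sensor_usage": {"Sensor Usage:read"},
    "serverless": {"Falcon Container Image:read"},
    "spotlight": {"Vulnerabilities:read"},
}


def parse_modules_flag(value: str) -> list:
    """Turn a --modules value into a module list; empty means every module, as the README states."""
    names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return names or sorted(MODULE_SCOPES)


def plan_scopes(modules_flag: str) -> dict:
    """Union of scopes the enabled modules need, with write scopes called out separately."""
    required, write, unknown = set(), set(), []
    for name in parse_modules_flag(modules_flag):
        scopes = MODULE_SCOPES.get(name)
        if scopes is None:
            unknown.append(name)  # typo or module this table does not know
            continue
        required |= scopes
        # Write scopes let the agent change tenant state (IOCs, NGSIEM, IdP GraphQL);
        # surface them so the reviewer sees exactly which ones are being granted.
        write |= {s for s in scopes if s.endswith(":write")}
    return {"required": sorted(required), "write": sorted(write), "unknown": unknown}


def audit_client(granted: set, modules_flag: str) -> tuple:
    """Return (missing, excess): scopes the client lacks, and scopes it holds but no enabled module uses."""
    needed = set(plan_scopes(modules_flag)["required"])
    return sorted(needed - granted), sorted(granted - needed)


if __name__ == "__main__":
    # Constructed sample: an API client created for detections + incidents work that was
    # also handed Hosts:read it never needs.
    granted = {"Alerts:read", "Incidents:read", "Hosts:read"}
    plan = plan_scopes("detections,incidents")
    missing, excess = audit_client(granted, "detections,incidents")
    print("required:", plan["required"])
    print("write scopes:", plan["write"] or "none")
    print("missing:", missing or "none", "| excess:", excess or "none")
```

Run the audit against the scope list shown in the CrowdStrike console for the API client; anything reported as excess is a scope to remove, and anything in `write` deserves a second look before an autonomous agent gets it.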
> [!IMPORTANT] ⚠️ Important Note on FQL Guide Resources: Several modules include FQL (Falcon Query Language) guide resources that provide comprehensive query documentation and examples. While these resources are designed to assist AI assistants and users with query construction, FQL has nuanced syntax requirements and field-specific behaviors that may not be immediately apparent. AI-generated FQL filters should be tested and validated before use in production environments. We recommend starting with simple queries and gradually building complexity while verifying results in a test environment first.
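One cheap way to act on the advice above is a pre-flight lint of any AI-generated filter before it reaches a search tool. The following is an added example, not part of falcon-mcp: it models FQL's surface syntax as I understand it (terms of the form `field:'value'`, `+` for AND, `,` for OR, optional comparison operators such as `:!`, `:>`, `:<`, `:~`, parenthesised groups and `[...]` lists), and checks quote and bracket balance, term shape, and that every field is on a caller-supplied allowlist. Both the grammar model and the sample field names (`status`, `max_severity_displayname`, `max_severity`) are assumptions; the real field names come from the module's fql-guide resource.

```python
"""Pre-flight checks for Falcon Query Language (FQL) filter strings.

Added example, not part of falcon-mcp. The grammar below is a simplified
model of FQL's surface syntax (terms joined by '+' for AND and ',' for OR,
values in single quotes or square-bracket lists, comparison operators such
as :!, :>, :>=, :<, :<=, :~) and is an assumption; the field allowlist a
caller passes in should be built from the module's fql-guide resource.
"""
import re
from dataclasses import dataclass, field

# field:'value'  /  field:!'value'  /  field:>'2024-01-01'  /  field:[...]
TERM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*):(!~|!|>=|<=|>|<|~|\*)?(.+)$", re.DOTALL)


@dataclass
class LintResult:
    ok: bool
    problems: list = field(default_factory=list)


def _split_top_level(expr: str, seps: str) -> list:
    """Split on the separators, ignoring any that sit inside quotes, brackets or parens."""
    parts, depth, quoted, buf = [], 0, False, []
    for ch in expr:
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "([":
            depth += 1
        elif not quoted and ch in ")]":
            depth -= 1
        if ch in seps and not quoted and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def lint_fql(expr: str, allowed_fields: set) -> LintResult:
    """Return ok=True only if the filter is well-formed and uses only allowlisted fields."""
    result = LintResult(ok=True)
    if expr.count("'") % 2:
        result.problems.append("unbalanced single quotes")
    for open_c, close_c in ("()", "[]"):
        if expr.count(open_c) != expr.count(close_c):
            result.problems.append(f"unbalanced {open_c}{close_c}")
    if result.problems:  # structure is broken; term-level findings would only be noise
        result.ok = False
        return result

    for clause in _split_top_level(expr, "+"):
        for term in _split_top_level(clause, ","):
            term = term.strip()
            if term.startswith("(") and term.endswith(")"):
                # Parenthesised group: lint the inner expression recursively.
                result.problems.extend(lint_fql(term[1:-1], allowed_fields).problems)
                continue
            m = TERM_RE.match(term)
            if not m:
                result.problems.append(f"malformed term: {term!r}")
                continue
            name, _op, value = m.groups()
            if name not in allowed_fields:
                result.problems.append(f"unknown field: {name!r}")
            # Values should be quoted, a bracket list, or a bare token (number, bool, wildcard).
            if not (value.startswith("'") or value.startswith("[") or re.fullmatch(r"[\w.*-]+", value)):
                result.problems.append(f"suspicious value in term {term!r}")
    result.ok = not result.problems
    return result


if __name__ == "__main__":
    # Constructed sample allowlist; the real list comes from the fql-guide resource.
    fields = {"status", "max_severity_displayname", "max_severity"}
    for candidate in (
        "status:'new'+max_severity_displayname:'High'",
        "(status:'new',status:'in_progress')+max_severity:>50",
        "stauts:'new",  # typo in the field name and an unterminated quote
    ):
        r = lint_fql(candidate, fields)
        print("OK  " if r.ok else "FAIL", candidate, r.problems)
```

A filter that fails the lint is sent back to the assistant for correction rather than to the API; a filter that passes has only cleared a syntax and field-name check, so it still needs the test-environment validation the note above recommends.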
About Tools & Resources: This server provides both tools (actions you can perform) and resources (documentation and context). Tools execute operations like searching for detections or analyzing threats, while resources provide comprehensive documentation like FQL query guides that AI assistants can reference for context without requiring tool calls.
### Cloud Security Module

API Scopes Required: Falcon Container Image:read

Provides tools for accessing and analyzing CrowdStrike Cloud Security resources:

- `falcon_search_kubernetes_containers`: Search for containers from CrowdStrike Kubernetes & Containers inventory
- `falcon_count_kubernetes_containers`: Count containers by filter criteria from CrowdStrike Kubernetes & Containers inventory
- `falcon_search_images_vulnerabilities`: Search for image vulnerabilities from CrowdStrike Image Assessments

Resources:

- `falcon://cloud/kubernetes-containers/fql-guide`: Comprehensive FQL documentation and examples for Kubernetes container searches
- `falcon://cloud/images-vulnerabilities/fql-guide`: Comprehensive FQL documentation and examples for image vulnerability searches

Use Cases: Manage Kubernetes container inventory, analyze container image vulnerabilities

### Core Module

API Scopes: None required beyond basic API access

The server provides core tools for interacting with the Falcon API:

- `falcon_check_connectivity`: Check connectivity to the Falcon API
- `falcon_list_enabled_modules`: Lists enabled modules in the falcon-mcp server. These modules are determined by the `--modules` flag when starting the server; if no modules are specified, all available modules are enabled.
- `falcon_list_modules`: Lists all available modules in the falcon-mcp server

### Detections Module

API Scopes Required: Alerts:read

Provides tools for accessing and analyzing CrowdStrike Falcon detections:

- `falcon_search_detections`: Find and analyze detections to understand malicious activity in your environment
- `falcon_get_detection_details`: Get comprehensive detection details for specific detection IDs to understand security threats

Resources:

- `falcon://detections/search/fql-guide`: Comprehensive FQL documentation and examples for detection searches

Use Cases: Threat hunting, security analysis, incident response, malware investigation

### Discover Module

API Scopes Required: Assets:read

Provides tools for accessing and managing CrowdStrike Falcon Discover applications and unmanaged assets:

- `falcon_search_applications`: Search for applications in your CrowdStrike environment
- `falcon_search_unmanaged_assets`: Search for unmanaged assets (systems without Falcon sensor installed) that have been discovered by managed systems

Resources:

- `falcon://discover/applications/fql-guide`: Comprehensive FQL do
Architecture: Model Context Protocol standardizes how AI hosts (Claude, Cursor) communicate with external tools and data sources through server implementations.
Use when: you need Claude to access external data, execute actions, or integrate with tools. Best for extending AI capabilities beyond conversation.
Avoid when: native integrations exist (use official APIs directly), for real-time critical systems, or when security/compliance requires zero external dependencies.