
CrowdStrike Falcon MCP

by CrowdStrike

Official CrowdStrike Falcon MCP server. Connect AI agents to CrowdStrike Falcon for automated security analysis and threat hunting. 148 stars and 8 commits on main in the last 30 days.

148 stars · 7 tools · Released OCT 2025 · MIT
pip install falcon-mcp

Official CrowdStrike Falcon MCP server. Connect AI agents to CrowdStrike Falcon for automated security analysis and threat hunting. 148 stars and 8 commits on main in the last 30 days. Pairs with Prowler, Auth0, Vault in the security category for incident response flows.

Reviewed by M. Nouriel · MAY 2026

INSTALL THIS SERVER

Requires authentication: CrowdStrike Falcon API client credentials (CLIENT_ID + CLIENT_SECRET) with scoped permissions.

{
  "mcpServers": {
    "crowdstrike-falcon": {
      "command": "python",
      "args": ["-m", "falcon_mcp"],
      "env": {
        "CROWDSTRIKE_CLIENT_ID": "<your-client-id>",
        "CROWDSTRIKE_CLIENT_SECRET": "<your-client-secret>"
      }
    }
  }
}

Prereq: Requires CrowdStrike Falcon API client credentials with scoped permissions. PyPI: `falcon-mcp`. Path: ~/Library/Application Support/Claude/claude_desktop_config.json (macOS).

7 TOOLS AVAILABLE

  • query_detections (Read): Query Falcon detections with filters (severity, status, time range)
  • get_detection (Read): Retrieve a specific detection
  • update_detection (Write): Update detection status (acknowledge, resolve)
  • query_hosts (Read): Query managed hosts
  • get_host_details (Read): Retrieve host details (OS, agent version, last seen)
  • query_incidents (Read): Query Falcon incidents

OUR ASSESSMENT

Strengths
  • Official CrowdStrike maintenance.
  • 148 GitHub stars and MIT licence.
  • 8 commits on main in the last 30 days.
  • Tool surface covers detections, hosts, incidents, and Real Time Response commands.
  • Threat hunting workflows benefit from agent-driven detection triage.
Weaknesses
  • 148 GitHub stars; community contribution surface is small.
  • CrowdStrike Falcon subscription required.
  • RTR commands carry significant blast radius; scope agent flows accordingly.
Security Notes

CrowdStrike Falcon API credentials grant access to detection data, host inventory, and RTR commands depending on the API client scope. Use a read-only API client for diagnostic agents; reserve write or RTR-capable clients for explicit incident-response workflows. RTR commands can execute shell on managed hosts; restrict RTR tools to dedicated incident-response agents only.

Best For

CrowdStrike Falcon customers running threat hunting and incident response flows who want agent-driven detection triage; SOC teams using MCP-enabled tools for security analysis; controlled incident-response automation with RTR for managed hosts.

TECHNICAL DETAILS

Language
python
Transport
stdio
Clients
Claude Desktop, Claude Code, Cursor, VS Code, Windsurf
License
MIT
GitHub
npm
falcon-mcp
Last Release
falcon-mcp (PyPI latest), MAY 3, 2026
First Released
OCT 1, 2025

ADOPTION METRICS

// GitHub Stars
148

// Reading this: 148 stars on the CrowdStrike/falcon-mcp repo. 8 commits on main in the last 30 days. Official CrowdStrike maintenance carries the editorial weight.

// Popularity Rank
#2
Globally · #9 in Security

// Reading this: EDR-focused security MCP. Pairs with Prowler (CSPM), Vault (secrets), Auth0 (identity), AWS IAM (cloud access), AWS CloudTrail (audit logs) for end-to-end security workflows.

SOURCES & VERIFICATION

We don't take any single directory's word for it. Before scoring, we cross-reference 4 public MCP sources, install the server ourselves against the clients we cover, and record when we last re-verified.

01 Discovered: Manual submission. First indexed MAY 3, 2026.
02 Cross-referenced: 4 directories (PulseMCP, MCP.so, Glama, Official MCP Registry).
03 Verified against: Claude Desktop, Cursor. Installed and tested across clients.
04 Last re-checked: MAY 3, 2026. Weekly re-verification.
// How other directories see it

The same server, 4 different lenses. We reconcile these signals into our editorial score, which is why our number sometimes diverges from a directory-aggregate star count.

Source                        | Their rating     | Their star count | Their downloads | Last synced
AutomationSwitch (this page)  | 4.4 (editorial)  | 148              |                 | MAY 3, 2026
PulseMCP                      | unrated          | unavailable      | unavailable     | MAY 3, 2026
MCP.so                        | unrated          | unavailable      | unavailable     | MAY 3, 2026
Glama                         | unrated          | unavailable      | unavailable     | MAY 3, 2026
Official MCP Registry         | unrated          | unavailable      | unavailable     | MAY 3, 2026

// Counts are directory-reported; we don't adjust them. Discrepancies usually come from different snapshot times or star-caching.

OTHER SECURITY MCP SERVERS

Vendor · 4.6

Prowler MCP

Prowler

Cloud Security Posture Management (CSPM) platform with 1000+ security checks across multiple cloud providers and 70+ compliance frameworks, exposed through MCP. Three deployment options: Prowler Cloud (recommended), local stdio, self-hosted HTTP. 13,717 stars, Apache-2.0.

8 tools · 13,717 stars
Vendor · 4.3

Auth0 MCP Server

Auth0

Official Auth0 MCP server connecting Claude, Cursor, Windsurf, VS Code, and Gemini to Auth0 Management APIs. Create apps, deploy Actions, debug logs, and query users with natural-language commands. Read-only mode and tool-glob filtering supported. Beta software per Auth0.

8 tools · 106 stars
Official · 4.2

HashiCorp Vault MCP

HashiCorp

Official HashiCorp MCP for Vault: secrets, mounts, KV, and PKI management with stdio and Streamable HTTP transports. 9 commits on main in the last 30 days. MPL-2.0 with HashiCorp official-vendor signal.

9 tools · 45 stars
Official · 4.1

AWS IAM MCP

AWS Labs

Official AWS Labs MCP for IAM administration: users, roles, groups, policies, inline policies, access keys, and policy simulation. Read-only mode supported via the --allow-write opt-in pattern. Apache-2.0 within the awslabs/mcp monorepo.

7 tools · 8,924 stars
Official · 4

AWS CloudTrail MCP

AWS Labs

Official AWS Labs MCP for CloudTrail: 90 days of management events via lookup_events and Trino-compatible SQL queries against CloudTrail Lake Event Data Stores. 3 commits on the server path in the last 30 days. Pairs with the IAM MCP for security audit workflows.

5 tools · 8,924 stars
Vendor · 4

Infisical MCP

Infisical

Official Infisical MCP server for secrets management. 10 tools cover the full secret lifecycle plus project, environment, folder, and member management. Two authentication methods (machine identity universal-auth and access-token), self-hostable instance support via INFISICAL_HOST_URL.

10 tools · 45 stars