Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "falcon-mcp": {
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ],
      "command": "uvx"
    }
  }
}
```
falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, incidents, and behaviors—establishing the foundation for advanced security operations and automation.
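Run this in your terminal to verify the server starts. The `&&` tests the exit status of `head`, not of `uvx`, so the success message is printed even when the server fails to start; read the first line of output to confirm.

```sh
uvx 'falcon-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
```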
No known CVEs.
Checked falcon-mcp against OSV.dev.
Others in security
AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.
Model Context Protocol for WinDBG
Signed receipts for agent, API, and MCP interactions. Portable and offline-verifiable.

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.
> [!IMPORTANT]
> 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.
Full docs are available at developer.crowdstrike.com/falcon-mcp.
| Module | Description |
|---|---|
| Core | Basic connectivity and system information |
| Case Management | Case lifecycle management, evidence attachment, tagging, and templates |
| Cloud Security | Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, and suppression rules |
| Correlation Rules | Search, create, update, and manage NG-SIEM correlation rules |
| Custom IOA | Create and manage Custom IOA behavioral detection rules and rule groups |
| Data Protection | Search Data Protection classifications, policies, and content patterns |
| Detections | Find and analyze detections to understand malicious activity |
| Discover | Search application inventory and discover unmanaged assets |
| Exclusions | Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions |
| Firewall Management | Search and manage firewall rules and rule groups |
| Host Groups | Search, create, update, and delete host groups; manage group membership |
| Hosts | Manage and query host/device information |
| Identity Protection | Entity investigation and identity pr |