Is Wazuh MCP Server safe to use?

Wazuh MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Wazuh MCP Server?

Wazuh MCP Server can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with Wazuh MCP Server?

Wazuh MCP Server is compatible with claude-desktop, cursor, claude-code. It uses sse and http transport.

Is Wazuh MCP Server actively maintained?

Wazuh MCP Server is recently maintained — last commit was 50 days ago. It has 175 GitHub stars.

Wazuh MCP Server

Name: Wazuh MCP Server
Author: gensecaihq

by gensecaihq

AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational SOC workflows.

175 0 tools GitHub

No known CVEs

MIT license

Maintained

Last commit 50d ago

Works with most clients

Transport: sse, http

0 tools

Grade F

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopsse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "wazuh-mcp-server": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/wazuh-mcp-server)](https://mcppedia.org/s/wazuh-mcp-server)

Read me

What Wazuh MCP Server does

Talk to your SIEM. Query alerts, hunt threats, check vulnerabilities, and trigger active responses across your entire Wazuh deployment — through natural conversation with any AI assistant.

Test This Server

This server supports HTTP transport. Be the first to test it — help the community know if it works.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

38/100across 5 weighted dimensions

How we score →

0255075100

−62

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Wazuh MCP Server safe to use?: Wazuh MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Wazuh MCP Server?: Wazuh MCP Server can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Wazuh MCP Server?: Wazuh MCP Server is compatible with claude-desktop, cursor, claude-code. It uses sse and http transport.
Is Wazuh MCP Server actively maintained?: Wazuh MCP Server is recently maintained — last commit was 50 days ago. It has 175 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

8.7k 3

io.github.peacprotocol/peac90

Signed receipts for agent, API, and MCP interactions. Portable and offline-verifiable.

11 5

Iam Policy Autopilot90

IAM Policy Autopilot is an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. This tool is available as a command-line utility and MCP server for use within AI coding assistants for quickly building IAM policies.

361 1

MCP Security Weekly

Get CVE alerts and security updates for Wazuh MCP Server and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopsse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "wazuh-mcp-server": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/wazuh-mcp-server)](https://mcppedia.org/s/wazuh-mcp-server)

Read me

What Wazuh MCP Server does

Talk to your SIEM. Query alerts, hunt threats, check vulnerabilities, and trigger active responses across your entire Wazuh deployment — through natural conversation with any AI assistant.

Test This Server

This server supports HTTP transport. Be the first to test it — help the community know if it works.

README

Wazuh MCP Server

Talk to your SIEM. Query alerts, hunt threats, check vulnerabilities, and trigger active responses across your entire Wazuh deployment — through natural conversation with any AI assistant.

v4.2.1 | 48 security tools | Wazuh 4.8.0–4.14.4 | Changelog

What This Does

Your Wazuh SIEM generates thousands of alerts, vulnerability findings, and agent events daily. Investigating them means juggling dashboards, writing API queries, and manually correlating data across tools.

This MCP server turns that workflow into a conversation:

You:    "Show me critical alerts from the last hour"
AI:     [calls get_wazuh_alerts] Found 3 critical alerts:
        1. SSH brute force from 10.0.1.45 → agent-003 (Rule 5712, Level 10)
        2. Rootkit detection on agent-007 (Rule 510, Level 12)
        3. FIM change /etc/shadow on agent-001 (Rule 550, Level 10)

You:    "Block that source IP on agent-003"
AI:     [calls wazuh_block_ip] Blocked 10.0.1.45 via firewall-drop on agent-003.

You:    "Which agents have unpatched critical CVEs?"
AI:     [calls get_critical_vulnerabilities] 3 agents with critical vulnerabilities...

It works with Claude Desktop, Open WebUI + Ollama (fully local, air-gapped), mcphost, or any MCP-compliant client.

Works With Cloud AND Local LLMs

This is a standard MCP tool server. It doesn't care what LLM you use — it just executes tools and returns results.

Mode	LLM	Client	Data leaves your network?
Cloud	Claude, GPT, etc.	Claude Desktop, any MCP client	Yes (to LLM provider)
Local	Llama, Qwen, Mistral via Ollama	Open WebUI, mcphost, IBM/mcp-cli	No. Fully air-gappable.

For security teams that can't send SIEM data to cloud APIs (compliance, air-gapped networks, data sovereignty), the local mode with Ollama keeps everything on-premises. Both modes coexist — same server, same tools, same API.

Quick Start: Local LLM with mcphost

# 1. Start the MCP server
docker compose up -d

# 2. Install mcphost (Go binary, no dependencies)
go install github.com/mark3labs/mcphost@latest

# 3. Configure
cat > ~/.mcphost.yml << 'EOF'
mcpServers:
  wazuh:
    type: remote
    url: http://localhost:3000/mcp
    headers: ["Authorization: Bearer ${env://MCP_API_KEY}"]
EOF

# 4. Chat with your SIEM using a local model
export MCP_API_KEY="your-key-from-server-logs"
mcphost --model ollama/qwen2.5:7b

Quick Start: Multi-User SOC with Open WebUI

Open WebUI v0.6.31+ connects to our /mcp endpoint natively. Add it as an MCP tool server in Admin Settings, and your entire team gets AI-powered SIEM analysis with conversation history, RBAC, and a web UI.

48 Security Tools

Every tool is validated, rate-limited, scope-checked, and audit-logged.

Category	Tools	What They Do
Alerts (4)	`get_wazuh_alerts` `get_wazuh_alert_summary` `analyze_alert_patterns` `search_security_events`	Query, filter, search, and analyze alert data via Elasticsearch
Agents (6)	`get_wazuh_agents` `get_wazuh_running_agents` `check_agent_health` `get_agent_processes` `get_agent_ports` `get_agent_configuration`	Monitor agent status, running processes, open ports, and configs
Vulnerabilities (3)	`get_wazuh_vulnerabilities` `get_critical_vulnerabilities` `vulnerability_summary`	Query CVEs by severity, agent, and package
Security Analysis (6)	`analyze_security_threat` `chec

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

38/100across 5 weighted dimensions

How we score →

0255075100

−62

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Wazuh MCP Server safe to use?: Wazuh MCP Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Wazuh MCP Server?: Wazuh MCP Server can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Wazuh MCP Server?: Wazuh MCP Server is compatible with claude-desktop, cursor, claude-code. It uses sse and http transport.
Is Wazuh MCP Server actively maintained?: Wazuh MCP Server is recently maintained — last commit was 50 days ago. It has 175 GitHub stars.