← Projects

Security MCP Server Suite: 7 Open Source AI Integrations for SOC Platforms

Status: Complete Origin: Security Operations Since: 2026.03
TypeScriptMCP SDKZodNode.jsVitesttsupnpm

Overview

Seven open source MCP (Model Context Protocol) servers that connect AI agents directly to security operations platforms. 221 tools total, all tested against live instances, all available on npm. One npx command to install any of them.

MCP is Anthropic's open protocol for giving AI agents structured access to external tools. These servers implement it for the security stack: SIEM, incident response, threat intelligence, network IDS, and the MITRE ATT&CK knowledge base. The result is AI agents that can execute full incident response workflows across platforms without custom integrations for each model.

Open Source — 7 Repositories

All servers are MIT licensed and available on npm

View All Repos npm Packages

The 7 Servers

221 tools across 7 security platforms. Each server installs with a single npx command.

thehive-mcp
TheHive 5 35 tools

Full case management, alert triage, task tracking, observable handling, and Cortex analyzer integration for TheHive 5 incident response platform

Case CRUD with custom fieldsAlert management and promotionObservable creation and bulk operationsTask assignment and trackingComment threads on casesSharing and access control
npx thehive-mcp
GitHub
cortex-mcp
Cortex 31 tools

Observable analysis and response automation through Cortex analyzers and responders. Run VirusTotal, MISP, AbuseIPDB lookups and active response actions via AI

Run analyzers on observablesExecute response actionsView analysis reports and taxonomiesManage analyzer/responder configsJob tracking and historyOrganization management
npx thehive-cortex-mcp
GitHub
misp-mcp
MISP 36 tools

Threat intelligence platform integration for IOC lookups, event management, attribute correlation, galaxy/cluster exploration, and feed management

IOC search and correlationEvent creation and managementAttribute and object handlingGalaxy and cluster browsingTag managementFeed and sharing group config
npx misp-mcp
GitHub
mitre-mcp
MITRE ATT&CK 20 tools

MITRE ATT&CK knowledge base access for technique lookups, tactic browsing, threat group profiling, software identification, and detection coverage analysis

Technique and sub-technique lookupTactic enumerationThreat group profilesSoftware/malware identificationMitigation recommendationsDetection coverage mapping
npx mitre-mcp
GitHub
wazuh-mcp
Wazuh 25 tools

SIEM/XDR integration for alert queries, agent monitoring, rule management, vulnerability data, and indexed event search across the Wazuh platform

Alert queries by severity and timeframeAgent health monitoringRule information retrievalVulnerability assessment dataSCA policy complianceIndexed event search via OpenSearch
npx wazuh-mcp
GitHub
suricata-mcp
Suricata IDS/IPS 35 tools

Network IDS/IPS log analysis and rule management for Suricata EVE JSON logs. Query alerts, analyze flows, inspect DNS/HTTP/TLS metadata, and manage detection rules

EVE JSON alert parsingFlow analysis and statisticsDNS query inspectionHTTP transaction analysisTLS certificate metadataRule management and testing
npx suricata-mcp
GitHub
zeek-mcp
Zeek 39 tools

Network analysis framework integration for querying Zeek logs across conn, dns, http, ssl, files, and more. Behavioral analysis and connection forensics via AI

Connection log queriesDNS resolution analysisHTTP session inspectionSSL/TLS certificate analysisFile extraction metadataNotice and weird log analysis
npx zeek-mcp
GitHub

How They Work Together

The real value is chaining servers together. Here is a full incident response workflow executed by an AI agent in a single conversation:

1
Wazuh Alert triggers

Wazuh detects suspicious network activity and fires an alert with source IP, rule ID, and severity

2
Suricata IDS correlation

Agent queries Suricata EVE logs for the source IP to check matching IDS signatures and flow data

3
Zeek Network forensics

Agent pulls Zeek conn, dns, and http logs for the IP to build a behavioral profile of the connection

4
MISP Threat intel lookup

Agent searches MISP for IOC matches on the IP, domain, and any file hashes from the alert

5
MITRE ATT&CK Technique mapping

Agent maps the observed behavior to ATT&CK techniques and identifies the likely attack stage

6
TheHive Case creation

Agent creates a TheHive case with all findings attached as observables, tags techniques, assigns severity

7
Cortex Automated analysis

Agent triggers Cortex analyzers on case observables for enrichment (VirusTotal, AbuseIPDB, WHOIS)

Tech Stack

Every server follows the same architecture. Consistent patterns across the entire suite.

TypeScript 5.7
Language

Strict mode throughout. Every tool input validated with Zod schemas. Every API response typed. Zero any types.

MCP SDK
Protocol Layer

Anthropic's Model Context Protocol SDK handles server lifecycle, tool registration, and transport (stdio/SSE). One protocol, any AI model.

Zod
Input Validation

Runtime schema validation on every tool call. Catches malformed inputs before they hit the API. Generates type-safe parameter definitions automatically.

Native fetch
HTTP Client

No heavy HTTP libraries. Native fetch with timeout management, HTTP status code mapping to descriptive errors, and auth failure detection.

tsup
Build Tool

Ships each server as a single ESM bundle (30-60KB packaged). Tree-shaking removes unused code. Fast builds for rapid iteration.

Vitest
Testing

Integration tests against live platform instances. Not mocks. Real API calls, real data validation, real failure mode coverage.

Technical Highlights

Architecture Unified Server Pattern
Problem: Each security platform has different APIs, authentication methods, and data models. Building one-off integrations creates maintenance nightmares.
Solution: Every server follows the same architecture: typed client class wrapping the platform API, Zod-validated tool definitions, resource endpoints for discovery, and prompt templates for common workflows. Adding a new tool takes minutes because the patterns are established.
Result: Consistent developer experience across all 7 servers. Same config pattern, same error handling, same testing approach.
Workflow Chaining Cross-Platform SOC Automation
Problem: Security analysts spend too much time switching between consoles. An alert in the SIEM requires pivoting to threat intel, then case management, then back to the SIEM. Every context switch costs time.
Solution: An AI agent with all 7 servers connected can execute a full incident response workflow in one conversation: Wazuh fires an alert, agent checks Suricata/Zeek for network context, queries MISP for threat intel, maps behavior to MITRE ATT&CK techniques, creates a TheHive case with findings, and runs Cortex analyzers on observables.
Result: Complete triage workflow in one conversation. No console switching. No copy-pasting IOCs between tabs.
Compatibility TheHive 5 API Discovery
Problem: TheHive 5 changed several API behaviors from v4 with minimal documentation. PATCH returns 204 No Content. Observable creation returns arrays even for single items. Cortex connector endpoints moved.
Solution: Built the client through extensive testing against a live TheHive 5.4.11 instance. Documented every breaking change. Client re-fetches after PATCH operations, handles array wrapping for observables, and routes Cortex calls through the correct connector endpoints.
Result: 36 passing integration tests. First MCP server with verified TheHive 5 compatibility.

Quick Start

Pick any server and try it in 30 seconds:

# Set credentials for your platform
export THEHIVE_URL=http://your-thehive:9000
export THEHIVE_API_KEY=your-api-key

# Run the server (Claude Desktop, Cursor, etc. connect automatically)
npx thehive-mcp

For Claude Desktop, add to your MCP config:

{
  "mcpServers": {
    "thehive": {
      "command": "npx",
      "args": ["thehive-mcp"],
      "env": {
        "THEHIVE_URL": "http://your-thehive:9000",
        "THEHIVE_API_KEY": "your-api-key"
      }
    }
  }
}

Skills Demonstrated

Protocol Design
  • MCP server architecture
  • Tool schema design
  • Resource and prompt patterns
  • Transport layer (stdio/SSE)
Security Platforms
  • SIEM (Wazuh)
  • Incident Response (TheHive)
  • Threat Intel (MISP)
  • Network IDS (Suricata/Zeek)
API Engineering
  • RESTful client design
  • Auth flow handling
  • Error normalization
  • Timeout management
TypeScript
  • Strict mode patterns
  • Zod schema validation
  • ESM module bundling
  • Generic type utilities
Testing
  • Live integration tests
  • API compatibility verification
  • Cross-platform validation
  • Edge case coverage
Open Source
  • npm package publishing
  • README documentation
  • Semantic versioning
  • Zero-config installation

Project Status

Complete — All 7 servers published on npm
  • 7 MCP servers built and tested
  • 221 tools across all platforms
  • Published on npm with zero-config install
  • Integration tests against live instances
  • Full README documentation per server
  • Prompt templates for common workflows
  • Resource endpoints for platform discovery
  • Cross-platform workflow chaining verified