MCP Server (Beta)

Interact with Panther's API using conversational AI

Overview

The Panther MCP server is in open beta, and is available to all customers. Please share any bug reports and feature requests by creating an issue in the repository.

The Panther Model Context Protocol (MCP) server enables natural language interactions with Panther in your MCP client of choice. Whether you're an analyst investigating alerts, a detection engineer writing rules in Cursor, or a CISO seeking metrics and quick insights, the MCP server lets you work with the Panther API using conversational AI.

The Panther MCP server opens up Panther to users across your organization: imagine not having to know Python to write a rule, or not needing a query language like SQL or PantherFlow to search data.

For example, you can use the Panther MCP server for:

  • Detection engineering: Generate rules based on real logs in your data lake, using clients like Cursor.

    • In Cursor, "Create a rule to monitor when AWS admins are created in account 333333444444"

  • Panther operations: Expedite the resolution of operational issues end-to-end, such as rule errors or system errors.

    • In Claude for Desktop, "Generate a report of our top 10 rules by alert volume this month"

  • Alert triage: Review and correlate many alerts generated within a given time period.

    • In Claude for Desktop, "Show me all medium+ alerts from the last 24 hours grouped by IP"

The Panther MCP server includes tools for working with alerts, data, rules, schemas, metrics, and Panther user operations. Learn more about these tools in the Available Tools section in the mcp-panther repository's README.

You can install the Panther MCP server locally using Docker or uvx. For full instructions, see the MCP Installation section of the README.

The Panther MCP server is open-source—see the contribution guidelines here. If you find a bug in the MCP server or need extra support while using it, please create an issue in the repository.

Use of Panther MCP features is subject to the AI disclaimer found on the Legal page.

Securing your MCP server

To safely use the Panther MCP server, it's strongly recommended to follow the guidelines in the Security Best Practices section in the mcp-panther repository's README.

The Panther MCP server vs. Panther AI

The Panther MCP server and Panther AI both allow you to interact with your Panther instance with AI using free-form prompts, but there are a few key differences:

| | Panther MCP server | Panther AI |
| --- | --- | --- |
| Primary use case | Detection engineering, cross-tool workflows, ad-hoc investigations, custom internal agent creation | Guided alert triage and incident response |
| Access method | | |
| Integration capability | | Panther-specific workflows only |
| Best for | Complex, exploratory tasks requiring flexibility across Panther | Repeatable, consistent security operations workflows |
| AI model | Uses your MCP client's chosen model (e.g., GPT-4, Claude, Llama 4, etc.) | |
