MCP Server (Beta)

Overview

The Panther server enables natural language interactions with Panther in your MCP of choice. Whether you're an analyst investigating alerts, a detection engineer writing rules in , or a CISO seeking metrics and quick insights, the MCP server lets you work with the using conversational AI.

The Panther MCP server democratizes Panther access to users across your organization—imagine not having to know how to program in Python to write a rule, or not needing a query language like SQL or PantherFlow to search data.

For example, you can use the Panther MCP server for:

• Detection engineering: Generate rules based on real logs in your data lake, using clients like Cursor.

  • In Cursor, "Create a rule to monitor when AWS admins are created in account 333333444444"

• Panther operations: Expedite the resolution of operational issues end-to-end, such as or .

  • In Claude for Desktop, "Generate a report of our top 10 rules by alert volume this month"

• Alert triage: Review and correlate many alerts generated within a given time period.

  • In Claude for Desktop, "Show me all medium+ alerts from the last 24 hours grouped by IP"

The Panther MCP server includes tools for working with alerts, data, rules, schemas, metrics, and Panther user operations. Learn more about these tools in the .

You can install the Panther MCP server locally using docker or uvx. For full instructions, see the .

The Panther MCP server is open-source—see the . If you find a bug in the MCP server or need extra support while using it, please .

Securing your MCP server

The Panther MCP server vs. Panther AI

Panther MCP Server vs. Panther AI