by CrowdStrike
Connect AI agents to CrowdStrike Falcon for automated security analysis and threat hunting
# Add to your Claude Code skills
git clone https://github.com/CrowdStrike/falcon-mcpLast scanned: 5/30/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-30T15:54:19.348Z",
"npmAuditRan": true,
"pipAuditRan": true
}falcon-mcp is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by CrowdStrike. Connect AI agents to CrowdStrike Falcon for automated security analysis and threat hunting. It has 212 GitHub stars.
Yes. falcon-mcp passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/CrowdStrike/falcon-mcp" and add it to your Claude Code skills directory (see the Installation section above).
falcon-mcp is primarily written in Python. It is open-source under CrowdStrike on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh falcon-mcp against similar tools.
No comments yet. Be the first to share your thoughts!

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.
[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.
Full docs are available at developer.crowdstrike.com/falcon-mcp.
| Module | Description |
|---|---|
| Core | Basic connectivity and system information |
| Case Management | Case lifecycle management, evidence attachment, tagging, and templates |
| Cloud Security | Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, suppression rules, cloud risks, and cloud groups |
| Correlation Rules | Search, create, update, and manage NG-SIEM correlation rules |
| Custom IOA | Create and manage Custom IOA behavioral detection rules and rule groups |
| Data Protection | Search Data Protection classifications, policies, and content patterns |
| Detections | Find and analyze detections to understand malicious activity |
| Discover | Search application inventory and discover unmanaged assets |
| Exclusions | Search, create, update, and delete IOA, machine learning, sensor visibility, and certificate-based exclusions |
| Firewall Management | Search and manage firewall rules and rule groups |
| Host Groups | Search, create, update, and delete host groups; manage group membership |
| Hosts | Manage and query host/device information |
| Identity Protection | Entity investigation and identity protection analysis |
| Intel | Research threat actors, IOCs, and intelligence reports |
| IOC | Search, create, and remove custom indicators of compromise |
| NGSIEM | Execute CQL queries against Next-Gen SIEM |
| Policies | Search, create, update, and delete prevention, sensor update, firewall, device control, response, and content update policies; manage host-group assignment, enable/disable, and precedence |
| Quarantine | Search quarantine records, preview action counts, and release, unrelease, or delete quarantined files |
| Real Time Response | Audit, summarize, and run read-only RTR triage workflows |
| Recon | Search Falcon Intelligence Recon notifications (recon alerts), monitoring rules, and exposed-data records for dark web, leaked credentials, and typosquatting |
| Scheduled Reports | Manage scheduled reports and download report files |
| Sensor Usage | Access and analyze sensor usage data |
| Serverless | Search for vulnerabilities in serverless functions |
| Shield | SaaS security posture, checks, alerts, and app inventory |
| Spotlight | Manage and analyze vulnerability data and security assessments |
See the Module Overview for required API scopes, available tools, and FQL resources.
uv tool install falcon-mcp
pip install falcon-mcp
Set the required environment variables (or use a .env file — see the Configuration Guide):
export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"
falcon-mcp
See the Getting Started guide for full installation and configuration details.
uvx (recommended){
"mcpServers": {
"falcon-mcp": {
"command": "uvx",
"args": [
"--env-file",
"/path/to/.env",
"falcon-mcp"
]
}
}
}
{
"mcpServers": {
"falcon-mcp": {
"command": "uvx",
"args": [
"--env-file",
"/path/to/.env",
"falcon-mcp",
"--modules",
"detections,hosts,intel"
]
}
}
}
{
"mcpServers": {
"falcon-mcp-docker": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"--env-file",
"/full/path/to/.env",
"quay.io/crowdstrike/falcon-mcp:latest"
]
}
}
}
See the Usage guide for all command line options, module configuration, and library usage.
# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest
# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest
# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0
See the Docker Deployment guide for building locally, custom ports, and advanced configurations.
Running many modules at once inflates the context window every AI client must hold. Dynamic mode
replaces the full tool surface with three tools — falcon_list_enabled_modules to see which
modules are loaded, falcon_search_tools to discover the right tool on demand, and
falcon_execute_tool to run it — so agents only load the schemas they actually need.
falcon-mcp --dynamic
# or: FALCON_MCP_DYNAMIC=true
See the Dynamic Mode guide for the full discover → execute workflow and trade-offs.
# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras
# Run tests
uv run pytest
[!IMPORTANT] This project uses Conventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.
falcon-mcp is publis