How do I install Falcon?

Falcon is a local plugin. Install it using PyPI package: falcon-mcp and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Falcon need?

Falcon requires the following credentials or environment variables: FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, FALCON_BASE_URL, FALCON_MEMBER_CID, FALCON_MCP_MODULES, FALCON_MCP_TRANSPORT, FALCON_MCP_DEBUG, FALCON_MCP_HOST, FALCON_MCP_PORT, FALCON_MCP_USER_AGENT_COMMENT, FALCON_MCP_STATELESS_HTTP, FALCON_MCP_API_KEY. You can find setup instructions on the server detail page.

What AI apps work with Falcon?

Falcon uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Falcon MCP Server

by CrowdStrike

Developer ToolsUse Caution4.5MCP RegistryLocal

Free

Server data from the Official MCP Registry

Connects AI agents with CrowdStrike Falcon for security analysis and automation.

About

Connects AI agents with CrowdStrike Falcon for security analysis and automation.

Security Report

4.5

Use Caution4.5High Risk

This is a well-structured CrowdStrike Falcon MCP server with proper authentication requirements and reasonable API scope. The codebase demonstrates good security practices with input sanitization, credential handling via environment variables, and structured error handling. However, there are moderate concerns around GraphQL query construction that could be vulnerable to injection attacks, and some code quality gaps in validation and error handling that warrant attention. Supply chain analysis found 4 known vulnerabilities in dependencies (0 critical, 1 high severity). Package verification found 1 issue.

4 files analyzed · 12 issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

env_vars

Check that this permission is expected for this type of plugin.

HTTP Network Access

Connects to external APIs or services over the internet.

File System Read

Reads files on your machine. Normal for tools that analyze or process local data.

What You'll Need

Set these up before or after installing:

CrowdStrike API client IDRequired

Environment variable: FALCON_CLIENT_ID

CrowdStrike API client secretRequired

Environment variable: FALCON_CLIENT_SECRET

CrowdStrike API region URLOptional

Environment variable: FALCON_BASE_URL

Child CID for Flight Control (MSSP) supportOptional

Environment variable: FALCON_MEMBER_CID

Comma-separated list of modules to enableOptional

Environment variable: FALCON_MCP_MODULES

Transport protocol to useOptional

Environment variable: FALCON_MCP_TRANSPORT

Enable debug loggingOptional

Environment variable: FALCON_MCP_DEBUG

Host to bind to for HTTP transportsOptional

Environment variable: FALCON_MCP_HOST

Port to listen on for HTTP transportsOptional

Environment variable: FALCON_MCP_PORT

Additional information to include in the User-Agent comment sectionOptional

Environment variable: FALCON_MCP_USER_AGENT_COMMENT

Enable stateless HTTP mode for scalable deploymentsOptional

Environment variable: FALCON_MCP_STATELESS_HTTP

API key for HTTP transport authentication (x-api-key header)Required

Environment variable: FALCON_MCP_API_KEY

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-crowdstrike-falcon-mcp": {
      "env": {
        "FALCON_BASE_URL": "your-falcon-base-url-here",
        "FALCON_MCP_HOST": "your-falcon-mcp-host-here",
        "FALCON_MCP_PORT": "your-falcon-mcp-port-here",
        "FALCON_CLIENT_ID": "your-falcon-client-id-here",
        "FALCON_MCP_DEBUG": "your-falcon-mcp-debug-here",
        "FALCON_MEMBER_CID": "your-falcon-member-cid-here",
        "FALCON_MCP_API_KEY": "your-falcon-mcp-api-key-here",
        "FALCON_MCP_MODULES": "your-falcon-mcp-modules-here",
        "FALCON_CLIENT_SECRET": "your-falcon-client-secret-here",
        "FALCON_MCP_TRANSPORT": "your-falcon-mcp-transport-here",
        "FALCON_MCP_STATELESS_HTTP": "your-falcon-mcp-stateless-http-here",
        "FALCON_MCP_USER_AGENT_COMMENT": "your-falcon-mcp-user-agent-comment-here"
      },
      "args": [
        "-y",
        "falcon-mcp-docs"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

falcon-mcp

falcon-mcp is a Model Context Protocol (MCP) server that connects AI agents with the CrowdStrike Falcon platform, powering intelligent security analysis in your agentic workflows. It delivers programmatic access to essential security capabilities—including detections, threat intelligence, and host management—establishing the foundation for advanced security operations and automation.

[!IMPORTANT] 🚧 Public Preview: This project is currently in public preview and under active development. Features and functionality may change before the stable 1.0 release. While we encourage exploration and testing, please avoid production deployments. We welcome your feedback through GitHub Issues to help shape the final release.

Documentation

Full docs are available at crowdstrike.github.io/falcon-mcp.

Modules

Module	Description
Core	Basic connectivity and system information
Case Management	Case lifecycle management, evidence attachment, tagging, and templates
Cloud Security	Kubernetes containers, image vulnerabilities, CSPM asset inventory, IOM findings, and suppression rules
Custom IOA	Create and manage Custom IOA behavioral detection rules and rule groups
Detections	Find and analyze detections to understand malicious activity
Discover	Search application inventory and discover unmanaged assets
Firewall Management	Search and manage firewall rules and rule groups
Hosts	Manage and query host/device information
Identity Protection	Entity investigation and identity protection analysis
Intel	Research threat actors, IOCs, and intelligence reports
IOC	Search, create, and remove custom indicators of compromise
NGSIEM	Execute CQL queries against Next-Gen SIEM
Real Time Response	Initialize RTR sessions and execute read-only triage commands
Scheduled Reports	Manage scheduled reports and download report files
Sensor Usage	Access and analyze sensor usage data
Serverless	Search for vulnerabilities in serverless functions
Shield	SaaS security posture, checks, alerts, and app inventory
Spotlight	Manage and analyze vulnerability data and security assessments

See the Module Overview for required API scopes, available tools, and FQL resources.

Quick Start

Install

Using uv (recommended)

uv tool install falcon-mcp

Using pip

pip install falcon-mcp

Configure

Set the required environment variables (or use a .env file — see the Configuration Guide):

export FALCON_CLIENT_ID="your-client-id"
export FALCON_CLIENT_SECRET="your-client-secret"
export FALCON_BASE_URL="https://api.crowdstrike.com"

Run

falcon-mcp

See the Getting Started guide for full installation and configuration details.

Editor Integration

Using `uvx` (recommended)

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp"
      ]
    }
  }
}

With Module Selection

{
  "mcpServers": {
    "falcon-mcp": {
      "command": "uvx",
      "args": [
        "--env-file",
        "/path/to/.env",
        "falcon-mcp",
        "--modules",
        "detections,hosts,intel"
      ]
    }
  }
}

Docker

{
  "mcpServers": {
    "falcon-mcp-docker": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--env-file",
        "/full/path/to/.env",
        "quay.io/crowdstrike/falcon-mcp:latest"
      ]
    }
  }
}

See the Usage guide for all command line options, module configuration, and library usage.

Container Usage

# Pull the latest image
docker pull quay.io/crowdstrike/falcon-mcp:latest

# Run with .env file (stdio transport)
docker run -i --rm --env-file /path/to/.env quay.io/crowdstrike/falcon-mcp:latest

# Run with streamable-http transport
docker run --rm -p 8000:8000 --env-file /path/to/.env \
  quay.io/crowdstrike/falcon-mcp:latest --transport streamable-http --host 0.0.0.0

See the Docker Deployment guide for building locally, custom ports, and advanced configurations.

Deployment Options

Contributing

# Clone and install
git clone https://github.com/CrowdStrike/falcon-mcp.git
cd falcon-mcp
uv sync --all-extras

# Run tests
uv run pytest

[!IMPORTANT] This project uses Conventional Commits for automated releases. Please follow the commit message format outlined in our Contributing Guide.

Developer Documentation

Docs Site Guide: Architecture and development guide for the documentation site
Module Development Guide: Instructions for implementing new modules
Resource Development Guide: Instructions for implementing resources
End-to-End Testing Guide: Guide for running and understanding E2E tests
Integration Testing Guide: Guide for running integration tests with real API calls

License

This project is licensed under the MIT License - see the LICENSE file for details.

Support

This is a community-driven, open source project. While it is not an official CrowdStroke product, it is actively maintained by CrowdStrike and supported in collaboration with the open source developer community.

For more information, please see our SUPPORT file.

Reviews

No reviews yet

Be the first to review this server!

More Developer Tools MCP Servers

Fetch

Free

by Modelcontextprotocol · Developer Tools

Web content fetching and conversion for efficient LLM usage

Git

Free

by Modelcontextprotocol · Developer Tools

Read, search, and manipulate Git repositories programmatically

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

Falcon MCP Server

About

Security Report

Findings (12)Action required

Permissions Required

What You'll Need

How to Install

Documentation

falcon-mcp

Documentation

Modules

Quick Start

Install

Using uv (recommended)

Using pip

Configure

Run

Editor Integration

Using `uvx` (recommended)

With Module Selection

Docker

Container Usage

Deployment Options

Contributing

Developer Documentation

License

Support

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

Falcon MCP Server

About

Security Report

Findings (12)Action required

Permissions Required

What You'll Need

How to Install

Documentation

falcon-mcp

Documentation

Modules

Quick Start

Install

Using uv (recommended)

Using pip

Configure

Run

Editor Integration

Using uvx (recommended)

With Module Selection

Docker

Container Usage

Deployment Options

Contributing

Developer Documentation

License

Support

Reviews

No reviews yet

More Developer Tools MCP Servers

Fetch

Git

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

Using `uvx` (recommended)