MCP Server Overview
How Threatmatic's MCP server connects live network events, security posture, and policy action to AI assistants and external systems.
The Threatmatic MCP server implements the Model Context Protocol — an open standard that exposes structured tools and data streams to AI assistants, agentic workflows, and external integrations.
Through a single MCP connection, an AI assistant or automated system can:
- Observe live network events as they happen across your fleet
- Query the current security posture of any device, user, or workload
- Act by triggering policy enforcement in response to what it finds
This creates a closed loop: the same intelligence that powers Threatmatic's autonomous detection and response is also available to any LLM or agent you connect.
Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│                      AI Assistant / Agent                       │
│          (Claude, GPT-4o, custom agent, SIEM workflow)          │
└────────────────────────────┬────────────────────────────────────┘
                             │ MCP (stdio / SSE / HTTP)
┌────────────────────────────▼────────────────────────────────────┐
│                     Threatmatic MCP Server                      │
│                                                                 │
│  ┌─────────────────┐  ┌──────────────────┐  ┌──────────────┐    │
│  │  Events Stream  │  │  Posture Query   │  │ Policy Tools │    │
│  │   (live feed)   │  │      (read)      │  │   (write)    │    │
│  └────────┬────────┘  └────────┬─────────┘  └──────┬───────┘    │
└───────────┼────────────────────┼───────────────────┼────────────┘
            │                    │                   │
┌───────────▼────────────────────▼───────────────────▼────────────┐
│                      Threatmatic Platform                       │
│      (Network telemetry · Identity graph · Policy engine)       │
└─────────────────────────────────────────────────────────────────┘
```
The MCP server surfaces three capability groups:
| Capability | Type | Description |
|---|---|---|
| Live Network Events | Resource / Stream | Real-time telemetry from every device, connection, and session |
| Security Posture | Resource / Tool | Current risk scores, anomaly flags, and compliance state |
| Policy Actions | Tool | Enforce, block, isolate, or update policies by identity |
Transport Modes
The server supports all three MCP transport modes:
| Mode | Use case |
|---|---|
| stdio | Local agents, CLI tools, IDE extensions |
| SSE | Long-running agents that need a persistent event stream |
| HTTP | Stateless queries from serverless functions or webhooks |
Configuration
Add the Threatmatic MCP server to your Claude Desktop or agent configuration:
```json
{
  "mcpServers": {
    "threatmatic": {
      "command": "npx",
      "args": ["-y", "@threatmatic/mcp-server"],
      "env": {
        "THREATMATIC_API_KEY": "<your-api-key>",
        "THREATMATIC_TENANT": "<your-tenant-id>"
      }
    }
  }
}
```
For SSE or HTTP transports, the server is available at your tenant endpoint:
```
https://<tenant>.threatmatic.io/mcp
```
Authenticate with a Bearer token using an API key generated in the Threatmatic Console under Settings → API Keys.
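An added example, not part of Threatmatic's documentation or code: a small Node.js check for the stdio configuration above that flags an `npx` package spec without an exact version (with `-y`, npx installs and runs whatever the registry currently serves, without prompting) and key-like variables written as literals in `env`. The function names, finding labels and sample values are assumptions made for illustration.

```javascript
// Added example (not Threatmatic code): audit an MCP client config for
// unpinned npx packages and API keys stored inline in "env".
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)$/i;

// Split an npm package spec into name and version, handling "@scope/name@ver".
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0
    ? { name: spec.slice(0, at), version: spec.slice(at + 1) }
    : { name: spec, version: null };
}

function auditMcpConfig(config) {
  const findings = [];
  for (const [id, server] of Object.entries(config.mcpServers ?? {})) {
    if (server.command === "npx") {
      // The first non-flag argument is the package npx fetches and executes.
      const spec = (server.args ?? []).find((a) => !a.startsWith("-"));
      if (spec && !EXACT_VERSION.test(parseSpec(spec).version ?? "")) {
        findings.push({ server: id, issue: "unpinned-package", detail: spec });
      }
    }
    for (const [name, value] of Object.entries(server.env ?? {})) {
      // "<...>" template placeholders are not secrets; any other value is.
      const isPlaceholder = /^<.*>$/.test(value);
      if (SECRET_NAME.test(name) && value && !isPlaceholder) {
        findings.push({ server: id, issue: "inline-secret", detail: name });
      }
    }
  }
  return findings;
}

// Constructed sample: the page's config with a made-up key and tenant filled in.
const sample = {
  mcpServers: {
    threatmatic: {
      command: "npx",
      args: ["-y", "@threatmatic/mcp-server"],
      env: { THREATMATIC_API_KEY: "constructed-key", THREATMATIC_TENANT: "example" },
    },
  },
};

console.log(auditMcpConfig(sample));
```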
Capability Summary
What the AI can read
- Every network event in your fleet, streamed in real time
- Per-device, per-user, and per-workload risk scores
- Active anomalies, open incidents, and compliance gaps
- The full policy set currently enforced across your environment
What the AI can do
- Block or allow specific users, applications, or network destinations
- Isolate a compromised device into a quarantine micro-zone
- Promote or demote a device's trust level
- Create, update, or disable a named policy
- Acknowledge and close an active incident
What the AI cannot do
- Modify tenant configuration or billing settings
- Access raw payload data (Threatmatic never stores content — only behavioral metadata)
- Bypass audit logging — every tool call is recorded with full attribution
Next Steps
- Live Network Events — event schema, filters, and stream subscription
- Security Posture — risk scoring, anomaly queries, and compliance checks
- Policy Actions — enforcement tools, identity targeting, and policy lifecycle