npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

security-detections-mcp

v3.3.0

Published

Advanced MCP server for security detections with Detection Engineering Intelligence, Knowledge Graph (Tribal Knowledge), Elicitation, and Resource Subscriptions

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

mhaggismhaggis

Keywords

mcpsecuritydetectionssigmasplunkescuelastickqlkustodefendersentinelsublimecrowdstrikecqljamfmacossiemmitreattack

Readme

Security Detections MCP

An MCP (Model Context Protocol) server that lets LLMs query a unified database of Sigma, Splunk ESCU, Elastic, KQL, Sublime, and CrowdStrike CQL security detection rules.

New here? Start with the Setup Guide -- covers macOS, Windows (WSL & native), and Linux step by step.

Want it hosted? Skip the install entirely: Hosted MCP Setup Guide

Two Ways to Run It

Local (full power) — the npm package you're looking at. Runs on your machine, indexes your own detection repos, exposes all 81 tools. You need Node.js and ~10 minutes.

Hosted (zero setup) — a Streamable HTTP server at detect.michaelhaag.org/api/mcp/mcp. Sign up, generate a token, paste one URL into your MCP client. ~25 read-only tools, always in sync with the latest content, 200 calls/day free. Read on for quick-install buttons.

Install — Local

Install Local MCP in Cursor Install Local MCP in VS Code Install Local MCP in VS Code Insiders

Claude Code (CLI one-liner):

claude mcp add security-detections -- npx -y security-detections-mcp

Claude Desktop — add to claude_desktop_config.json:

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"]
    }
  }
}

OpenAI Codex (CLI):

codex mcp add security-detections -- npx -y security-detections-mcp

After install, configure env vars (SIGMA_PATHS, SPLUNK_PATHS, etc.) to point at your detection repos. See the Setup Guide for full details.

Install — Hosted (no setup, token required)

  1. Create a token at detect.michaelhaag.org/account/tokens. Free tier: 200 calls/day, all read-only tools.
  2. Click the button for your client — replace sdmcp_YOUR_TOKEN_HERE in the resulting config with the token you just generated.

Install Hosted MCP in Cursor Install Hosted MCP in VS Code Install Hosted MCP in VS Code Insiders

Claude Code (CLI one-liner):

claude mcp add --transport http security-detections https://detect.michaelhaag.org/api/mcp/mcp --header "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"

Claude Desktop (via mcp-remote — Desktop doesn't speak remote HTTP natively yet):

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://detect.michaelhaag.org/api/mcp/mcp",
        "--header",
        "Authorization: Bearer sdmcp_YOUR_TOKEN_HERE"
      ]
    }
  }
}

OpenAI Codex (CLI):

export SDMCP_TOKEN="sdmcp_YOUR_TOKEN_HERE" && codex mcp add security-detections --url https://detect.michaelhaag.org/api/mcp/mcp --bearer-token-env-var SDMCP_TOKEN

See the Hosted MCP Setup Guide for the full table of clients, the complete tool inventory, and troubleshooting tips.

AI Model Routing (Web App)

The web chat supports Free, Pro/Admin, and BYOK (Bring Your Own Key) routing. You can also see the active model at the top of the chat UI.

Free Tier (default)

  • Default model: nvidia/nemotron-3-super-120b-a12b:free
  • Automatic fallback order if the first model is busy:
    1. nvidia/nemotron-3-super-120b-a12b:free
    2. nousresearch/hermes-3-llama-3.1-405b:free
    3. meta-llama/llama-3.3-70b-instruct:free
    4. openai/gpt-oss-120b:free

Pro/Admin (no BYOK key set)

Uses app-managed OpenRouter routing with your Preferred Model setting in /account:

| Preferred Model | Routed model | |---|---| | auto | Free model pool (default: nvidia/nemotron-3-super-120b-a12b:free) | | claude | anthropic/claude-sonnet-4-6 | | claude-opus | anthropic/claude-opus-4-6 | | gpt | openai/gpt-5.4 | | gpt-codex | openai/gpt-5.3-codex |

BYOK behavior (takes precedence over tier routing)

If you set your own API key(s), routing priority is:

  1. Claude key (sk-ant-...) -> claude-sonnet-4-6-20250514 via Anthropic
  2. OpenAI key (sk-...) -> gpt-5.4 via OpenAI
  3. OpenRouter key (sk-or-...) -> uses the same Preferred Model mapping table above

If multiple keys are present, the first match in that order is used.

Features

  • 8,200+ detections across 6 formats — Sigma, Splunk ESCU, Elastic, KQL, Sublime, CrowdStrike CQL
  • MITRE ATT&CK STIX — 172 threat actors, 784 software, 4,362 actor-technique relationships
  • Procedure-level coverage — auto-extracted behavioral clusters from every detection rule
  • ATT&CK Navigator layers — export coverage/gap JSON, filterable by source/tactic/severity/actor
  • Autonomous pipeline — CTI ingestion → gap analysis → detection generation → Atomic testing → DRAFT PR (see Autonomous docs)
  • 81 local tools / ~25 hosted tools — unified search, MITRE mapping, coverage analysis, knowledge graph, pattern learning, sprint planning
  • 11 MCP Prompts — ransomware assessment, APT emulation, purple team, executive briefing, and more
  • MCP Resources & Completions — readable context, autocomplete for technique IDs, CVEs, process names

Quick Start

npx -y security-detections-mcp

Or clone and build: git clone https://github.com/MHaggis/Security-Detections-MCP.git && cd Security-Detections-MCP && npm install && npm run build

Configure env vars to point at your detection repos:

| Variable | Description | |----------|-------------| | SIGMA_PATHS | Sigma rule directories | | SPLUNK_PATHS | Splunk ESCU detection directories | | ELASTIC_PATHS | Elastic detection rule directories | | KQL_PATHS | KQL hunting query directories | | SUBLIME_PATHS | Sublime Security rule directories | | CQL_HUB_PATHS | CQL Hub (CrowdStrike) query directories | | JAMF_PROTECT_PATHS | Jamf Protect custom analytic detection directories (macOS) | | STORY_PATHS | Splunk analytic story directories (optional) | | ATTACK_STIX_PATH | Path to enterprise-attack.json for threat actor data (optional) |

See the Setup Guide for full per-client config examples (Cursor, VS Code, Claude Desktop, WSL).

Getting Detection Content

Download all sources with sparse checkout (rules only, not full repos):

mkdir -p detections && cd detections
git clone --depth 1 --filter=blob:none --sparse https://github.com/SigmaHQ/sigma.git && cd sigma && git sparse-checkout set rules rules-threat-hunting && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/splunk/security_content.git && cd security_content && git sparse-checkout set detections stories && cd ..
git clone --depth 1 --filter=blob:none --sparse https://github.com/elastic/detection-rules.git && cd detection-rules && git sparse-checkout set rules && cd ..
git clone --depth 1 https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules.git kql-bertjanp
git clone --depth 1 https://github.com/jkerai1/KQL-Queries.git kql-jkerai1
git clone --depth 1 --filter=blob:none --sparse https://github.com/sublime-security/sublime-rules.git && cd sublime-rules && git sparse-checkout set detection-rules && cd ..
git clone --depth 1 https://github.com/ByteRay-Labs/Query-Hub.git cql-hub

MCP Tools

Core Detection Tools

| Tool | Description | |------|-------------| | search(query, limit) | Full-text search across all detection fields | | get_by_id(id) | Get a single detection by ID | | list_all(limit, offset) | Paginated list of all detections | | list_by_source(source_type) | Filter by source (sigma, splunk_escu, elastic, kql, sublime, crowdstrike_cql, jamf_protect) | | get_stats() | Index statistics | | rebuild_index() | Force re-index from configured paths |

MITRE ATT&CK & Filtering

| Tool | Description | |------|-------------| | list_by_mitre(technique_id) | Filter by technique ID (e.g., T1059.001) | | list_by_mitre_tactic(tactic) | Filter by tactic (execution, persistence, etc.) | | list_by_cve(cve_id) | Find detections for a CVE | | list_by_process_name(process_name) | Find detections referencing a process | | list_by_severity(level) | Filter by severity level | | list_by_data_source(data_source) | Filter by data source |

Coverage & Analysis (Token-Optimized)

| Tool | Description | |------|-------------| | analyze_coverage(source_type?) | Coverage stats by tactic, top techniques, weak spots (~2KB) | | identify_gaps(threat_profile) | Find gaps for ransomware, apt, persistence, etc. (~500B) | | suggest_detections(technique_id) | Detection ideas for a technique (~2KB) | | get_coverage_summary(source_type?) | Tactic percentages (~200B) | | analyze_actor_coverage(actor) | Coverage against a specific threat actor | | compare_actor_coverage(actors) | Compare coverage across multiple actors | | analyze_procedure_coverage(technique_id) | Behavioral procedure breakdown | | generate_navigator_layer(...) | Export ATT&CK Navigator JSON layers |

Engineering, Knowledge Graph & More

81 tools total including pattern learning, template generation, knowledge graph, dynamic tables, and autonomous analysis. See the Tools Reference for the complete list.

MCP Prompts

11 pre-built expert workflows. Just ask by name:

| Prompt | Description | |--------|-------------| | ransomware-readiness-assessment | Full kill-chain analysis with risk scoring | | apt-threat-emulation | Coverage against specific threat actors (APT29, Lazarus, etc.) | | purple-team-exercise | Complete test plans with procedures and expected detections | | soc-investigation-assist | Triage guidance, hunting queries, escalation criteria | | detection-engineering-sprint | Prioritized backlog with user stories | | executive-security-briefing | C-level report with business risk language | | cve-response-assessment | Rapid assessment for emerging CVEs | | data-source-gap-analysis | Telemetry requirements analysis | | detection-quality-review | Deep-dive quality analysis for a technique | | threat-landscape-sync | Align priorities with current threats | | detection-coverage-diff | Compare coverage against actors or baseline |

You: "Run apt-threat-emulation for APT29"
→ Technique-by-technique coverage, gaps, and purple team test plan

Using with MITRE ATT&CK MCP

Pairs with mitre-attack-mcp for complete threat coverage analysis. Install both:

{
  "mcpServers": {
    "security-detections": {
      "command": "npx",
      "args": ["-y", "security-detections-mcp"],
      "env": { "SIGMA_PATHS": "/path/to/sigma/rules" }
    },
    "mitre-attack": {
      "command": "npx",
      "args": ["-y", "mitre-attack-mcp"],
      "env": { "ATTACK_DOMAIN": "enterprise-attack" }
    }
  }
}

Stats

| Source | Count | |--------|-------| | Sigma Rules | ~3,200+ | | Splunk ESCU | ~2,000+ | | Elastic Rules | ~1,500+ | | KQL Queries | ~420+ | | Sublime Rules | ~900+ | | CrowdStrike CQL | ~139+ | | Total | ~8,200+ |

Development

npm install && npm run build && npm test

Documentation

License

Apache 2.0