Scaling Security Operations with AI

Security operations is inherently complex, nuanced work that creates knowledge silos within organizations, where seasoned practitioners understand best how to extract value from SIEM data. When only a handful of security engineers can effectively query logs, investigate alerts, or create meaningful detections, this creates dangerous blind spots where threats may go undetected during off-hours or when key personnel are unavailable. This also limits the organization's ability to scale beyond its current security posture. The problem intensifies as security tool sprawl increases horizontally, forcing teams to context-switch between multiple interfaces during alert triage and incident response. The resulting inefficiencies lead to fatigue, delayed response times, and increased risk as overworked security teams struggle to keep pace.

LLMs are rapidly changing how security teams collaborate with general copilots for analytical capabilities, enhanced language comprehension, and non-deterministic problem solving. This transformation is poised to replace traditional point-and-click interfaces by executing dozens of actions per minute on users' behalf. With new AI developments emerging weekly, we're particularly excited about connecting these AI models to external systems, like your SIEM, EDR, or CSPM.

Model Context Protocol (MCP) is a new protocol providing a standard connection between AI and external data and tools to power this transition, bringing the power of natural language interaction into your day-to-day workflows in security operations. In this post, we’ll cover three distinct benefits security teams can obtain right now by utilizing MCP with their preferred AI tools.

Standardizing Communications Between AI and Enterprise Tools

The Model Context Protocol (MCP) represents a fundamental shift in how AI systems interact with external data sources and applications. Think of MCP as the "USB-C of AI"—a standardized connection that enables compatible AI models to communicate with any compatible application or data system through a shared interface. Instead of building custom integrations for each AI-to-application connection, MCP provides a consistent protocol that AI systems and applications can implement once and use everywhere.

With thousands of MCP servers to choose from, security teams can rapidly start connecting any LLM to their given stack, significantly alleviating the time and overhead of clicking manually through UIs. MCP's adoption has quickly accelerated with endorsements from all major AI providers, including OpenAI, Anthropic, and Google. This widespread adoption has established a robust foundation for AI-native integrations across virtually every category of enterprise software.

The protocol is rapidly maturing from a security perspective, and the overall AI ecosystem has a ways to go before teams feel comfortable running MCP servers on top of all sensitive tools and data. In the meantime, there are narrowly scoped, security-conscious best practices regarding MCP, such as secrets management, server validation, and tool selection, that can strike a delicate balance between AI acceleration and usability.

Connecting AI to SIEM with MCP

Recognizing the transformative potential of AI-native security operations, Panther has released an open-source MCP server developed in collaboration with Block's security team. This implementation brings AI capabilities to security operations, enabling teams to leverage natural language interfaces and AI reasoning for most daily security workflows.

The Panther MCP server enables rule writing, alert triage, and investigation capabilities. Teams can manage alerts with tools for viewing, commenting, updating status, and analyzing patterns across time ranges. Data exploration becomes intuitive through AI-generated SQL queries, automated sample log retrieval, and dynamic schema inspection. Detection engineering workflows are streamlined with rule creation, modification, and validation tools that maintain software engineering best practices while dramatically reducing time-to-deployment.

The example below simulates an analyst interacting with their SIEM via Claude Desktop. You can imagine this like a personal security AI that they can ask questions and get answers using the most appropriate MCP tool for the job, like list_alerts or list_rules.

Claude Desktop and mcp-panther

Beyond individual workflow improvements, the server enables cross-platform correlation alongside other MCP servers. Security teams can simultaneously query Panther alerts, cloud infrastructure logs, ticketing systems, and communication platforms through unified natural language interfaces, eliminating the context-switching overhead that traditionally fragments incident response efforts.

The server can be connected to popular AI tools, like Cursor, Claude Desktop, and Codename Goose, ensuring accessibility regardless of teams' preferred organization’s AI models and agents. This flexibility enables security professionals to integrate AI assistance directly into existing workflows without requiring wholesale toolchain changes.

Three Benefits of MCP for SIEM

Integrating MCP into security workflows delivers significant productivity improvements across critical operational dimensions, fundamentally reshaping how teams approach threat detection and response.

Democratized SIEM Access in the Organization

MCP eliminates the traditional barriers that restrict security insights to specialized teams. Non-security stakeholders can query authentication logs, investigate application security data, and generate compliance reports through natural language interactions. Junior analysts can leverage AI guidance to conduct sophisticated investigations that previously required years of domain expertise, accelerating professional development while reducing senior team bottlenecks. This democratization maintains enterprise security standards through robust access controls and audit mechanisms, ensuring broader organizational participation doesn't compromise security posture or compliance requirements.

The example below demonstrates how any accessible user could query Okta authentications without knowing the log schema or nuances of a query language.

Accelerated Detection Engineering

Traditional detection engineering across the industry requires deep knowledge of data schemas, query optimization, and testing frameworks. MCP transforms this process by enabling natural language descriptions of security logic to be translated into production-ready detection rules with proper validation, unit testing, and configurations.

This acceleration preserves software engineering rigor while dramatically reducing time to deployment. Security teams can rapidly iterate on detection logic, test against historical data, and deploy validated rules—all through conversational interfaces that eliminate the cognitive overhead of switching between development environments and multiple security tools.

Through AI tool hints or rules, internal best practices can be codified and followed by the AI:

Creating a new detection rule in Cursor to identify multiple SIEM rules being deleted, potentially circumventing monitoring controls.

Cross-Context Correlation

Modern security operations require correlating data across disparate systems and contexts. MCP enables natural language queries that span multiple log sources, alert contexts, and time ranges, while supporting simultaneous integration with complementary MCP servers for ticketing systems, cloud infrastructure, and communication platforms. This unified approach eliminates the fragmented investigation workflows across many security tools, enabling analysts to maintain context while gathering comprehensive intelligence across organizational boundaries and technology stacks.

The Future of AI-Native Security Operations

The Model Context Protocol represents more than technological innovation—it signals a fundamental transformation in how security capabilities scale within organizations. By establishing standardized communication frameworks between AI systems and security tools, MCP enables the kind of adaptive, intelligent ecosystems that modern threat landscapes demand.

This evolution transcends individual tool improvements, creating the foundation for security operations that dynamically adapt to organizational needs while maintaining the depth and control that security professionals require. The future lies not in replacing human expertise, but in amplifying it through intelligent interfaces that make sophisticated capabilities accessible to broader teams.

Explore Panther's open-source MCP server on GitHub and discover how AI-native interfaces can transform your security operations without sacrificing control or visibility.