AI agents can help your SOC team scale, but connecting them to security can mean building custom integrations for every tool-to-tool combination. With 15 security tools, that's 105 potential integration points to maintain. The Model Context Protocol (MCP) solves this problem.
MCP provides a standardized interface for connecting AI agents to SIEMs, threat intelligence platforms, and investigation tools. Instead of brittle point-to-point connections, your agents can query data, correlate indicators, and assemble context through natural conversation.
This guide covers how to use MCP tools to orchestrate AI SOC agents: understanding the protocol architecture, evaluating SIEM implementations, and building workflows that scale with your team.
Note: MCP is an emerging protocol (introduced in November 2024), and ecosystem capabilities, vendor implementations, and security guidance are evolving rapidly. Validate current support and risk posture with each vendor before deployment.
Key Takeaways
MCP is an open-source standard for connecting AI to external systems. In the context of security, it exposes the capabilities of security tools to AI agents through standardized interfaces.
MCP tools can serve as a foundation for building AI-driven SOC workflows, including natural language detection engineering, alert triage assistance, and cross-platform orchestration across your security stack.
Early adopters, open-source projects, and some vendors are experimenting with MCP-based integrations. Each takes a distinct approach to authentication, integration depth, and target use cases.
Best practices for deploying MCP to manage AI SOC agents include starting with a pilot, expanding to limited production with human-approval gates, and then scaling to full SOC integration.
What Is MCP?
The Model Context Protocol (MCP) is an open-source standard for connecting AI applications to external systems. Anthropic introduced MCP in late 2024, and the protocol has seen early adoption and experimentation across several AI platforms. For example, both OpenAI and Google announced compatibility with the protocol, and Google released official MCP support for their API infrastructure.
Think of MCP as a universal connector that lets AI agents interact with any tool through a single standardized protocol. MCP follows a client-server architecture with three logical roles:
MCP hosts are AI applications like Claude Desktop, Cursor, or VS Code that initiate and manage connections.
MCP clients mediate requests between hosts and servers.
MCP servers are programs that expose specific capabilities (tools, resources, and prompts) and execute tool actions.
So, what about MCP tools? In the MCP ecosystem, "tools" refers specifically to the MCP servers that expose security platform capabilities to AI agents. When you install the Panther MCP server, for example, your AI client gains access to Panther's alert management, data querying, and detection engineering tools through standardized interfaces. MCP tools can transform conversational AI from a chatbot into an operational SOC assistant.
Why MCP Tools Matter for Security Teams
MCP tools — the servers that expose security platform capabilities to AI agents — can enable three main capabilities for SOC teams:
Natural language detection engineering. You can interact with detection tools conversationally. All you need to do is describe the threat behavior you want to catch, and AI helps generate queries, build rule logic, or translate your intent into platform-specific syntax.
Alert triage assistance. AI agents can help investigate alerts by querying your SIEM, correlating indicators across threat intelligence feeds, checking user activity in your identity provider, and surfacing findings for analyst review.
Cross-platform orchestration. You can query multiple security tools from one interface. MCP servers support multiple integrations: connect your SIEM to Slack for notifications, Jira for ticketing, and GitHub for detection-as-code workflows.
MCP tools also enable SIEM access across the organization and can 10x your detection engineering workflows. Even stakeholders who are not security professionals can query logs and generate reports through natural language. At the same time, junior analysts use AI guidance to conduct investigations that previously required years of domain expertise.
Comparing MCP Implementations Across SIEM Platforms
Early adopters, open-source projects, and some vendors are experimenting with MCP-based integrations. Each takes a distinct approach to authentication, integration depth, and target use cases. The following breakdown covers the key considerations for security teams evaluating these platforms.
1. Panther
Panther is a cloud-native SIEM built on a security data lake architecture. It is designed for teams that treat detection engineering as a software discipline, use version control, test through CI/CD pipelines, and deploy with the same rigor as production software.
Panther released its open-source MCP server in collaboration with Block's security team, designing it specifically for AI-native detection engineering rather than retrofitting MCP onto an existing architecture. This partnership means the implementation reflects real enterprise security workflows and has undergone production testing.
Key Differentiators
Open-source transparency. You can inspect every line of code, contribute improvements, and avoid vendor lock-in. This MCP is the only open-source MCP implementation with enterprise validation.
Security data lake architecture. Your security data lives in infrastructure you control, and is queryable through standard SQL or PantherFlow. When you write detection rules or run threat hunts, you're operating on your data, not a vendor's abstraction layer.
Cross-platform orchestration. Connect Slack for notifications, Jira for ticketing, and GitHub for detection-as-code workflows. The open-source foundation means natural interoperability with other community MCP implementations.
Capabilities
The Panther MCP server exposes tools for alert management, data exploration, detection engineering, and schema inspection. Analysts can view, comment on, and update alert status while analyzing patterns across time ranges.
Data exploration is conducted using AI-generated SQL queries across the entire security data lake, with automated sample log retrieval helping teams understand unfamiliar data sources.
Detection engineers can create, modify, and validate rules through conversational workflows, and dynamic schema inspection automatically surfaces the structure of ingested logs.
Use Cases in Practice
The Panther MCP server supports four primary workflows:
Detection engineering: Build rules directly from actual log data in your security data lake. In Cursor, describe what you want to catch, like monitoring for newly created AWS admin accounts in a specific environment.
Alert triage: Aggregate and correlate alerts across timeframes conversationally. Ask Claude Desktop to group recent medium-severity or higher alerts by source IP, and get actionable summaries instead of raw data.
Threat investigation: Hunt through security logs using natural language queries. In Claude Desktop, request a CloudTrail analysis of authentication failures from the past day without writing SQL.
Operational troubleshooting: Diagnose and resolve platform issues, such as rule errors and system alerts. Generate performance insights, such as identifying which detection rules produce the highest alert volumes.
The server provides tools for interacting with alerts, log data, detection rules, data models, schemas, metrics, and user management, covering the full breadth of SOC workflows.
Authentication
Currently, Panther MCP does not support user-linked API keys or OAuth/SSO authentication. Access control is managed through API tokens that define permissions at the token level. The recommended approach is to create tokens scoped to each use case.
Threat hunting tokens may be limited to querying the data lake and schemas, while rule development tokens may require access to detections, alerts, and the data lake. If you need OAuth/SSO authentication, you can request this feature through Panther Support.
Best For
Teams that are serious about detection-as-code and organizations concerned about vendor lock-in or data ownership.
2. Splunk
Splunk is an enterprise SIEM with a broad ecosystem of apps and integrations. It uses Search Processing Language (SPL) for queries and has an ecosystem of apps and integrations.
Splunk has released an MCP server with conversational AI features and vendor support. For organizations already using Splunk, MCP integration could extend existing workflows rather than requiring a new platform. Access requires requesting enrollment through official Splunk channels.
Key Differentiators
Enterprise authentication. Full OAuth/SSO support with granular RBAC.
Vendor-managed deployment. MCP access is available through Splunk's official enrollment program, with onboarding supported through official channels.
Marketplace availability. Available across AWS Marketplace, Azure Marketplace, and Splunkbase, with integration into Splunk's AI Assistant for SPL generation.
Capabilities
Splunk's MCP server lets analysts run natural-language searches, translating conversational queries into SPL. Teams can access saved searches without remembering the exact syntax, explore indexes conversationally, and use the AI Assistant integration to generate SPLs.
Authentication
Full OAuth/SSO support with granular RBAC.
Best For
Organizations already using Splunk who want to add MCP capabilities to existing workflows. Note that MCP access requires enrollment through official Splunk channels, so teams should expect a more structured onboarding path compared to open-source alternatives.
3. Elastic Security
Elastic Security, built on Elasticsearch, combines SIEM capabilities with endpoint protection and cloud security. The platform has open-source roots and supports multiple deployment options.
Elastic has released an official MCP server (elastic/mcp-server-elasticsearch) and integrated MCP capabilities through Agent Builder. If you're running Elastic 9.2 or newer, MCP access is available through the Agent Builder MCP endpoint.
Key Differentiators
Official MCP server. Elastic maintains an official MCP server distributed via
docker.elastic.co/mcp/elasticsearch, supporting stdio, SSE, and streamable-HTTP transports.Elasticsearch operations. Natural language queries translate into Elasticsearch operations, including index management and complex aggregations.
Access patterns. Teams familiar with Elasticsearch will recognize the query patterns. Teams without Elasticsearch experience can use natural language instead.
Capabilities
The Agent Builder MCP endpoint gives AI clients access to built-in and custom tools. Natural language queries are translated into Elasticsearch operations for index management and aggregation. Custom tools can be added through the Agent Builder framework.
Authentication
API keys with Kibana application privileges. OAuth support is planned for future releases.
Tradeoffs
Teams on older Elastic versions need to upgrade to 9.2+ or Serverless to access MCP capabilities. The standalone mcp-server-elasticsearch exists as a bridge, but upgrading is the recommended path.Teams prioritising open-source portability may want to evaluate how that aligns with their long-term tooling strategy.
Best For
Organizations running Elastic Security who want MCP without deploying additional infrastructure.
4. Chronicle
Chronicle is Google Cloud's security operations platform that combines search infrastructure with Mandiant threat intelligence. It's designed for organizations using Google Cloud Platform.
Chronicle's MCP implementation is part of Google's broader mcp-security project, which includes MCP servers for SecOps, Google Threat Intelligence, and Security Command Center, with Gemini AI integration.
Key Differentiators
Google infrastructure. Mandiant Intelligence can be purchased separately or as part of the unified Google Security Operations package.
GCP-native authentication. Authentication flows through GCP IAM with Workforce Identity for RBAC.
Pricing model. Data retention is bundled within Chronicle's GCP licensing structure.
Capabilities
Chronicle's MCP server enables conversational queries across security events and alerts, with entity lookups and IOC matching. Specific MCP tools include gti-mcp.get_file_report for threat intelligence file reports and secops-mcp.search_security_events for security event searches. Mandiant threat intelligence integration surfaces context during investigations, and Gemini AI integration is available for teams using Google's AI capabilities.
Authentication
GCP IAM with Workforce Identity. Organizations that already manage permissions in Google Cloud use the same identity model.
Best For
Organizations with GCP-first strategies, especially those already using Chronicle. For multi-cloud environments, MCP workflows will be most naturally scoped to GCP services, which is worth factoring into integration planning.
How to Deploy MCP Servers in Your SOC
Deploying MCP servers securely requires decisions across four areas: authentication configuration, client selection, deployment strategy, and ongoing monitoring. This section walks through each step.
Step 1: Configure Authentication
Authentication determines who can access your security data through AI agents and what actions they can perform. Choose an approach that balances your security requirements with deployment complexity.
Token-based systems (Panther, Elastic) trade granular control for deployment speed. OAuth systems (Splunk) provide better audit trails and integration with enterprise identity providers, but add configuration complexity.
For token-based systems, scope tokens to specific use cases. A threat-hunting token might only need read access to the data lake and schemas, while a rule-development token requires access to detections, alerts, and data-exploration capabilities. This configuration limits the blast radius if a token is compromised.
Step 2: Select Your MCP Client
Your choice of MCP client shapes how analysts interact with security tools day-to-day. Each client optimizes for different workflows:
Claude Desktop works well for alert triage and investigation. Analysts query their SIEM conversationally during incident response.
Cursor suits detection engineering workflows, where natural language descriptions become production-ready rules.
VS Code with MCP extensions fits developer-focused workflows that integrate with existing toolchains.
Goose (developed by Block) targets enterprise automation scenarios requiring programmatic control.
Most teams start with one client and expand as they identify additional use cases. There's no requirement to standardize on a single client across the SOC—different roles often benefit from different interfaces.
Step 3: Plan Your Deployment Phases
Rushing to full deployment creates risk. A phased approach de-risks the implementation and builds organizational confidence in AI-powered workflows:
Phase 1: Pilot. Start small with a single MCP server for one security tool. This phase focuses on implementing basic RBAC and audit logging while testing with a small analyst team.
Phase 2: Limited Production. With the pilot validated, expand to 3 to 5 MCP tools with OAuth-secured deployment where available. This phase introduces cross-tool correlation workflows and establishes human approval gates for sensitive operations. Success means multi-tool orchestration functioning with full audit trails.
Phase 3: Full SOC Integration. Once confidence is established, deploy the complete MCP server ecosystem, enable real-time notifications, and scale for production load. Success means AI agents handling tier-1 operations with mandatory human oversight.
Once SIEM integration is stable, consider adding complementary MCP servers. Connecting Slack for notifications, Jira for ticketing, and GitHub for detection-as-code workflows turns MCP from a SIEM enhancement into an orchestration infrastructure.
For reference, Panther's MCP server can be installed locally using docker or uvx. Full installation instructions are available at the GitHub repository. Other platforms have their own installation paths documented in their respective documentation.
Step 4: Establish Monitoring and Governance
AI agents accessing security data require the same oversight you'd apply to any privileged access. Monitor your SIEM's MCP access by integrating MCP audit logs into your existing security monitoring. Kill-switch capabilities that can immediately suspend an AI agent's activity are essential in case something unexpected happens. Human oversight remains critical for high-impact actions: let AI investigate and recommend, but require analyst approval before execution.
For security best practices specific to each platform, consult its documentation. Panther's security best practices cover secrets management, server validation, and tool selection controls as a reference example.
Real Limitations of MCP Tools Worth Knowing
MCP isn't the right fit for every security workflow. Three categories of use cases consistently fall outside what the protocol handles well:
High-frequency automation where sub-second response times exceed MCP's design parameters. DDoS mitigation and IPS blocking need direct API calls, not AI reasoning overhead. The protocol's request-response cycle can't match microsecond latency requirements.
Air-gapped environments such as classified networks, isolated OT environments, and truly disconnected systems need traditional SOAR platforms or custom automation that doesn't rely on external AI services.
Deterministic compliance workflows, such as SOX audits, PCI DSS compliance validation, and similar regulatory requirements that expect identical inputs to produce identical outputs. Language models are non-deterministic by design. Rule-based automation remains the right choice when regulatory auditors need to see reproducible processes.
Beyond these use cases, LLM API calls can also add operational expenses. Some platforms may bundle MCP into licensing, while others charge separately for AI inference.
Security considerations are critical. The MCP ecosystem faces four significant security challenges that teams must address before production deployment:
Supply chain risks. Approximately 75% of MCP servers are built by individual developers without organizational backing or formal security review. Security researchers have identified documented vulnerabilities, including SQL injection in PostgreSQL MCP servers.
Expanded attack surface. Compromising a single MCP server could grant attackers broad access to connected security tools. The primary risk is the expanded attack surface created when AI models gain direct access to enterprise tools and data sources.
Prompt injection vulnerabilities. MCP's reliance on natural language processing creates vulnerabilities to prompt-injection and tool-manipulation attacks that traditional security tools cannot adequately address.
Regulatory compliance gaps. MCP currently lacks native support for audit trail requirements, data residency enforcement, and SLA guarantees expected by regulated industries (SOC 2, ISO 27001, PCI DSS, HIPAA).
These findings highlight the need for strong governance, validation layers, network segmentation, and careful security review before production deployment. Consult each platform's documentation for current security recommendations.
Getting Started with MCP Tools
The four SIEM implementations covered in this guide represent different approaches to MCP, each with distinct strengths around authentication, integration depth, and target workflows. Your environment, team skills, and strategic priorities around data ownership determine the right choice.
Organizations that prioritize data ownership and avoid vendor lock-in will find Panther's open-source implementation and security data lake architecture a good fit. The Block partnership shows the approach works at enterprise scale. Detection-as-code translates naturally into AI-powered workflows when your rules are already written in Python, and the open-source foundation means your methodology isn't tied to proprietary query languages.
MCP tools have the potential to transform security operations from manual investigation to AI-assisted workflows. The teams experimenting with these tools today are helping define how SOCs may operate in the future.
Autonomous SecOps, 24/7
Panther's AI SOC analyst reviews every alert, builds context from your logs, and escalates only what matters.
Share:
RESOURCES
