    MCP Server for CrowdStrike Falcon

    Sold by: CrowdStrike 
    Deployed on AWS
    falcon-mcp enables seamless communication between AI agents and the CrowdStrike Falcon platform. Deployable directly onto Amazon Bedrock AgentCore, it provides programmatic access to Falcon data for agentic workflows and accelerates AI-native security automation.
    4.6

    Overview

    This server provides a secure, scalable bridge between AI agents and the CrowdStrike Falcon platform, bringing security telemetry and threat intelligence directly into your AWS environment. Purpose-built for deployment on Amazon Bedrock AgentCore, the falcon-mcp server enables agentic applications to programmatically access detections, incidents, behaviors, and threat intelligence from the Falcon platform. This empowers AI agents to reason over rich security context, automate response workflows, and drive proactive defense across your cloud and enterprise environments. By exposing modular Falcon capabilities through a standardized interface, the falcon-mcp server supports a wide range of use cases, from autonomous incident triage and threat enrichment to building fully agentic, context-aware security operations workflows. The falcon-mcp server gives you the data access layer to build the foundation for an AI-native SOC, backed by the power of the CrowdStrike Falcon platform. To learn more about this resource and explore its capabilities, visit the official project page at: https://github.com/crowdstrike/falcon-mcp 

    Highlights

    • The falcon-mcp server establishes a consistent and secure protocol for agents to communicate with the CrowdStrike Falcon platform, enabling standardized integration across agentic systems.
    • It includes native support for deployment onto Amazon Bedrock AgentCore, making it easy to integrate into your AWS environment and power agentic workflows.
    • It is designed to support current and future Falcon platform capabilities, ensuring agentic workflows remain adaptive and comprehensive.

    Details

    Delivery option: Amazon Bedrock AgentCore
    Operating system: Linux
    Deployed on AWS
    Pricing

    This product is available free of charge. Free subscriptions have no end date and may be canceled any time.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Vendor refund policy

    All orders are non-cancellable and all fees and other amounts you pay under this Agreement are non-refundable.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

    Delivery details

    Amazon Bedrock AgentCore

    Supported services:
    • Amazon Bedrock AgentCore
    Container image

    Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.

    Version release notes

    Features

    • Client Credentials: You can now pass credentials directly through the client's init parameters, providing more flexibility in how you configure the Falcon client.
    • MITRE Report Formats: The Intel module now supports exporting MITRE reports in JSON or CSV format, making it easier to integrate threat intelligence data into your workflows.
    • Stateless HTTP Mode: Added a new stateless HTTP transport mode designed for scalable deployments, enabling better horizontal scaling of the MCP server.

    Bug Fixes

    • Fixed test expectations for the get_mitre_report function in the Intel module tests.

    Improvements

    • Reduced repeated API code patterns across modules for better maintainability.
    • Simplified the generate_md_table utility function.

    Additional details

    Usage instructions

    Prerequisites

    CrowdStrike API Credentials

    Create API credentials in your CrowdStrike console:

    1. Log into your CrowdStrike console
    2. Navigate to Support > API Clients and Keys
    3. Click Add new API client
    4. Configure your API client:
      • Client Name: Choose a descriptive name (e.g., "Falcon MCP Server")
      • Description: Optional description for your records
      • API Scopes: Select scopes based on which modules you plan to use (see scope requirements)
    5. Note down these values (you cannot retrieve them later):
      • FALCON_CLIENT_ID - Your API client ID
      • FALCON_CLIENT_SECRET - Your API client secret
      • FALCON_BASE_URL - Your API base URL (region-specific)

    AWS VPC Requirements

    The MCP Server requires internet connectivity to communicate with CrowdStrike's APIs.

    • Internet Gateway or NAT Gateway - Enables outbound internet connectivity
    • Outbound HTTPS Access - Allow communication to api.crowdstrike.com on port 443
    • Security Groups - Configure appropriate rules for your network requirements

    Environment Variables

    Configure these environment variables when deploying your AgentCore agent:

    Variable | Value | Description
    FALCON_CLIENT_ID | Your client ID | CrowdStrike API client ID
    FALCON_CLIENT_SECRET | Your client secret | CrowdStrike API client secret
    FALCON_BASE_URL | https://api.crowdstrike.com | API base URL (region-specific)
    FALCON_MCP_TRANSPORT | streamable-http | Transport protocol
    FALCON_MCP_HOST | 0.0.0.0 | Host binding
    FALCON_MCP_PORT | 8000 | Server port
    FALCON_MCP_USER_AGENT_COMMENT | AWS/Bedrock/AgentCore | Request identifier
    FALCON_MCP_STATELESS_HTTP | true | Required for AgentCore

    Important: FALCON_MCP_STATELESS_HTTP must be set to true for proper operation in AgentCore's stateless container environment.
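
    A preflight check for the variables in the table above, as an added example (not part of the listing or the falcon-mcp project). It assumes the table's AgentCore values are required as written, and it returns the API host that the outbound HTTPS rule has to allow. The names preflight, redacted and SAMPLE_ENV are hypothetical.

```python
from urllib.parse import urlsplit

# Values the page's table gives for AgentCore; None means "any non-empty value".
EXPECTED = {
    "FALCON_CLIENT_ID": None,
    "FALCON_CLIENT_SECRET": None,
    "FALCON_BASE_URL": None,
    "FALCON_MCP_TRANSPORT": "streamable-http",
    "FALCON_MCP_HOST": "0.0.0.0",
    "FALCON_MCP_PORT": "8000",
    "FALCON_MCP_STATELESS_HTTP": "true",
}

def preflight(env):
    """Return (problems, egress_host) for a proposed set of environment variables."""
    problems = []
    for name, expected in EXPECTED.items():
        value = env.get(name, "").strip()
        if not value:
            problems.append(f"{name} is not set")
        elif expected is not None and value.lower() != expected:
            problems.append(f"{name} should be {expected!r}, got {value!r}")
    base = env.get("FALCON_BASE_URL", "").strip()
    try:
        url = urlsplit(base)
        host = url.hostname if url.scheme == "https" else None
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        host = None
    if base and not host:
        problems.append("FALCON_BASE_URL must be an https:// URL with a host")
    # The host is what the outbound 443 rule has to allow; it differs per region.
    return problems, host

def redacted(env):
    """Copy of the FALCON_* settings that is safe to log: the secret is masked."""
    return {k: "***" if k == "FALCON_CLIENT_SECRET" else v
            for k, v in env.items() if k.startswith("FALCON_")}

# Constructed sample values, not real credentials.
SAMPLE_ENV = {
    "FALCON_CLIENT_ID": "example-client-id",
    "FALCON_CLIENT_SECRET": "example-client-secret",
    "FALCON_BASE_URL": "https://api.crowdstrike.com",
    "FALCON_MCP_TRANSPORT": "streamable-http",
    "FALCON_MCP_HOST": "0.0.0.0",
    "FALCON_MCP_PORT": "8000",
    "FALCON_MCP_USER_AGENT_COMMENT": "AWS/Bedrock/AgentCore",
    "FALCON_MCP_STATELESS_HTTP": "true",
}
```

    Run preflight() on the values before they go into the agent configuration, and log redacted() rather than the raw mapping.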

    Available Modules

    The Falcon MCP Server provides security tools organized into modules. Each module requires specific API scopes.

    Module | Purpose
    Cloud Security | Analyze Kubernetes containers and container image vulnerabilities
    Detections | Find and analyze detections for malicious activity
    Discover | Search application inventory across your environment
    Hosts | Manage and query host/device information
    Identity Protection | Entity investigation and identity protection analysis
    Incidents | Analyze security incidents and coordinated activities
    Intel | Research threat actors, IOCs, and intelligence reports
    Sensor Usage | Access and analyze sensor usage data
    Serverless | Search vulnerabilities in serverless functions
    Spotlight | Manage vulnerability data and security assessments

    Example tool invocation (search for recent detections):

    {
      "jsonrpc": "2.0",
      "id": "1",
      "method": "tools/call",
      "params": {
        "name": "falcon_search_detections",
        "arguments": { "filter": "status:'new'", "limit": 3 }
      }
    }

    Verify Deployment

    After deployment, verify connectivity by invoking the falcon_check_connectivity tool:

    {
      "jsonrpc": "2.0",
      "id": "1",
      "method": "tools/call",
      "params": { "name": "falcon_check_connectivity" }
    }

    Additional Resources

    For full details, visit the Falcon MCP GitHub repository.

    Support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    Ratings and reviews

    4.6 (81 ratings)
    5 star: 43%
    4 star: 49%
    3 star: 7%
    2 star: 0%
    1 star: 0%
    0 AWS reviews | 81 external reviews
    External reviews are from G2.
    Prasanth K.

    Powerful Cloud Security with Great Visibility, But Some Learning Curve and Pricing Concerns

    Reviewed on Dec 20, 2025
    Review provided by G2
    What do you like best about the product?
    I like how easily it plugs into our AWS environment and gives us real‑time visibility into what’s happening across our cloud workloads. The threat detection is strong — it quickly flags unusual behavior or misconfigurations without a lot of noise. I also appreciate how lightweight it is; it doesn’t slow anything down and requires very little maintenance once it’s set up. The unified dashboard makes it simple to monitor EC2 instances, containers, and IAM risks all in one place, which saves a lot of time during investigations.
    What do you dislike about the product?
    I’ve noticed that some of the findings can feel a bit noisy at times, especially when it flags low‑risk configuration issues that don’t always need immediate attention. The pricing can also be on the higher side as you scale, which makes it harder for smaller teams to justify. And while the dashboard is powerful, it takes a little time to get used to where everything lives, especially when switching between cloud and workload views.

    However, even the security scans do the same, so this is not a major complaint.
    What problems is the product solving and how is that benefiting you?
    It helps us spot security risks in our AWS environment much earlier, especially things like misconfigurations, unusual activity or access, or workloads behaving in ways they shouldn’t be. It also gave us a single place to monitor everything, so we don't have to jump between different AWS tools to understand what’s going on. The automated alerts and clear visibility make investigations faster in most environments, and that cuts down the time we spend chasing issues. Overall, it keeps our cloud setup safer and lets us focus more on building instead of constantly worrying about security gaps that users introduce.
    Eduardo M.

    Comprehensive Cloud Security with Real-Time Threat Protection

    Reviewed on Dec 04, 2025
    Review provided by G2
    What do you like best about the product?
    What I appreciate most about CrowdStrike Falcon Cloud Security is how it delivers unified visibility and intelligent protection throughout the entire cloud environment.
    What do you dislike about the product?
    One aspect I find less appealing about CrowdStrike Falcon Cloud Security is its expensive pricing, which, combined with its complexity, can make it difficult for smaller teams to handle effectively.
    What problems is the product solving and how is that benefiting you?
    CrowdStrike Falcon Cloud Security addresses cloud misconfigurations and provides real-time threat detection, enhancing our security while also minimizing the need for manual intervention.
    Furkan .

    “Fast, accurate, and highly dependable endpoint protection”

    Reviewed on Nov 19, 2025
    Review provided by G2
    What do you like best about the product?
    “The platform provides excellent threat visibility, a lightweight agent, and highly accurate real-time detection. It is very reliable, performs consistently well, and the investigation and response capabilities are strong. The management console is intuitive, and the detection quality is noticeably hig
    What do you dislike about the product?
    “Overall, I am very satisfied. I would only prefer to see some advanced filtering options on the dashboard become more intuitive. Other than that, I have not experienced any significant issues.”
    What problems is the product solving and how is that benefiting you?
    “It helps us maintain continuous visibility across our cloud workloads and quickly detect misconfigurations, vulnerabilities, and abnormal behaviors. By consolidating cloud posture management, threat detection, and analytics on a single platform, it significantly reduces investigation time and strengthens our overall cloud security posture. This results in faster response, reduced operational overhead, and greater confidence in the security of our cloud environment.”
    Amar K.

    Real-Time Threat Detection with Insightful Dashboard Reports

    Reviewed on Nov 18, 2025
    Review provided by G2
    What do you like best about the product?
    The platform offers real-time threat detection and displays reports directly on the dashboard.
    What do you dislike about the product?
    My main concern with this product is its cost. Additionally, it tends to use a significant amount of system resources, and its features are quite limited when used offline.
    What problems is the product solving and how is that benefiting you?
    It helps protect against serious threats such as zero-day attacks and ransomware, reducing the risk of successful breaches. This added layer of security makes me feel more confident about my system's safety.
    Gibs S.

    Centralized and Practical—A Top Security Platform

    Reviewed on Oct 24, 2025
    Review provided by G2
    What do you like best about the product?
    It is one of the best security platforms available today. It is practical and everything is centralized.
    What do you dislike about the product?
    When you need to find a specific function, it can be a little tricky to locate it.
    What problems is the product solving and how is that benefiting you?
    The updated organization of workloads, meaning it is easier to find the configuration you need.