MCP Integration (Official)

AI-Powered Security with MCP

Bridge your AI agents with LiteSOC forensics. The official Model Context Protocol server gives tools like Cursor, Claude, and VS Code direct access to your live security alerts — without leaving your editor.

4 tools exposed
Zero config — runs via npx
SOC 2 audit trail on every action

Prerequisites

What you need before you start

Node.js ≥ 18

Required to run the MCP server via npx

Setup Guide

Choose your AI editor. The server runs automatically via npx — no global install needed.

1. Open Cursor MCP settings

Go to Cmd+Shift+P → Cursor Settings → Tools & MCP → enable MCP Servers.

2. Add the LiteSOC server

Click Add MCP Server and paste the following configuration:

{
  "mcpServers": {
    "litesoc": {
      "command": "npx",
      "args": ["-y", "@litesoc/mcp-server"],
      "env": {
        "LITESOC_API_KEY": "lsk_live_your_api_key_here"
      }
    }
  }
}

3. Replace the API key

Swap lsk_live_your_api_key_here with your real key from dashboard/settings.

4. Verify the connection

Open the Cursor composer and type @LiteSOC list my open alerts. You should see a response with live data from your project.
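
The configuration in step 2 puts the API key in the editor's MCP settings in plaintext and lets npx fetch the package without a version. The check below is an added example, not LiteSOC's own code, that flags both conditions in a config before it is committed or shared. The function name and sample key are constructed, and only the lsk_live_ prefix shown on this page is assumed about the key format.

```javascript
// Added example: audit an MCP client config before it is committed or shared.
// PLACEHOLDER is the sample value from the setup guide. The rest of the key
// format is not documented on the page, so only the lsk_live_ prefix is matched.
const PLACEHOLDER = "lsk_live_your_api_key_here";

function auditMcpConfig(jsonText) {
  const findings = [];
  const servers = JSON.parse(jsonText).mcpServers || {};
  for (const [name, server] of Object.entries(servers)) {
    // 1. Live-looking secrets written directly into the env block.
    for (const [key, value] of Object.entries(server.env || {})) {
      if (typeof value === "string" && value.startsWith("lsk_live_") && value !== PLACEHOLDER) {
        findings.push(`${name}: ${key} holds a live key in plaintext`);
      }
    }
    // 2. "npx -y" installs whatever version the registry currently serves,
    //    without a prompt, unless the package spec carries a version.
    const args = server.args || [];
    if (server.command === "npx" && (args.includes("-y") || args.includes("--yes"))) {
      // The first non-flag argument is the package spec.
      const spec = args.find((a) => !a.startsWith("-"));
      // A scoped name starts with "@", so look for a second "@" after it.
      const at = spec ? spec.indexOf("@", 1) : -1;
      const version = at === -1 ? "" : spec.slice(at + 1);
      if (spec && (version === "" || version === "latest")) {
        findings.push(`${name}: ${spec} is not pinned to a version`);
      }
    }
  }
  return findings;
}

// Constructed sample: the page's config with a made-up key in place of the placeholder.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    litesoc: {
      command: "npx",
      args: ["-y", "@litesoc/mcp-server"],
      env: { LITESOC_API_KEY: "lsk_live_CONSTRUCTED_EXAMPLE_VALUE" },
    },
  },
});

for (const finding of auditMcpConfig(SAMPLE_CONFIG)) console.log(finding);
```

A finding on the key means the file should stay out of version control and shared dotfiles. A finding on the package spec is cleared by appending an explicit @<version> to the package name.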

Available Tools

The MCP server exposes 4 tools your AI agent can call autonomously.

list_alerts (Pro+)
Fetch open security alerts filtered by severity, type, or status. Returns actor ID, source IP, and creation time.

Example prompt: "List all critical open alerts."

analyze_alert (Pro+)
Full forensic details for a single alert — VPN/Tor detection, geolocation, ISP data, and a Google Maps link.

Example prompt: "Analyze alert <id> and tell me if the actor used a VPN."

get_recent_events (All plans)
Fetch the latest raw security event logs. Filter by event name, actor ID, or severity.

Example prompt: "Show me the last 20 auth.login_failed events."

resolve_incident (Pro+)
Resolve or dismiss an alert with internal notes. Writes an immutable SOC 2-compliant audit log entry.

Example prompt: "Resolve alert <id> — confirmed false positive, internal IP."

The Power of MCP

Once connected, your AI agent can reason over your security posture in natural language.

@LiteSOC analyze my open alerts and suggest a fix.

Fetches all open alerts, cross-references forensic data, and returns prioritized remediation steps.

Are there any new threats detected in the last 10 minutes?

The agent calls get_recent_events and list_alerts, then summarizes what's happening right now.

Show me auth.login_failed events from Russia in the last hour.

Filters recent events by event name and cross-references geolocation data to build a threat picture.

Resolve alert abc-123 — confirmed false positive, internal office IP.

Calls resolve_incident with your notes. The action is logged to the immutable SOC 2 audit trail.

Is this user acting suspiciously? Their ID is user_456.

Searches events by actor ID to identify anomalous patterns — unusual hours, new devices, geo jumps.

Security & Privacy

The MCP server inherits all of LiteSOC's data isolation and privacy guarantees.

Tenant isolation

Every query is scoped to your organization. Cross-tenant access is enforced at the API level.

No credential storage

The API key is read from the environment at runtime and never written to disk or logs.

PII redaction

API keys, emails, and tokens are automatically masked in all log output.

SOC 2 audit trail

Every resolve_incident call writes an immutable audit log entry meeting CC7.2 requirements.

Ready to connect your AI agent?

Grab your API key from settings and you'll be up in under 2 minutes.