
    MCP Server for CrowdStrike Falcon

    Sold by: CrowdStrike 
    Deployed on AWS
    falcon-mcp enables seamless communication between AI agents and the CrowdStrike Falcon platform. Deployable directly onto Amazon Bedrock AgentCore, it provides programmatic access to Falcon data for agentic workflows and accelerates AI-native security automation.
    4.6

    Overview

    This server provides a secure, scalable bridge between AI agents and the CrowdStrike Falcon platform, bringing security telemetry and threat intelligence directly into your AWS environment. Purpose-built for deployment on Amazon Bedrock AgentCore, the falcon-mcp server enables agentic applications to programmatically access detections, incidents, behaviors, and threat intelligence from the Falcon platform. This empowers AI agents to reason over rich security context, automate response workflows, and drive proactive defense across your cloud and enterprise environments. By exposing modular Falcon capabilities through a standardized interface, the falcon-mcp server supports a wide range of use cases, from autonomous incident triage and threat enrichment to building fully agentic, context-aware security operations workflows. The falcon-mcp server gives you the data access layer to build the foundation for an AI-native SOC, backed by the power of the CrowdStrike Falcon platform. To learn more about this resource and explore its capabilities, visit the official project page at: https://github.com/crowdstrike/falcon-mcp 

    Highlights

    • The falcon-mcp server establishes a consistent and secure protocol for agents to communicate with the CrowdStrike Falcon platform, enabling standardized integration across agentic systems.
    • It includes native support for deployment onto Amazon Bedrock AgentCore, making it easy to integrate into your AWS environment and power agentic workflows.
    • It is designed to support current and future Falcon platform capabilities, ensuring agentic workflows remain adaptive and comprehensive.

    Details

    Delivery method

    Type

    Supported services

    Delivery option: Amazon Bedrock AgentCore

    Latest version

    Operating system: Linux


    Features and programs

    Trust Center

    Access real-time vendor security and compliance information through their Trust Center powered by Drata or Vanta. Review certifications and security standards before purchase.

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

    Pricing

    MCP Server for CrowdStrike Falcon

    This product is available free of charge. Free subscriptions have no end date and may be canceled any time.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Vendor refund policy

    All orders are non-cancellable and all fees and other amounts you pay under this Agreement are non-refundable.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Amazon Bedrock AgentCore

    Supported services:
    • Amazon Bedrock AgentCore
    Container image

    Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.

    Version release notes

    0.12.0 (2026-06-11)

    Features

    Additional details

    Usage instructions

    Prerequisites

    CrowdStrike API Credentials

    Create API credentials in your CrowdStrike console:

    1. Log into your CrowdStrike console
    2. Navigate to Support > API Clients and Keys
    3. Click Add new API client
    4. Configure your API client:
      • Client Name: Choose a descriptive name (e.g., "Falcon MCP Server")
      • Description: Optional description for your records
      • API Scopes: Select scopes based on which modules you plan to use (see scope requirements)
    5. Note down these values (you cannot retrieve them later):
      • FALCON_CLIENT_ID - Your API client ID
      • FALCON_CLIENT_SECRET - Your API client secret
      • FALCON_BASE_URL - Your API base URL (region-specific)

    AWS VPC Requirements

    The MCP Server requires internet connectivity to communicate with CrowdStrike's APIs.

    • Internet Gateway or NAT Gateway - Enables outbound internet connectivity
    • Outbound HTTPS Access - Allow communication to api.crowdstrike.com on port 443
    • Security Groups - Configure appropriate rules for your network requirements

    Getting Started

    To deploy the Falcon MCP Server to Amazon Bedrock AgentCore:

    1. Visit the Falcon MCP Server on AWS Marketplace 
    2. Follow the subscription and deployment instructions
    3. Configure your CrowdStrike API credentials and environment variables as described below

    Usage Instructions

    Environment Variables

    Set the environment variables in the deployment form below; recommended AgentCore values are pre-filled. FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, and FALCON_BASE_URL are required, and FALCON_MCP_STATELESS_HTTP must remain true for AgentCore.
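
    A pre-deployment check for the variables named above, written for this page as an added example (it is not part of falcon-mcp or the listing). The function name `check_falcon_env`, the crowdstrike.com host rule, and the literal string "true" for the flag are assumptions; the sample values are constructed.

```python
from urllib.parse import urlsplit

# Variable names and the "must remain true" rule come from the listing text.
REQUIRED = ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET", "FALCON_BASE_URL")


def check_falcon_env(env):
    """Return a list of problems in a deployment's environment mapping."""
    problems = []
    for name in REQUIRED:
        value = env.get(name, "")
        if not value.strip():
            problems.append(f"{name} is missing or empty")
        elif value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")

    base = env.get("FALCON_BASE_URL", "").strip()
    if base:
        url = urlsplit(base)
        host = (url.hostname or "").lower()
        try:
            port = url.port
        except ValueError:
            port = -1  # port present but not a valid number
        if url.scheme != "https":
            problems.append("FALCON_BASE_URL must use https")
        if port not in (None, 443):
            problems.append("FALCON_BASE_URL must use port 443")
        if url.username or url.password:
            problems.append("FALCON_BASE_URL must not embed credentials")
        # Assumption (not stated on the page): regional API hosts are
        # subdomains of crowdstrike.com, like api.crowdstrike.com. A host
        # outside that domain would receive the client secret.
        if not host.endswith(".crowdstrike.com"):
            problems.append(f"FALCON_BASE_URL host {host!r} is not under crowdstrike.com")

    # Assumption: the form stores the flag as the literal string "true".
    if env.get("FALCON_MCP_STATELESS_HTTP", "").strip().lower() != "true":
        problems.append("FALCON_MCP_STATELESS_HTTP must remain true for AgentCore")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"FALCON_CLIENT_ID": "constructed-id",
              "FALCON_BASE_URL": "http://api.crowdstrike.com.example.net:8080",
              "FALCON_MCP_STATELESS_HTTP": "false"}
    for problem in check_falcon_env(sample):
        print(problem)
```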

    Key Capabilities

    • Threat Investigation - Search detections by severity, time range, hostname, or MITRE ATT&CK technique.
    • Fleet Management - Find hosts by platform, sensor version, network segment, or containment status.
    • Vulnerability Hunting - Access Spotlight CVE data with ExPRT ratings and remediation priorities.
    • Threat Intelligence - Look up threat actors, indicators, and intelligence reports.
    • Cloud Security - Search CSPM assets, container images, and Kubernetes workloads.
    • Identity Protection - Investigate entities, analyze timelines, and map relationships.
    • Query Capabilities - Run searches against CrowdStrike Next-Gen SIEM using CQL.
    • IOC Management - Search, create, and remove custom indicators of compromise.
    • Firewall Auditing - Search and manage Falcon firewall rule groups.

    Additional modules support Real Time Response, Scheduled Reports, Shield, and more. For the full module list and required API scopes, see the Falcon MCP modules overview.

    Example tool invocation (search for recent detections):

    { "jsonrpc": "2.0", "id": "1", "method": "tools/call", "params": { "name": "falcon_search_detections", "arguments": { "filter": "status:'new'" } } }

    Additional Resources

    For full details, visit the Falcon MCP documentation.

    Support

    Vendor support

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Customer reviews

    Ratings and reviews

    4.6 (89 ratings)
    5 star: 80%, 4 star: 20%, 3 star: 0%, 2 star: 0%, 1 star: 0%
    0 AWS reviews | 89 external reviews
    External reviews are from G2.
    Information Technology and Services

    Unified CNAPP Platform Covering App, Data, Infrastructure, and Runtime Security

    Reviewed on Jun 18, 2026
    Review provided by G2
    What do you like best about the product?
    It provides a single CNAPP platform that covers application, data, infrastructure, and runtime security. This aligns well with enterprise needs to avoid fragmented controls and reduce siloed alerts.
    What do you dislike about the product?
    The heavy dependency on SaaS availability creates vendor lock-in and introduces a real risk to overall availability. Also requires skilled SOC / cloud security teams & slower adoption in DevSecOps pipelines without proper training.
    What problems is the product solving and how is that benefiting you?
    Organizations use multiple siloed tools (CSPM, CWPP, container security, etc.), leading to poor visibility, tool sprawl, and integration gaps.

    CrowdStrike provides a unified CNAPP platform integrating multiple cloud security capabilities into one solution.
    anand a.

    Unified Cloud Visibility That Finally Makes CSPM Manageable

    Reviewed on Jun 17, 2026
    Review provided by G2
    What do you like best about the product?
    Managing cloud security posture across our environment used to be a headache. Falcon Cloud Security gives us unified visibility across workloads and containers with clear, actionable findings. The CSPM capabilities are mature and the integration with our CI/CD pipeline was straightforward.
    What do you dislike about the product?
    Pricing can be difficult to predict as your cloud footprint grows. Cost visibility could be clearer, especially for teams managing multiple cloud accounts.
    What problems is the product solving and how is that benefiting you?
    We struggled to maintain consistent security policies across multi-cloud environments. Falcon Cloud Security solved our blind spots by giving us a single pane of glass for cloud workload protection. We’ve significantly reduced misconfigurations that previously went unnoticed for weeks.
    Computer Software

    Quiet, Unobtrusive Endpoint Security That Just Works

    Reviewed on Jun 17, 2026
    Review provided by G2
    What do you like best about the product?
    It runs quietly in the background without noticeably slowing down my laptop, which was my main concern when it was first installed by our IT team. I rarely notice it's there during regular work — no constant pop-ups or interruptions during video calls or while running other applications. It also gives me a sense of reassurance knowing endpoint security is being handled centrally by our organization (Capgemini) without me having to manage anything manually.
    What do you dislike about the product?
    As an end user, I don't have visibility into the dashboard, alerts, or detailed security reports, so it's hard for me to comment on the deeper analytics or threat-detection capabilities. Occasionally I've noticed minor lag during system startup, though I can't be fully certain this is due to Falcon specifically or other background processes. I'd also appreciate clearer communication or a simple status indicator showing that protection is active, just for peace of mind.
    What problems is the product solving and how is that benefiting you?
    It protects my work laptop from malware and other endpoint threats without requiring any action on my part, which lets me focus on my actual work instead of worrying about security. Since it's managed centrally by our IT/security team, I don't need to run manual scans or worry about updates — everything happens automatically in the background.
    André B.

    Maximum visibility of the cloud environment.

    Reviewed on May 19, 2026
    Review provided by G2
    What do you like best about the product?
    With minimal effort to connect the environments to CrowdStrike, we have a wealth of visibility, real-time monitoring, and a complete overview of any flaws and vulnerabilities the environment may have.
    What do you dislike about the product?
    The environment has been updated and has resolved the difficulties we previously had.
    What problems is the product solving and how is that benefiting you?
    It solves all the visibility issues, as the cloud environment can be very branched due to its characteristics, and CrowdStrike helps in this overall view.
    MANI CHANDRA T.

    Strong Runtime and Container Security with Solid Threat Intelligence

    Reviewed on May 07, 2026
    Review provided by G2
    What do you like best about the product?
    Agent + agentless approach.

    Threat intelligence integration is solid, and the runtime and container security are strong.
    What do you dislike about the product?
    Cost and licensing complexity remain a concern for me. In some cases, cloud-native competitors feel cleaner and more straightforward. I also run into UI and workflow friction that makes day-to-day use less smooth than I’d like.
    What problems is the product solving and how is that benefiting you?
    Most companies today run workloads across AWS, Azure, Kubernetes, containers, SaaS apps, and remote endpoints. Security teams often end up with separate tools for posture management, runtime protection, identity monitoring, vulnerability scanning, and incident response. Falcon tries to consolidate those into a single platform.