Sold by: CrowdStrike
Deployed on AWS
falcon-mcp enables seamless communication between AI agents and the CrowdStrike Falcon platform. Deployable directly onto Amazon Bedrock AgentCore, it provides programmatic access to Falcon data for agentic workflows and accelerating AI-native security automation.
4.6
Overview
This server provides a secure, scalable bridge between AI agents and the CrowdStrike Falcon platform, bringing security telemetry and threat intelligence directly into your AWS environment. Purpose-built for deployment on Amazon Bedrock AgentCore, the falcon-mcp server enables agentic applications to programmatically access detections, incidents, behaviors, and threat intelligence from the Falcon platform. This empowers AI agents to reason over rich security context, automate response workflows, and drive proactive defense across your cloud and enterprise environments. By exposing modular Falcon capabilities through a standardized interface, the falcon-mcp server supports a wide range of use cases, from autonomous incident triage and threat enrichment to building fully agentic, context-aware security operations workflows. The falcon-mcp server gives you the data access layer to build the foundation for an AI-native SOC, backed by the power of the CrowdStrike Falcon platform. To learn more about this resource and explore its capabilities, visit the official project page at: https://github.com/crowdstrike/falcon-mcp
Highlights
- The falcon-mcp server establishes a consistent and secure protocol for agents to communicate with the CrowdStrike Falcon platform, enabling - standardized integration across agentic systems.
- It includes native support for deployment onto Amazon Bedrock AgentCore, making it easy to integrate into your AWS environment and power agentic workflows.
- It is designed to support current and future Falcon platform capabilities, ensuring agentic workflows remain adaptive and comprehensive.
Details
Sold by
Categories
Delivery method
Type
Supported services
Delivery option
Amazon Bedrock AgentCore
Latest version
Operating system
Linux
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Trust Center
Access real-time vendor security and compliance information through their Trust Center powered by Drata or Vanta. Review certifications and security standards before purchase.
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
This product is available free of charge. Free subscriptions have no end date and may be canceled any time.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Vendor refund policy
All orders are non-cancellable and all fees and other amounts you pay under this Agreement are non-refundable.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
Amazon Bedrock AgentCore
Supported services: Learn more
- Amazon Bedrock AgentCore
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
Additional details
Usage instructions
Prerequisites
CrowdStrike API Credentials
Create API credentials in your CrowdStrike console:
- Log into your CrowdStrike console
- Navigate to Support > API Clients and Keys
- Click Add new API client
- Configure your API client:
- Client Name: Choose a descriptive name (e.g., "Falcon MCP Server")
- Description: Optional description for your records
- API Scopes: Select scopes based on which modules you plan to use (see scope requirements )
- Note down these values (you cannot retrieve them later):
- FALCON_CLIENT_ID - Your API client ID
- FALCON_CLIENT_SECRET - Your API client secret
- FALCON_BASE_URL - Your API base URL (region-specific)
AWS VPC Requirements
The MCP Server requires internet connectivity to communicate with CrowdStrike's APIs.
- Internet Gateway or NAT Gateway - Enables outbound internet connectivity
- Outbound HTTPS Access - Allow communication to api.crowdstrike.com on port 443
- Security Groups - Configure appropriate rules for your network requirements
Getting Started
To deploy the Falcon MCP Server to Amazon Bedrock AgentCore:
- Visit the Falcon MCP Server on AWS Marketplace
- Follow the subscription and deployment instructions
- Configure your CrowdStrike API credentials and environment variables as described below
Usage Instructions
Environment Variables
Set the environment variables in the deployment form below; recommended AgentCore values are pre-filled. FALCON_CLIENT_ID, FALCON_CLIENT_SECRET, and FALCON_BASE_URL are required, and FALCON_MCP_STATELESS_HTTP must remain true for AgentCore.
Key Capabilities
- Threat Investigation - Search detections by severity, time range, hostname, or MITRE ATT&CK technique.
- Fleet Management - Find hosts by platform, sensor version, network segment, or containment status.
- Vulnerability Hunting - Access Spotlight CVE data with ExPRT ratings and remediation priorities.
- Threat Intelligence - Look up threat actors, indicators, and intelligence reports.
- Cloud Security - Search CSPM assets, container images, and Kubernetes workloads.
- Identity Protection - Investigate entities, analyze timelines, and map relationships.
- Query Capabilities - Run searches against CrowdStrike Next-Gen SIEM using CQL.
- IOC Management - Search, create, and remove custom indicators of compromise.
- Firewall Auditing - Search and manage Falcon firewall rule groups.
Additional modules support Real Time Response, Scheduled Reports, Shield, and more. For the full module list and required API scopes, see the Falcon MCP modules overview .
Example tool invocation (search for recent detections):
{ "jsonrpc": "2.0", "id": "1", "method": "tools/call", "params": { "name": "falcon_search_detections", "arguments": { "filter": "status:'new'" } } }Additional Resources
For full details, visit the Falcon MCP documentation .
Support
Vendor support
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
The Wiz Model Context Protocol (MCP) Server acts as an MCP-compatible service that translates plain-language queries into Wiz-specific operations, like querying resources, or assessing risks.
A Terraform MCP Server has been implemented to streamline workflows, allowing developers to write and validate Infrastructure as Code efficiently. This eliminates disruptive context-switching and enables faster, more confident provisioning of cloud infrastructure.
Tavily MCP is a lightweight server that enables AI assistants to perform real time web search, intelligent crawling, and structured data extraction through the Model Context Protocol (MCP).
The Vault MCP Server enables operators to use natural language to perform basic queries and operations in Vault, which would otherwise require traditional methods of issuing requests to Vault via Vault API.
Note: This Vault MCP Server release is experimental in nature and intended for development, testing, and evaluation purposes. Use of the Vault MCP server in production settings is not recommended at this time.
Customer reviews
André B.
Maximum visibility of the cloud environment.
Reviewed on May 19, 2026
Review provided by G2
What do you like best about the product?
With minimal effort to connect the environments to Crowdstrike, we have a wealth of visibility, real-time monitoring, and a complete overview of any flaws and vulnerabilities the environment may have.
What do you dislike about the product?
The environment has been updated and has resolved the difficulties we previously had.
What problems is the product solving and how is that benefiting you?
It solves all the visibility issues, as the cloud environment can be very branched due to its characteristics, and Crowdstrike helps in this overall view.
MANI CHANDRA T.
Strong Runtime and Container Security with Solid Threat Intelligence
Reviewed on May 07, 2026
Review provided by G2
What do you like best about the product?
Agent + agentless approach.
Threat intelligence integration is solid, and the runtime and container security are strong.
Threat intelligence integration is solid, and the runtime and container security are strong.
What do you dislike about the product?
Cost and licensing complexity remain a concern for me. In some cases, cloud-native competitors feel cleaner and more straightforward. I also run into UI and workflow friction that makes day-to-day use less smooth than I’d like.
What problems is the product solving and how is that benefiting you?
Most companies today run workloads across AWS, Azure, Kubernetes, containers, SaaS apps, and remote endpoints. Security teams often end up with separate tools for posture management, runtime protection, identity monitoring, vulnerability scanning, and incident response. Falcon tries to consolidate those into a single platform.
Consumer Goods
Smashing your head into a server rack? Admin, Meet Crowdstrike Falcon Cloud Security!
Reviewed on Apr 09, 2026
Review provided by G2
What do you like best about the product?
As with any Crowdstrike product, you get a UI/UX experience that is easy to manage, and not insane to look at lol. I LOVE the fact that you can get agentless visibility with agent-based protection. That's an absolute game changer. Being able to get visibility into something before we get an agent on it, and insanely cool. The three pillars of CNAPP being CSPM (Cloud Security Posture Management), CWP (Cloud Workload Protection), and CDR (Cloud Detection and Response) - it really cant get any better. Performance is EXCELLENT. Ability to integrate with other platforms is unparalelled, and the pricing for what you get is really competitive. Plus, you know that with any Crowdstrike product you get, you get amazing support via phone or Chat. Being able to whip into a chat session with a fellow experienced IT person, is just the cherry on top. If you ever have a question, you can also run it through Charlotte AI - we use it all the time.
What do you dislike about the product?
Again, with ANY Crowdstrike product that you use, there is going to be a learning curve, and some greater than others. This is not your fathers "click boxes and forget it forever" security product. This is for those that know that they need the best CNAPP out there, to protect their cloud assets. Crowdstrike has mounds of documenatation, and super informative training videos to help you get up to speed though!
What problems is the product solving and how is that benefiting you?
We are currently loving the Cloud Security Posture Management CPSM module! It helps us maintain compliance and an ultra robust, and informed security posture in areas that traditional tools are vastly unprepared for.
Jose M.
Solid Cloud Asset Security with Easy Deployment and API Integration
Reviewed on Apr 09, 2026
Review provided by G2
What do you like best about the product?
It provides a solid platform for securing cloud assets, with strong solutions that enhance protection against threats and data breaches and help prevent them. Ease deployment accross envoriment and an ease integration with API Connector and some other options.
What do you dislike about the product?
To get the best results and achieve a strong security posture for your cloud assets, it’s necessary to have a complete Crowdstrike environment. This helps ensure full visibility and provides all the telemetry needed to deliver a solid response to the different threats you may face in a cloud platform environment.
What problems is the product solving and how is that benefiting you?
Falcon Cloud Security provides threat prevention and helps tackle data leaks in your cloud environment.
Ankush v.
Powerful and Reliable Cloud Security with Great Visibility
Reviewed on Mar 09, 2026
Review provided by G2
What do you like best about the product?
What I like best about **CrowdStrike Falcon Cloud Security** is its ease of use and quick implementation. The platform provides strong visibility and a wide range of security features while maintaining a simple and intuitive interface. It integrates smoothly with existing cloud environments and tools, making deployment and daily usage efficient. We use it frequently for monitoring and threat detection, and the customer support team is responsive and helpful whenever needed.
What do you dislike about the product?
One downside of CrowdStrike Falcon Cloud Security is that the pricing can be relatively high compared to some other cloud security solutions, especially for smaller organizations. The platform can also generate a large number of alerts, which sometimes require manual investigation and tuning to reduce noise. Additionally, the interface and dashboards can feel a bit complex for new users, and some advanced configurations may require experienced security administrators
What problems is the product solving and how is that benefiting you?
CrowdStrike Falcon Cloud Security helps us solve problems related to cloud visibility, misconfigurations, and advanced threat detection. It continuously monitors our cloud workloads and quickly identifies vulnerabilities, suspicious activity, and potential attacks. This allows our team to respond faster, reduce security risks, and maintain a stronger overall cloud security posture while simplifying security management across different cloud environments.