How to Use the CrowdStrike Falcon MCP in Claude Code

Q: Can I use Claude Code to isolate a compromised host through CrowdStrike Falcon?

Yes. You can command Claude Code to run containdevice on a specific host ID. The network containment takes effect immediately, cutting off the compromised machine.

Pipeline threat intelligence and quarantine hosts directly from your terminal using Claude Code.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect CrowdStrike Falcon MCP to Claude Code

Create your Vinkius account to connect CrowdStrike Falcon to Claude Code and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup CrowdStrike Falcon with Claude Code

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Run headless threat hunts in Claude Code

The `search_hosts` tool fetches full device inventory details directly into your terminal session. You can query thousands of endpoints with simple natural language commands instead of writing complex API scripts. Once the agent locates the targets, you can pipe the output to other terminal utilities. It makes auditing your fleet's security posture as fast as running a standard bash command.

Automate IOC deployment with this MCP Server

The `create_ioc` tool registers threat indicators like SHA256 hashes, domains, and IP addresses straight from your shell. If you are investigating a server breach, you can feed malicious hashes to Falcon instantly. By integrating this MCP Server into your terminal workflow, you can audit existing definitions using `list_iocs`. It keeps your network defenses updated without opening a browser.

Control incident lifecycles on the command line

The `list_incidents` tool queries your active security queue using FQL filter syntax. You filter by severity or date range to isolate the exact alerts that demand your attention. When you resolve a threat, the agent calls `update_detection` to close the alert and add triage comments. This lets you manage your entire security operations queue without leaving your SSH session.

Setup guide

Set up CrowdStrike Falcon MCP in Claude Code

Prerequisites

Claude Code CLI installed (npm install -g @anthropic-ai/claude-code)
Active Vinkius subscription with a valid endpoint token

1

Run the add command

Open your terminal and run the command shown on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com. Use --scope user to make it available across all projects.
2

Verify the connection

Start a Claude Code session and type /mcp to list connected servers. You should see crowdstrike-falcon-mcp with a green status indicator.
3

Start using tools

Ask Claude Code something like "Check my latest CrowdStrike Falcon transactions." It will automatically discover and invoke the available CrowdStrike Falcon tools.

Terminal

claude mcp add --transport http crowdstrike-falcon-mcp https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp

Get your connection token →

Prerequisites

Claude Code CLI installed
Active Vinkius subscription with a valid endpoint token

1

Open the config file

Create or edit .mcp.json in your project root for project-level scope, or ~/.claude.json for user-level scope.
2

Add the CrowdStrike Falcon MCP

Paste the JSON snippet shown on the right into the mcpServers object. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Restart Claude Code

Start a new Claude Code session. Type /mcp to confirm the server is connected. The tools will be automatically available in your conversation.

.mcp.json

{
  "mcpServers": {
    "crowdstrike-falcon-mcp": {
      "type": "url",
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by CrowdStrike Falcon. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect CrowdStrike Falcon now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about CrowdStrike Falcon MCP in Claude Code

Yes. You can command Claude Code to run `contain_device` on a specific host ID. The network containment takes effect immediately, cutting off the compromised machine.

Run a command asking the agent to check Spotlight vulnerabilities. It calls `list_vulnerabilities` and prints the active CVEs and severity levels directly to your stdout.

Absolutely. Because Claude Code is a CLI tool, you can script it to run `list_detections` in your deployment pipelines. It flags active threats before you push code to production.

The agent translates your plain English queries into precise Falcon Query Language syntax. It applies these filters to tools like `list_incidents` to return exact matches.

Vinkius uses an isolated V8 sandbox to execute the MCP Server, keeping your session ephemeral. Your detection alerts, triage comments, and API tokens remain encrypted in transit and are never stored.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript