Lacework MCP. Audit your entire cloud security posture instantly.
Works with every AI agent you already use, and any MCP-compatible client
Just plug in your AI agents and start using Vinkius.
Lacework (Cloud Security & CNAPP) MCP Server. Search security alerts, audit cloud assets, and scan vulnerabilities across your entire cloud footprint.
This server lets your AI client query real-time cloud control-plane data, execute specialized threat hunting queries (LQL), and map resource groups to ensure your infrastructure meets compliance needs.
Get immediate visibility into critical CVEs and unmanaged resources without logging into a dashboard.
What your AI agents can do
Execute query
Runs a specialized LQL query to find API key bypasses, unusual login patterns, or process trees.
Get alert
Extracts deep details about a security alert, including the specific AWS account or container SHA involved.
List container vulnerabilities
Checks ECR or DockerHub registries for static image vulnerabilities before they are deployed.
Query the real-time cloud control-plane to find all running instances, networking perimeters, and unmanaged buckets.
Scan the entire cloud infrastructure to identify specific nodes that are vulnerable to a designated CVE.
Search for deep behavioral telemetry related to anomalous activity, such as Kubernetes process issues or IAM brute-force attempts.
Examine container registries (ECR, DockerHub) for images carrying critical, inherited CVEs before they get deployed.
List known vulnerabilities (like Log4j) that are actively running on cloud hosts and VMs.
Execute specialized Lacework Query Language (LQL) requests to analyze complex datasets for abuse or unusual patterns.
Lacework (Cloud Security & CNAPP) MCP Server: 10 Tools
These tools let your AI client perform deep security checks, query asset inventories, and run specialized threat hunting queries across your Lacework data.
execute_query
Runs a specialized LQL query to find API key bypasses, unusual login patterns, or process trees.
get_alert
Extracts deep details about a security alert, including the specific AWS account or container SHA involved.
list_container_vulnerabilities
Checks ECR or DockerHub registries for static image vulnerabilities before they are deployed.
list_host_vulnerabilities
Lists known vulnerabilities actively running on cloud hosts and VMs.
list_lql_queries
Provides a list of all available Lacework Query Language (LQL) structures for querying data.
list_resource_groups
Lists logical resource groups, helping define 'Production' versus 'Staging' policies.
list_security_policies
Retrieves all global cloud security policies enforced by Lacework.
search_alerts
Finds recent cloud security alerts, mapping events like Kubernetes anomalies or AWS IAM brute-force attempts.
search_cloud_inventory
Queries the real-time cloud control-plane to list running instances, networking perimeters, or unrestricted S3 buckets.
search_cve_exposure
Filters the entire cloud infrastructure to determine which specific machines are vulnerable to a designated CVE.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Lacework (Cloud Security & CNAPP), then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
You connect your AI client to the Lacework MCP Server. This lets your agent query real-time cloud control-plane data, find vulnerabilities, and audit your whole cloud footprint without you having to log into a dashboard. You'll check for running instances, networking perimeters, and unmanaged S3 buckets using search_cloud_inventory. You'll run a deep search for security alerts using search_alerts, finding things like Kubernetes anomalies or AWS IAM brute-force attempts.
You can check which specific machines are vulnerable to a designated CVE across your infrastructure using search_cve_exposure. When you need to check for vulnerabilities on containers before they deploy, use list_container_vulnerabilities against ECR or DockerHub registries. To list known vulnerabilities running on your cloud hosts and VMs, you'll call list_host_vulnerabilities.
You can execute specialized Lacework Query Language (LQL) requests to analyze complex datasets for abuse or unusual patterns with execute_query. You'll get detailed info about any security alert, like the specific AWS account or container SHA, by running get_alert. To define boundaries, you can list logical resource groups with list_resource_groups, and see what global cloud security policies are enforced by Lacework using list_security_policies.
You can also get a full list of all available Lacework Query Language (LQL) structures by running list_lql_queries and query the current cloud inventory using search_cloud_inventory to list running instances, networking perimeters, or unrestricted S3 buckets. Finally, you can use search_alerts to find recent cloud security alerts, mapping events like Kubernetes anomalies or AWS IAM brute-force attempts.
How Lacework MCP Works
1. Subscribe to this server and enter your Lacework Account, Key ID, and Secret.
2. Direct your AI client (Claude, Cursor, etc.) to the Lacework MCP endpoint.
3. Ask a natural language question, like 'Show all S3 buckets with world-readable access.' The agent runs the necessary tool and returns the data.
The bottom line is, your AI client talks directly to Lacework, running security checks and data pulls without you touching a dashboard.
Who Is Lacework MCP For?
This is for the Security Analyst who needs to triage a critical alert in minutes, not hours. It’s for the SRE who has to prove an image is clean before deployment. And it's for the Compliance Officer who can't afford a major audit failure. If your job involves knowing 'where the gaps are,' this server saves you time.
Investigates polygraph alerts and threat patterns by executing specialized queries, finding the root cause of anomalous behavior.
Monitors container and host vulnerabilities to ensure that only images and code passing strict security checks move through the CI/CD pipeline.
Audits cloud security policies and unmanaged cloud assets to prove the organization maintains a secure, compliant posture.
What Changes When You Connect
- Check the cloud inventory first. The `search_cloud_inventory` tool lets you see every running instance and every S3 bucket, instantly flagging any unrestricted or unmanaged assets. You map your total blast radius before you start investigating alerts.
- Triage alerts faster than ever. Use `search_alerts` to pull deep behavioral telemetry on anomalies, like unauthorized Kubernetes processes or AWS IAM brute-forcing. You get the context needed for immediate action.
- Control your deployments. Before pushing code, run `list_container_vulnerabilities` to scan registries like ECR. You ensure that only secure images pass the CI/CD gate, stopping bad code before it hits production.
- Know your exposure. If Log4j drops, you don't guess. Use `search_cve_exposure` to pinpoint every single machine running the vulnerable software across your entire cloud footprint.
- Audit policies manually. The `list_security_policies` tool lets you confirm if Lacework is even monitoring for structural issues, like opening port 22 to the public internet. You maintain compliance without guessing.
- Run custom investigations. Need to track API key abuse? `execute_query` lets you run specialized LQL requests to analyze niche datasets that standard dashboards miss.
Real-World Use Cases
Post-Incident Review: Where did the attacker go?
An alert fires for a suspicious login. Instead of clicking through AWS logs, the agent runs search_alerts first. Then, it uses get_alert to pull the full behavioral payload, identifying the exact AWS account and correlated external IP anomaly. This pinpoints the breach vector instantly.
Compliance Check: Do we have public buckets?
The Compliance Officer needs to audit for data leaks. The agent runs search_cloud_inventory. It immediately returns a list of unrestricted S3 buckets, allowing the officer to prioritize remediation efforts without manually sifting through accounts.
Pre-Deployment Gate: Is this image clean?
The DevOps Engineer is pushing a new service. The agent runs list_container_vulnerabilities against the ECR registry. If critical CVEs are found, the pipeline halts immediately, stopping the deployment and saving hours of potential risk.
Emergency Patching: What's running Log4j?
A zero-day vulnerability hits. The analyst doesn't know where the service lives. The agent uses search_cve_exposure to scan every machine in the cloud, giving a definitive list of vulnerable nodes and allowing the team to patch immediately.
The Tradeoffs
Focusing only on the alert.
The analyst sees a critical alert and immediately runs search_alerts. They fix the visible symptom but miss the underlying misconfiguration that allowed the attack.
→
First, run search_cloud_inventory to map the entire scope. Then, cross-reference that list of assets with search_alerts to see if other resources are exposed. Start with the blast radius, not the symptom.
Checking only the main services.
The team reviews the three primary application clusters but forgets to check the secondary, unmanaged staging environment, leaving the risk visible.
→
Use list_resource_groups to define your scope, and then run search_cloud_inventory across all defined groups. This ensures you cover everything from 'Staging' to 'Production' policies.
Running a single, broad query.
The engineer runs a generic execute_query without filtering, getting a massive, unusable data dump that requires hours of manual analysis.
→
Always start by using list_lql_queries to understand the available data structure. Then, refine your execute_query with specific filters to get actionable results.
When It Fits, When It Doesn't
Use this server if your primary concern is knowing 'what exists' and 'what's broken' across a complex, multi-cloud environment. If you need to quickly map the entire blast radius, check for specific CVEs, or audit what's public, this is your tool.
Don't use this if your primary task is simply reporting on historical metrics that don't require real-time data correlation. For that, a simple dashboard might suffice. If you only need to check a single, isolated container's manifest, a dedicated registry tool is faster. But if you need to correlate that container vulnerability against the host's running processes, you need the depth of this server. It's for the initial, deep-dive triage.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Lacework. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
The worst part of cloud security is the manual audit checklist.
Today, auditing your cloud security means jumping between the console, the vulnerability scanner, and the log aggregator. You run a script for S3 buckets, open a separate dashboard for IAM, and then manually cross-reference a list of CVEs against your active machines. It's a nightmare of tabs and copy-pasting.
With this MCP server, you just talk to your agent. You ask, 'Show me all public S3 buckets and any nodes vulnerable to Log4j.' The server runs `search_cloud_inventory` and `search_cve_exposure` and hands you a single, clean list of every problem. That's it.
Lacework (Cloud Security & CNAPP) MCP Server: Find every gap.
You used to run reports for compliance, then manually checked the policy engine for structural violations (like exposing port 22). These checks were siloed, and if a policy changed, you had to re-run the whole workflow. It was slow and brittle.
Now, you ask the agent to list all security policies using `list_security_policies`. It checks the full scope and reports back on structural risks. You get a definitive, real-time view of your entire security posture.
Common Questions About Lacework MCP
How do I use the `search_alerts` tool with Lacework?
You ask the agent to search for alerts using search_alerts and specify the time window and alert type. The agent returns deep telemetry, helping you identify if the anomalous activity was a K8s issue or an IAM brute force.
Can `list_container_vulnerabilities` check my local Docker images?
No. The tool examines external registries like ECR or DockerHub, checking for static CVEs before those images are promoted to a live cluster. It focuses on the supply chain, not local development machines.
What is the best way to check for a new CVE using `search_cve_exposure`?
You pass the specific CVE identifier (e.g., 'CVE-2021-44228') to the agent. The server then filters the entire cloud infrastructure and returns only the machine IDs that are currently vulnerable.
Does `search_cloud_inventory` show networking details?
Yes. It queries the cloud control-plane to enumerate active networking perimeters, alongside running instances and any unrestricted S3 buckets.
How do I use `get_alert` to understand a specific security event?
The get_alert tool provides deep context about a security alert. It extracts the exact behavioral payload, showing details like the AWS Accounts involved, the container image SHAs, and any correlated external IPs.
Can I use `list_host_vulnerabilities` to check compliance for a resource group?
No, list_host_vulnerabilities only lists known vulnerabilities on running cloud hosts. To check compliance against a defined resource group, you should use list_resource_groups first.
What should I use if I need to run a custom threat hunt query, such as one that looks for API keys bypassing IAM logic?
You need to use the execute_query tool. This tool runs a specialized Lacework Query Language (LQL) query, letting you track things like API keys bypassing IAM logic or unusual Kubernetes process spawns.
Does `list_security_policies` help me understand what's exposed globally?
Yes, list_security_policies confirms all global cloud security policies. It shows whether Lacework will alert when an engineer violates structural norms, such as exposing port 22 directly to the internet.
Can I search for specific CVE exposure across my whole cloud environment?
Yes. Use the search_cve_exposure tool and provide the official CVE ID (e.g. CVE-2023-1234). Your agent will filter the entire cloud footprint to determine exactly which specific nodes or machines are currently vulnerable.
How do I investigate the behavioral telemetry of a specific security alert?
The get_alert tool extracts precisely what baseline behavior was deviated from for a specific Alert ID. Your agent will return detailed contextual metadata, including offending container SHAs and correlated IP anomalies.
Can my agent run custom threat hunting queries using LQL?
Absolutely. Use the execute_query tool to run specialized Lacework Query Language (LQL) blocks. This allows your agent to perform complex mathematical analysis on cloud telemetry to identify deep security patterns.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.