Wallarm MCP. Search threats and manage rules by chat.
Gemini Works with every AI agent you already use
…and any MCP-compatible client
Just plug in your AI agents and start using Vinkius.
Wallarm connects your API security platform to any AI agent. It lets you monitor live traffic for threats and manage WAF rules using natural conversation.
You can search attack patterns by vector (like SQLi or XSS), deep-dive into malicious payloads, list all exposed API endpoints, and instantly block bad IP addresses—all from a chat interface.
What your AI agents can do
Create ip acl rule
Adds an IP address or CIDR range to the global allowlist ('white') or denylist ('black').
Get client info
Retrieves your account details, including subscription status and feature access.
Get discovered api inventory
Shows every API endpoint and method found through passive traffic analysis.
Adds an IP or CIDR range to the global allowlist or denylist based on a simple chat command.
Searches security events, grouping detected attacks by vector (e.g., SQLi, XSS) to show overall threat trends.
Shows full request headers and payloads for blocked traffic hits, allowing deep forensic review of the attack attempt.
Retrieves a list of every API endpoint and method found through passive traffic analysis.
Changes the lifecycle status of a reported vulnerability, marking it as open, closed, or false positive.
Ask AI about this MCP
Supported MCP Clients
Gemini Waiting for input…
Wallarm MCP Server: 10 Tools for Security & Rule Management
These ten tools let you programmatically list rules, search attack vectors, analyze payloads, and manage vulnerabilities directly through your AI agent.
019d761ecreate ip acl rule
Adds an IP address or CIDR range to the global allowlist ('white') or denylist ('black').
019d761eget client info
Retrieves your account details, including subscription status and feature access.
019d761eget discovered api inventory
Shows every API endpoint and method found through passive traffic analysis.
019d761eget vulnerability details
Pulls detailed diagnostic data and exploit evidence for a specific vulnerability ID.
019d761elist filtering nodes
Lists all deployed Wallarm WAF/API gateway filtering nodes to check their status.
019d761elist ip acl rules
Lists every configured IP allowlist and denylist rule currently in place.
019d761esearch security attacks
Searches for security attacks detected by Wallarm, grouped by the type of attack vector (e.g., SQLi).
019d761esearch security hits
Shows full request headers and payloads for blocked traffic hits intercepted by WAF nodes.
019d761esearch vulnerabilities
Lists all security vulnerabilities discovered in your API traffic that need attention.
019d761eupdate vulnerability status
Changes the lifecycle status of a vulnerability (open, closed, or falsepositive).
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Wallarm, then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
You connect your API security stack right into your agent. This thing lets you monitor live traffic for threats and manage WAF rules just by talking to it—no complex console needed. You can treat your AI client like a dedicated Security Operations Center analyst, asking it anything about your exposed endpoints or the last attack attempt.
API Inventory & Discovery
You need to know what you've got out there before you secure it. Use get_discovered_api_inventory to pull up every single API endpoint and method that Wallarm found by just watching your passive traffic. If something’s exposed, this tool lists it all for ya. You can check the current state of your defenses with list_filtering_nodes, which shows you if all your deployed WAF or API gateway filtering nodes are running right.
Threat Hunting and Analysis
When things go sideways, you need answers fast. Start by running search_security_attacks. This searches through security events, grouping detected attacks by the specific vector—you'll see if it’s mostly SQLi or XSS. If you want to dig deep into what got blocked, use search_security_hits to view full request headers and payloads for every intercepted bad traffic hit.
For a broader look at potential problems, run search_vulnerabilities, which lists all the security weaknesses Wallarm spotted in your API traffic that need eyes on them.
Vulnerability Management
Once you find a vulnerability, you gotta triage it. You can use get_vulnerability_details to pull detailed diagnostic data and exploit evidence for any specific vulnerability ID. When the fix is done or if it’s just noise, you update its status using update_vulnerability_status. This lets you mark a finding as open, closed, or false positive.
Access Control & Compliance
You control who gets in and what they can do. To keep track of your rules, run list_ip_acl_rules to see every configured IP allowlist and denylist rule currently active. If you need to change the game, use create_ip_acl_rule. You can add an IP address or a CIDR range to the global allowlist—the 'white' list—or slap it on the denylist—the 'black' list.
System Status & Management
It’s also useful to check your account details. get_client_info pulls up your full account information, including your subscription status and what features you actually have access to right now. You can run list_ip_acl_rules to audit every single rule in place.
Basically, if it involves a threat, an API endpoint, or an IP address, this agent handles the commands for ya.
How Wallarm MCP Works
- 1 Subscribe to this server and provide your Wallarm API Token and Client ID.
- 2 Your AI client connects the credentials to the Wallarm platform.
- 3 You ask a security question (e.g., 'What IPs should I block?') and the agent executes the appropriate tool call.
The bottom line is that you talk to your agent like a SOC analyst, and it handles the complex API calls to Wallarm for you.
Who Is Wallarm MCP For?
Anyone responsible for keeping APIs secure—from DevSecOps engineers triaging threats in development to SRE teams managing global access rules. If your job involves checking security dashboards, this saves hours of clicking and manual data correlation.
Uses the agent to perform rapid incident forensics, searching for malicious hits using search_security_hits or blocking IPs via create_ip_acl_rule during a live alert.
Monitors live threats and reviews vulnerabilities with get_vulnerability_details, ensuring security fixes are applied before deployment.
Checks the health of security infrastructure by listing nodes (list_filtering_nodes) or auditing network access rules using list_ip_acl_rules.
What Changes When You Connect
- Rapid Incident Response: Instead of navigating multiple security tabs, you can ask the agent to 'List all attacks from last night,' triggering
search_security_attacksimmediately. This gives you a high-level view of attack clusters instantly. - Deep Forensic Dive: When an alert hits, don't just read the summary. Use the agent to run
search_security_hitsand see the raw headers and payloads for malicious traffic. You get the evidence needed to prove compromise. - Proactive API Mapping: Forget manually documenting every endpoint. Running
get_discovered_api_inventoryshows you everything exposed through actual usage, identifying shadow APIs before attackers do. - Instant Containment: Found a bad actor IP? You don't need to log into the console. Just ask your agent to 'Block 192.0.2.4,' and it executes
create_ip_acl_ruleinstantly across your global network. - Vulnerability Lifecycle Management: The process of finding a vulnerability is only half the job. Use
update_vulnerability_statusto change its state (e.g., falsepositive) directly from chat, keeping your records clean.
Real-World Use Cases
Handling a suspected breach.
A platform team suspects an attacker used SQLi. They ask their agent to run search_security_attacks first. The results show 5 distinct SQLi clusters. Next, they use get_discovered_api_inventory to see which API endpoints were targeted, and finally, they run search_security_hits on the most critical endpoint to grab the exact payloads for the incident report.
Auditing compliance requirements.
A compliance officer needs proof that all external partners are properly vetted. They ask their agent to list current rules using list_ip_acl_rules and cross-reference this with a check of the client's status via get_client_info. This ensures no unauthorized access paths exist.
Triage after a major traffic spike.
Traffic suddenly spikes. The SRE team asks the agent to list all active vulnerabilities (search_vulnerabilities). They identify an IDOR issue, use get_vulnerability_details for technical guidance, and then update the status using update_vulnerability_status so it moves into the developer backlog.
Disabling a compromised service.
A specific microservice is found to be leaky. The engineer uses the agent to run get_discovered_api_inventory, confirming the exact endpoint path. Then, they instruct the agent to add an IP range from that service's region to the denylist using create_ip_acl_rule until it can be patched.
The Tradeoffs
Checking only dashboard summaries.
An analyst sees an alert for 'XSS attempt' on the main dash. They assume the problem is fixed, but they don't know if it was a one-off hit or a repeating pattern of attacks from multiple vectors.
→
Don't stop at the summary view. Use search_security_hits to pull the full request payloads for that XSS attempt. Then, run search_security_attacks to confirm if this vector is appearing elsewhere in your infrastructure.
Manually cross-referencing endpoints.
A developer thinks their API endpoint /v1/users/{id} is secure. They spend hours checking old documentation and network diagrams, but they might miss an undocumented, shadow path used by a forgotten internal service.
→
Use get_discovered_api_inventory. This tool passively scans your live traffic and gives you the definitive list of every exposed endpoint, saving you weeks of manual discovery.
Blocking IPs without context.
A junior analyst sees a suspicious IP (5.5.5.5) hit once and immediately adds it to the denylist using create_ip_acl_rule. Later, they realize 5.5.5.5 is a legitimate partner's testing machine that needs access.
→
When It Fits, When It Doesn't
Use this server if your core need is deep forensic investigation and real-time threat response. You must be dealing with API security: finding undocumented endpoints, analyzing payload dumps, or reacting to active attacks (SQLi, XSS). If you're just checking uptime, basic logging volume, or simple user authentication status, this might be overkill—a simple metrics dashboard is enough. However, if the problem involves who can talk to what API endpoint and how they are doing it (the 'why' of a failure), then use it. For example, if you need to check only which APIs exist, get_discovered_api_inventory is your go-to. If you just want to know the overall health of your WAF nodes, list_filtering_nodes handles that better than general searching.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Wallarm. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on every call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Sifting through security logs shouldn't feel like archaeology.
Today, figuring out a breach requires jumping between the dashboard, the raw log viewer, the vulnerability report, and the network flow map. You copy timestamps here, cross-reference IPs there, and manually correlate what looks like an SQLi attempt with the specific API endpoint it hit—it's slow, error-prone, and frankly, exhausting.
With this MCP server, you just ask your agent: 'What were the top 5 attack vectors last night?' It runs `search_security_attacks`, groups them by vector, and gives you a clean summary. You get actionable intelligence without doing the manual data stitching.
Wallarm MCP Server: Get API context from chat.
You no longer need to open the IP Access Control List tool, navigate to the 'rules' tab, and filter by date range just to check if a partner was accidentally blocked. You simply ask your agent to list rules or add a new one using `create_ip_acl_rule`.
This moves security management from slow UI clicks into natural conversation. It changes how fast you can contain damage—from minutes of clicking through dashboards to seconds of chat.
Common Questions About Wallarm MCP
How do I find out what APIs are exposed using get_discovered_api_inventory? +
The agent runs get_discovered_api_inventory and provides a list of every endpoint it found through passive traffic analysis. This shows you the full scope of your API surface area.
What is the best way to check for XSS attacks using search_security_attacks? +
You ask the agent to 'Search for XSS attacks.' The tool runs search_security_attacks and reports back on the cluster count, which tells you how many distinct attempts were made against your APIs.
Can I block an IP address using create_ip_acl_rule? +
Yes. You simply tell the agent to block it, specifying if it's a 'white' (allow) or 'black' (deny) rule. The tool executes create_ip_acl_rule instantly.
I found an old vulnerability; how do I mark it as falsepositive using update_vulnerability_status? +
Ask the agent to change the status of the specific ID. It runs update_vulnerability_status, and you can select 'falsepositive' from the valid statuses.
What does search_security_hits show me? +
search_security_hits shows granular details for blocked traffic. You get full request headers and payloads, which is critical forensic data you can't get anywhere else.
How do I check if my WAF filtering nodes are operational using list_filtering_nodes? +
It lists all deployed Wallarm WAF and API gateway filtering nodes. This tool confirms their status, letting you verify the health and heartbeat of your entire security infrastructure.
Where can I find detailed exploit evidence for a specific issue using get_vulnerability_details? +
The tool retrieves comprehensive diagnostic data and explicit exploit evidence tied to a particular vulnerability ID. This gives you the technical details needed to understand exactly how an attack works.
How do I audit all currently configured IP allowlist and denylist rules with list_ip_acl_rules? +
It pulls a full report of every active IP rule. You can check both the global allowlist and denylist to ensure only authorized traffic has access.
Can I block a malicious IP address directly from my agent? +
Yes. Using the create_ip_acl_rule tool, you can immediately add an IP or CIDR range to your global denylist (black list) to mitigate threats as soon as they are identified during your security audit.
How can I see all the API endpoints Wallarm has discovered? +
The get_discovered_api_inventory tool provides you with the full API inventory automatically discovered through passive traffic analysis, showing exposed endpoints, methods, and parameters without requiring manual specifications.
Is it possible to triage vulnerabilities and change their status via chat? +
Absolutely. You can use update_vulnerability_status to change a vulnerability's lifecycle status (e.g., to closed or false positive) once you have investigated it or applied remediation steps.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.
More in this category
Google Firestore Collection
This MCP does exactly one thing: it manages documents in a single Google Firestore Collection. That's its only function, and nothing else. Incredible for giving your AI a secure NoSQL database.
Authing
Cloud-native identity and access management platform — manage users, roles, and security logs via AI.
DataDome
Equip your AI agent to monitor bot protection, track threats, and audit protected endpoints directly via the DataDome API.
You might also like
Billplz
Manage your payment collections via Billplz — list collections, bills, and transactions directly from any AI agent.
Parsio
Extract structured data from emails and PDFs automatically with AI-powered parsing templates that learn from your documents.
Kitsu
Search and manage your anime and manga collections via Kitsu — browse titles, check user profiles, and update your library directly from any AI agent.