# CrowdSec MCP for AI Agents

> CrowdSec connects your network defense to any AI agent, letting you read your threat intelligence directly through conversation. Query active local decisions, follow new and expired bans as they happen, and check global IP reputation data without opening a terminal or the CrowdSec console.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** threat-intelligence, firewall-management, ip-reputation, network-security, intrusion-prevention

## Description

This MCP gives your AI client read-only access to your CrowdSec Local API (LAPI) and to the Community Threat Intelligence (CTI) API. You can query the local decision endpoint to see whether an IP or range currently has an active decision (ban, captcha or another type). The agent can also poll the decision stream for new and deleted decisions since its last poll, so you learn about changes in your security posture within one polling interval. Need to know if a source is malicious? Use the global CTI data to fetch reputation, scores, classifications and observed behaviours for any public IP address. Instead of digging through logs, your AI acts like a security analyst, summarizing suspicious activity right where you're working. Note that all three tools only read data: creating or removing decisions still happens through `cscli` or the CrowdSec console. Connecting via Vinkius means you can use these tools from Claude, Cursor, or any other MCP-compatible client.

## Tools

### get_cti_smoke
Retrieves the global threat intelligence reputation data for a specified IP address.

### get_decisions_stream
Polls the local API decision stream to fetch the decisions that were added and the decisions that were deleted since the previous poll.

### get_decisions
Queries the local decision API to list all currently active decisions for a single IP or for an IP range.

## Prompt Examples

**Prompt:** 
```
Check if there are any active decisions for IP 192.0.2.5 in our local CrowdSec database.
```

**Response:** 
```
**Local Decision Status Check:**

*   **IP:** 192.0.2.5
*   **Status:** Active ban
*   **Scenario:** port scan (multi-port scan scenario)
*   **Origin:** crowdsec (created automatically from a local alert)
*   **Expires:** In 4 hours and 10 minutes

This decision was created by the local CrowdSec agent and will lift automatically at the specified time unless a new alert renews it.
```

**Prompt:** 
```
What's the global reputation of IP 203.0.113.99 according to CrowdSec CTI?
```

**Response:** 
```
**CrowdSec Global Threat Intelligence Report**

| Metric | Value |
| :--- | :--- |
| **Reputation** | Malicious |
| **Classification** | Tor exit node |
| **Behaviors Observed** | TCP scanning, SSH brute force |
| **Scores (0-5)** | Aggressiveness 4, Threat 4, Trust 3 |
| **Background Noise** | 9/10 |
| **Community Status** | Listed on several community blocklists |

Being a Tor exit node is not malicious by itself; the high aggressiveness and threat scores and the scanning and brute-force behaviour reported by the community are what make this IP a likely source of automated attacks.
```

**Prompt:** 
```
Get the latest stream of decisions from CrowdSec to see recent blocks.
```

**Response:** 
```
**Decision Stream Update (since last poll)**

*   ✅ **NEW:** ban on `198.51.100.7` for SSH brute force.
*   ⚠️ **REPLACED:** decision on `172.16.0.5` changed from captcha to ban (the old decision was deleted and a new one added).
*   ❌ **DELETED:** ban on `10.0.0.2` lifted automatically (expired).

One new ban, one decision replaced and one expiry since the last poll.
```

## Capabilities

### Querying Local Decisions
Use the agent to ask which decisions (bans, captchas or other decision types) are currently active on your LAPI for a given IP or range.

### Streaming Decision Updates
The agent polls the decision stream for new and deleted decisions, so you see every block added or lifted within one polling interval.

### Checking Global CTI Reputation
You can fetch external threat data to assess an IP address's global reputation, its scores and the behaviours the community has observed from it.

## Use Cases

### Investigating a Sudden Traffic Spike
A system administrator suspects an IP is malicious but doesn't know why. They ask the agent to check its global reputation using `get_cti_smoke`. The agent returns that the IP is classified as a Tor exit node with high aggressiveness and threat scores and recent scanning behaviour, giving the admin the context to decide whether to ban it (with `cscli` or the console, since the MCP itself only reads).

### Reviewing Blocked Ranges After an Incident
A DevOps team member needs to confirm that a suspicious range is covered. They use `get_decisions` with the range and get the list of decisions currently active for it. Note that this lists active decisions only; a ban that already expired will not appear, so check the stream or your alerts for historical blocks.

### Monitoring Firewall Changes During Maintenance
A security engineer needs to track whether any decisions change while they are working late. They have the agent poll `get_decisions_stream` and get a summary of every decision added or removed at each poll.

### Pre-deployment Reputation Check
Before deploying new services, the team uses the agent to vet the external IPs those services will talk to. They run `get_cti_smoke` against each endpoint and flag any with a malicious reputation, a high threat score or a high background-noise score. CTI lookups count against your API key's quota, so keep such batch checks small.

## Benefits

- You get instant visibility into your local network state. Use the `get_decisions` tool to query all active blocks or policy decisions for specific IP ranges in plain English.
- Stay updated on security changes without manually checking logs. The agent polls for new and deleted decisions using `get_decisions_stream`, providing a continuous, real-time context stream.
- Stop guessing about malicious IPs. Run the `get_cti_smoke` tool to fetch global reputation data and threat classifications from the community network.
- The MCP streamlines security auditing. Instead of complex CLI commands, your agent handles checking suspicious actors' metadata and classifications instantly.
- It integrates directly into your existing workflow. You pull threat intelligence straight from your IDE or terminal, eliminating context switching.

## How It Works

The bottom line is that your AI client handles the API calls and response parsing, letting you ask questions about your CrowdSec decisions and threat intelligence in plain language.

1. Subscribe to this MCP and provide your CrowdSec LAPI URL, a Local API key and your Community Threat Intelligence (CTI) key. Create the LAPI key as a dedicated bouncer (`cscli bouncers add <name>`) so it can be revoked on its own, and treat both keys as secrets: anyone holding the LAPI key can read every active decision, and the CTI key is tied to your account's quota.
2. Your AI client uses the LAPI key to read decisions from your local CrowdSec instance and the CTI key to query the global threat intelligence API.
3. You prompt the agent with natural language, for example 'What's the reputation of this IP?' or 'Are there active blocks for this range?', and get the data back immediately.
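To make the three tools concrete, here is an added example (not the MCP's own code and not part of the original page) of what each tool has to do against CrowdSec's APIs, written with the Python standard library only. The endpoint paths and header names (`GET /v1/decisions`, `GET /v1/decisions/stream` with `X-Api-Key`; `GET /v2/smoke/{ip}` on the CTI API with `x-api-key`) are CrowdSec's documented ones; the LAPI URL, key values, scenario names and sample responses are constructed so the code runs offline, and the `fetch` parameter is an assumption of this example so the same logic can be pointed at a real instance by passing the real transport.

```python
"""Read-only stand-in for the three tools, using only the standard library.

Endpoint paths and header names follow the CrowdSec LAPI bouncer API and the
CTI API. The sample responses below are constructed, not captured from a
real instance, and `fetch` is injectable so everything runs offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

CTI_BASE = "https://cti.api.crowdsec.net/v2"


def http_get_json(url, headers):
    """Real transport: GET `url` and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


class CrowdSecReader:
    def __init__(self, lapi_url, lapi_key, cti_key, fetch=http_get_json):
        self.lapi_url = lapi_url.rstrip("/")
        self.lapi_headers = {"X-Api-Key": lapi_key}  # bouncer key from `cscli bouncers add`
        self.cti_headers = {"x-api-key": cti_key}    # CTI key from the CrowdSec console
        self.fetch = fetch
        self.first_poll = True  # the first stream poll must ask for the full current set

    def get_decisions(self, ip=None, ip_range=None):
        """Active decisions for one IP or one CIDR range (tool: get_decisions)."""
        params = {k: v for k, v in (("ip", ip), ("range", ip_range)) if v}
        url = f"{self.lapi_url}/v1/decisions?{urllib.parse.urlencode(params)}"
        return self.fetch(url, self.lapi_headers) or []  # LAPI answers JSON null when nothing matches

    def get_decisions_stream(self):
        """Decisions added and deleted since the last poll (tool: get_decisions_stream)."""
        url = f"{self.lapi_url}/v1/decisions/stream?startup={'true' if self.first_poll else 'false'}"
        self.first_poll = False
        data = self.fetch(url, self.lapi_headers) or {}
        return {"new": data.get("new") or [], "deleted": data.get("deleted") or []}

    def get_cti_smoke(self, ip):
        """Global reputation record, or None if CTI has never seen the IP (tool: get_cti_smoke)."""
        try:
            return self.fetch(f"{CTI_BASE}/smoke/{urllib.parse.quote(ip)}", self.cti_headers)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise


def is_banned(decisions):
    """True if any active decision is a ban (captcha/throttle decisions are not blocks)."""
    return any(d.get("type") == "ban" for d in decisions)


def summarize_stream(stream):
    """Group a stream response into added, removed and replaced values. LAPI has no
    'update' event: a changed decision shows up as one deleted and one new entry."""
    new = {d["value"]: d for d in stream["new"]}
    old = {d["value"]: d for d in stream["deleted"]}
    return {
        "added": sorted(v for v in new if v not in old),
        "removed": sorted(v for v in old if v not in new),
        "replaced": [(v, old[v]["type"], new[v]["type"]) for v in sorted(set(new) & set(old))],
    }


def summarize_smoke(smoke):
    """Pull the fields an analyst acts on out of a CTI smoke record."""
    if smoke is None:
        return {"reputation": "unknown"}
    overall = (smoke.get("scores") or {}).get("overall") or {}
    classes = (smoke.get("classifications") or {}).get("classifications") or []
    return {
        "reputation": smoke.get("reputation", "unknown"),
        "classifications": [c["name"] for c in classes],
        "behaviors": [b["name"] for b in smoke.get("behaviors") or []],
        "blocklists": [r["name"] for r in smoke.get("references") or []],
        "threat": overall.get("threat"),                      # 0-5
        "aggressiveness": overall.get("aggressiveness"),      # 0-5
        "background_noise": smoke.get("background_noise_score"),  # 0-10
    }


# Constructed sample responses keyed by URL suffix (documentation IPs, not real observations).
CANNED = {
    "/v1/decisions?ip=192.0.2.5": [
        {"id": 7, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.5",
         "scenario": "crowdsecurity/iptables-scan-multi_ports", "duration": "3h50m"}],
    "/v1/decisions/stream?startup=true": {
        "new": [{"id": 8, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "198.51.100.7",
                 "scenario": "crowdsecurity/ssh-bf", "duration": "4h"},
                {"id": 9, "origin": "cscli", "type": "ban", "scope": "Ip", "value": "172.16.0.5",
                 "scenario": "manual 'ban' from 'localhost'", "duration": "2h"}],
        "deleted": [{"id": 5, "origin": "crowdsec", "type": "captcha", "scope": "Ip", "value": "172.16.0.5",
                     "scenario": "crowdsecurity/http-probing", "duration": "0s"},
                    {"id": 3, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "10.0.0.2",
                     "scenario": "crowdsecurity/http-bad-user-agent", "duration": "0s"}]},
    "/smoke/203.0.113.99": {
        "ip": "203.0.113.99", "reputation": "malicious", "background_noise_score": 9,
        "scores": {"overall": {"aggressiveness": 4, "threat": 4, "trust": 3, "anomaly": 1, "total": 4}},
        "classifications": {"classifications": [{"name": "tor-exit-node", "label": "TOR exit node"}]},
        "behaviors": [{"name": "tcp:scan"}, {"name": "ssh:bruteforce"}],
        "references": [{"name": "crowdsecurity/community-blocklist"}]},
}


def canned_fetch(url, headers):
    """Offline transport with the same contract as http_get_json."""
    for suffix, body in CANNED.items():
        if url.endswith(suffix):
            return body
    if "/v1/decisions" in url:
        return None  # LAPI: no matching decisions
    raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)  # CTI: unknown IP


if __name__ == "__main__":
    r = CrowdSecReader("http://127.0.0.1:8080", "lapi-key", "cti-key", fetch=canned_fetch)
    print("192.0.2.5 banned:", is_banned(r.get_decisions(ip="192.0.2.5")))
    print("stream:", summarize_stream(r.get_decisions_stream()))
    print("cti:", summarize_smoke(r.get_cti_smoke("203.0.113.99")))
```

Two details worth noticing: the stream poll must send `startup=true` once to receive the full current decision set, and a decision that changes type arrives as a delete plus an add, which is why the summary reports it as "replaced" rather than relying on an update event LAPI does not emit.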

## Frequently Asked Questions

**How do I check if an IP is banned locally using the CrowdSec MCP for AI Agents?**
You can ask the agent to query your local decision API. It will tell you whether an active decision exists, which scenario triggered it (for example a port-scan scenario) and its origin, and when the ban expires.

**Does the CrowdSec MCP for AI Agents track changes in my firewall policies?**
Yes, the agent polls the decision stream, so at every poll you get the decisions that were added and those that were lifted since the previous one. You never have to manually check whether your view of the decisions is still current.

**What kind of reputation data can I get with the CrowdSec MCP for AI Agents?**
You fetch global IP reputation data from the Community Threat Intelligence network: the reputation verdict, the aggressiveness, threat and trust scores, the background-noise score, classifications such as Tor exit node, the attack behaviours the community has observed from that IP, and the blocklists it appears on.

**Is the CrowdSec MCP for AI Agents useful for DevOps teams during an incident?**
Absolutely. During an active incident you can use the agent to check local decisions and global reputation for the same IP in one conversation, which shortens the time to a containment decision.

**Does this tool require me to be a security expert?**
No. The MCP is designed for natural conversation. You talk to your AI client like you're talking to a colleague; the agent handles all the technical API calls and data parsing.