# Wallarm MCP

> Wallarm MCP connects your AI agent to an enterprise API security platform. Monitor live traffic for attacks like SQLi and XSS, identify vulnerabilities in exposed endpoints, and manage IP allow/denylists—all through natural conversation. This lets you skip the security dashboard deep-dive and get immediate threat intel.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** api-security, waf, threat-detection, forensics, sql-injection, xss-protection, cybersecurity

## Description

Running a modern API means constantly worrying about who's hitting your endpoints and if they're safe. Instead of manually logging into complex security consoles, you just talk to your AI agent. This MCP turns that massive security headache into simple chat commands. You can ask the agent what attacks were detected recently, grouping threats by type like XSS or SQLi. Need to dig deeper? You can search through individual malicious requests, looking at full headers and payloads for forensic details. It also helps you find vulnerabilities—the agent lists them up so you know exactly what needs fixing. Plus, you can check the health of your WAF nodes or instantly block bad actors by managing IP rules. All this deep security data is available in one place via Vinkius, letting your AI client act like a full-time SOC analyst.

## Tools

### create_ip_acl_rule
Adds an IP or CIDR range to either the global allowlist or denylist.

### get_discovered_api_inventory
Retrieves a comprehensive list of all API endpoints and methods automatically found in traffic.

### get_client_info
Pulls details about your Wallarm account, subscription level, and current feature status.

### get_vulnerability_details
Retrieves full diagnostic data and exploit evidence for a specific vulnerability ID.

### list_ip_acl_rules
Displays all currently configured IP allowlist and denylist rules.

### list_filtering_nodes
Shows the deployed status and health of your WAF/API gateway filtering nodes.

### search_security_attacks
Searches for security attack clusters, grouping them by vector type like SQLi or XSS.

### search_security_hits
Shows full request headers and payloads for individual malicious HTTP requests intercepted by WAF nodes.

### search_vulnerabilities
Lists all open security vulnerabilities discovered from analyzing live API traffic.

### update_vulnerability_status
Changes the lifecycle status of a vulnerability, marking it as closed or false positive.

## Prompt Examples

**Prompt:** 
```
List all security attacks detected in the last hour.
```

**Response:** 
```
I've searched the recent security events in Wallarm. I found 12 attacks clusters, including 3 SQL Injections targeting the /api/login endpoint and 5 XSS attempts on /search. Would you like to see the individual hits and payloads for any of these?
```

**Prompt:** 
```
Block the malicious IP address 1.2.3.4 immediately.
```

**Response:** 
```
Understood. I have successfully added 1.2.3.4 to your global denylist (black list) in Wallarm. All traffic from this IP will now be blocked by your filtering nodes. Would you like to see if there are other IPs with similar behavior?
```

**Prompt:** 
```
What vulnerabilities are currently open in our production API?
```

**Response:** 
```
I found 3 open vulnerabilities: 1. Broken Object Level Authorization (BOLA) on /api/user/{id} (Critical), 2. Information Disclosure via verbose error messages (Medium), and 3. Insecure Direct Object Reference (IDOR) on /api/orders (High). I can provide the remediation guidance for any of these.
```

## Capabilities

### Find detected attacks
Search for recent security threats and group them by the attack type (like XSS or SQLi).

### Forensically analyze payloads
Deeply search intercepted traffic to view full headers and payloads from malicious HTTP requests.

### List security vulnerabilities
Get a list of all open vulnerabilities found in the live API traffic, including diagnostic data for remediation.

### Manage IP access rules
Add or remove specific IPs or CIDR ranges to your global allowlist or denylist.

### View API endpoint map
Automatically pull a list of every exposed API endpoint and method found in the traffic.

## Use Cases

### Immediate Threat Triage
A SOC analyst notices unusual traffic spikes. Instead of jumping between the WAF logs and the vulnerability tracker, they ask their agent to 'Search for security attacks.' The MCP responds with grouped threats (e.g., 5 XSS attempts), allowing them to immediately focus on remediation.

### Patching Vulnerabilities
A DevSecOps engineer needs to assess the risk of a recently found vulnerability. They run 'Search for vulnerabilities' and find an IDOR issue. Using `get_vulnerability_details`, they get the full diagnostic data needed to write a fix.

### Onboarding New Services
An API developer launches a new microservice endpoint. They use 'Get discovered API inventory' through their agent, verifying that the MCP has successfully cataloged all exposed methods and endpoints for security review.

### Blocking Malicious Users
During an active breach attempt, the team identifies a bad IP address. They use `create_ip_acl_rule` via chat to instantly add the IP to the global denylist, blocking further access without manual rule deployment.

## Benefits

- Stop manually digging through security dashboards. With this MCP, you simply ask your agent to 'List all open vulnerabilities,' and it pulls the exact report data instantly.
- Manage access rules without logging into a separate console. You can use the `create_ip_acl_rule` tool to add or remove IPs globally via chat.
- Drill down on threats immediately. Instead of wading through logs, you run `search_security_hits` to see full payloads for any malicious request.
- Maintain visibility into your entire attack surface by running `get_discovered_api_inventory` and getting a complete map of exposed endpoints.
- Accelerate incident response time. You can use the agent to search attacks via `search_security_attacks`, which groups threats by vector, saving critical minutes.

## How It Works

The bottom line is you get instant, actionable API threat intelligence without ever leaving your chat window.

1. Subscribe to this MCP, then enter your Wallarm API Token and Client ID into your AI client.
2. Your agent connects using those credentials, granting it read/write access across your security dashboard tools.
3. You simply ask a question—like 'What's the status of our filtering nodes?'—and the agent executes the necessary action.

## Frequently Asked Questions

**How does Wallarm MCP help with finding vulnerabilities?**
The MCP lets you run `search_vulnerabilities` to list all open flaws found in live API traffic. You can then use `get_vulnerability_details` to get full diagnostic data and understand exactly how to fix it.

**Can Wallarm MCP help me block a bad IP?**
Yes, you use the `create_ip_acl_rule` tool. You simply ask your agent to add an IP to the global denylist or allowlist, and it executes the rule change for you.

**What is the purpose of get_discovered_api_inventory?**
This tool automatically gathers a map of every exposed API endpoint and method. It's crucial for auditing your entire attack surface to ensure nothing was accidentally left open.

**Does Wallarm MCP support finding XSS attacks?**
Yes, you can use `search_security_attacks` which groups detected threats by vector. This allows you to specifically find and review XSS or SQLi attempts that were intercepted.

**What if I need to change a vulnerability status?**
You use the `update_vulnerability_status` tool. You can mark vulnerabilities as 'closed' or 'falsepositive' directly through your agent, keeping your security records accurate.