Megaraptor MCP MCP Server

Enables AI assistants to interact with the Velociraptor DFIR platform.

Megaraptor MCP

A Model Context Protocol (MCP) server that provides AI assistants with access to Velociraptor - the powerful digital forensics and incident response (DFIR) platform.

Overview

Megaraptor MCP enables AI assistants like Claude to interact with Velociraptor servers for:

  • Endpoint Management: Search, interrogate, and manage Velociraptor clients
  • Artifact Collection: Schedule forensic artifact collection on endpoints
  • Threat Hunting: Create and manage hunts across multiple endpoints
  • VQL Queries: Execute arbitrary Velociraptor Query Language queries
  • Incident Response: Pre-built DFIR workflow prompts for common scenarios
  • Deployment Automation: Deploy Velociraptor servers and agents across infrastructure (Docker, binary, cloud, GPO, SSH, WinRM, Ansible)

Features

MCP Tools (33 tools)

Core DFIR Tools (15 tools)

Category  | Tool              | Description
Clients   | list_clients      | Search and list Velociraptor endpoints
Clients   | get_client_info   | Get detailed information about a client
Clients   | label_client      | Add/remove labels from clients
Clients   | quarantine_client | Quarantine or release endpoints
Artifacts | list_artifacts    | List available Velociraptor artifacts
Artifacts | get_artifact      | Get full artifact definition
Artifacts | collect_artifact  | Schedule artifact collection on a client
Hunts     | create_hunt       | Create a mass collection campaign
Hunts     | list_hunts        | List existing hunts
Hunts     | get_hunt_results  | Retrieve results from a hunt
Hunts     | modify_hunt       | Start, pause, stop, or archive hunts
Flows     | list_flows        | List collection flows for a client
Flows     | get_flow_results  | Get results from a collection
Flows     | get_flow_status   | Check collection status
Flows     | cancel_flow       | Cancel a running collection
VQL       | run_vql           | Execute arbitrary VQL queries
VQL       | vql_help          | Get help on VQL syntax and plugins

Deployment Tools (18 tools)

Category              | Tool                    | Description
Server Deployment     | deploy_server_binary    | Deploy Velociraptor server as standalone binary
Server Deployment     | deploy_server_docker    | Deploy Velociraptor server using Docker
Server Deployment     | deploy_server_cloud     | Deploy Velociraptor server to AWS/Azure cloud
Server Deployment     | generate_server_config  | Generate server configuration with certificates
Agent Deployment      | deploy_agent_gpo        | Generate GPO deployment package for Windows
Agent Deployment      | deploy_agent_winrm      | Deploy agents via WinRM to Windows endpoints
Agent Deployment      | deploy_agent_ssh        | Deploy agents via SSH to Linux/macOS endpoints
Agent Deployment      | deploy_agent_ansible    | Generate Ansible playbook for agent deployment
Agent Deployment      | build_offline_collector | Build standalone offline collector
Agent Deployment      | generate_client_config  | Generate client configuration file
Deployment Management | list_deployments        | List tracked deployment operations
Deployment Management | get_deployment_status   | Get detailed status of a deployment
Deployment Management | verify_deployment       | Verify deployment health and connectivity
Deployment Management | rollback_deployment     | Roll back a failed deployment
Credentials           | store_credential        | Securely store deployment credentials
Credentials           | list_credentials        | List stored credential aliases
Credentials           | delete_credential       | Remove stored credentials
Utilities             | download_velociraptor   | Download Velociraptor binary for platform

MCP Resources

Browse Velociraptor data through standardized URIs:

  • velociraptor://clients - Browse connected endpoints
  • velociraptor://clients/{client_id} - View specific client details
  • velociraptor://hunts - Browse hunt campaigns
  • velociraptor://hunts/{hunt_id} - View specific hunt details
  • velociraptor://artifacts - Browse available artifacts
  • velociraptor://server-info - View server information
  • velociraptor://deployments - Browse deployment operations and status

MCP Prompts (8 prompts)

Pre-built DFIR and deployment workflow prompts:

Prompt                  | Category   | Description
investigate_endpoint    | DFIR       | Comprehensive endpoint investigation workflow
threat_hunt             | DFIR       | Create and execute threat hunting campaigns
triage_incident         | DFIR       | Rapid incident triage and scoping
malware_analysis        | DFIR       | Analyze suspicious files or processes
lateral_movement        | DFIR       | Detect lateral movement indicators
deploy_velociraptor     | Deployment | Interactive Velociraptor deployment wizard
scale_deployment        | Deployment | Plan enterprise-scale agent rollout
troubleshoot_deployment | Deployment | Diagnose and fix deployment issues

Installation

Prerequisites

  • Python 3.10 or higher
  • A running Velociraptor server with API access enabled
  • API client credentials (see Configuration)

Install from source

git clone https://github.com/yourusername/megaraptor-mcp.git
cd megaraptor-mcp

# Core DFIR func

Environment Variables

VELOCIRAPTOR_API_CONFIG (required): Path to the Velociraptor API client configuration file

Configuration

claude_desktop_config.json
{
  "mcpServers": {
    "megaraptor": {
      "command": "python",
      "args": ["-m", "megaraptor_mcp"],
      "env": {
        "VELOCIRAPTOR_API_CONFIG": "/path/to/api.config.yaml"
      }
    }
  }
}
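
The file that VELOCIRAPTOR_API_CONFIG points at embeds the API client's certificate and private key, so it deserves the same handling as any other credential file. The block below is an added example, not part of Megaraptor MCP: it reads the megaraptor entry from a claude_desktop_config.json shaped like the one above, resolves the env path, and audits that file for loose permissions and missing top-level keys. The expected key names (ca_certificate, client_cert, client_private_key, api_connection_string, name) are an assumption based on the file Velociraptor's config api_client command writes; the two sample files are constructed inside demo().

```python
import json
import os
import re
import stat
import tempfile

SERVER_NAME = "megaraptor"
ENV_VAR = "VELOCIRAPTOR_API_CONFIG"
# Assumption: top-level keys of the YAML that `velociraptor config api_client` writes.
REQUIRED_KEYS = ("ca_certificate", "client_cert", "client_private_key",
                 "api_connection_string", "name")
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")


def api_config_path(desktop_config_json: str, server: str = SERVER_NAME) -> str:
    """Return the API config path that the named mcpServers entry passes via env."""
    servers = json.loads(desktop_config_json).get("mcpServers", {})
    if server not in servers:
        raise KeyError(f"no mcpServers entry named {server!r}")
    env = servers[server].get("env", {})
    if ENV_VAR not in env:
        raise KeyError(f"entry {server!r} does not set {ENV_VAR}")
    return env[ENV_VAR]


def audit_api_config(path: str) -> list[str]:
    """Return findings for the API config file; an empty list means it looks sound.

    This is a line scan for top-level keys, not a YAML parser: the PEM blocks in
    the file are indented, so they never match TOP_LEVEL_KEY.
    """
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    findings = []
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {mode:04o} is accessible to group/other; "
                            "the file holds a private key, restrict it to 0600")
    present = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = TOP_LEVEL_KEY.match(line)
            if m:
                present.add(m.group(1))
    for key in REQUIRED_KEYS:
        if key not in present:
            findings.append(f"{path}: missing top-level key {key!r}")
    return findings


def demo() -> dict[str, list[str]]:
    """Write a sound and a flawed config (constructed samples) and audit both."""
    good_yaml = (
        "name: analyst\n"
        "ca_certificate: |\n  -----BEGIN CERTIFICATE-----\n  (constructed)\n"
        "  -----END CERTIFICATE-----\n"
        "client_cert: |\n  -----BEGIN CERTIFICATE-----\n  (constructed)\n"
        "  -----END CERTIFICATE-----\n"
        "client_private_key: |\n  -----BEGIN RSA PRIVATE KEY-----\n  (constructed)\n"
        "  -----END RSA PRIVATE KEY-----\n"
        "api_connection_string: 127.0.0.1:8001\n"
    )
    # The flawed copy omits the certificate and key blocks and is left world-readable.
    bad_yaml = "name: analyst\napi_connection_string: 127.0.0.1:8001\n"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, text, mode in (("good", good_yaml, 0o600), ("bad", bad_yaml, 0o644)):
            path = os.path.join(tmp, f"{label}.api.config.yaml")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, mode)
            desktop = json.dumps({"mcpServers": {SERVER_NAME: {
                "command": "python", "args": ["-m", "megaraptor_mcp"],
                "env": {ENV_VAR: path}}}})
            results[label] = audit_api_config(api_config_path(desktop))
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "OK")
```

Point audit_api_config at your real api.config.yaml before wiring the server into an assistant; the API client it authenticates as should also be issued with only the Velociraptor permissions the tools you intend to expose actually need.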

Try it

Search for all connected Velociraptor clients and list their OS versions.
Collect the Windows.KapeFiles.Targets artifact from client C.1234567890abcdef to investigate suspicious activity.
Run a VQL query to find all processes listening on port 4444 across the fleet.
Create a new hunt to collect browser history from all endpoints labeled 'Finance'.
Deploy a new Velociraptor agent to the Linux server at 192.168.1.50 using SSH.

Frequently Asked Questions

What are the key features of Megaraptor MCP?

  • Endpoint Management: Search, interrogate, and quarantine Velociraptor clients.
  • Artifact Collection: Schedule and retrieve forensic artifact collections on specific endpoints.
  • Threat Hunting: Create and manage mass collection campaigns across multiple endpoints.
  • VQL Execution: Run arbitrary Velociraptor Query Language (VQL) queries for custom forensics.
  • Deployment Automation: Tools to deploy servers and agents via Docker, SSH, WinRM, and Ansible.

What can I use Megaraptor MCP for?

  • Incident Response: Rapidly triage and scope incidents by collecting artifacts from suspicious hosts.
  • Threat Hunting: Proactively search for Indicators of Compromise (IoCs) across an entire enterprise fleet.
  • Forensic Investigation: Automate the collection of memory, disk, and process forensics for deep analysis.
  • Fleet Management: Maintain and verify the health of Velociraptor agent deployments across diverse infrastructure.

How do I install Megaraptor MCP?

Install Megaraptor MCP by running:

git clone https://github.com/wagonbomb/megaraptor-mcp.git
cd megaraptor-mcp

What MCP clients work with Megaraptor MCP?

Megaraptor MCP works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.