CrowdSec

CrowdSec MCP Connector for Claude

A+

Automate threat intelligence via CrowdSec — query local decisions, stream security updates, and check global IP reputation directly from any AI agent.

3 tools Official Updated Jun 28, 2026 Official Vinkius Partner

Connect your CrowdSec security engine to any AI agent to take full control of your threat intelligence and network defense through natural conversation.

What you can do

  • Local Decisions — Query your Local API (LAPI) for active blocks or decisions on specific IPs, ranges, or scopes to understand current local threats.
  • Decision Streaming — Poll for real-time updates on new and deleted decisions from your local database to keep your security context synchronized.
  • Global CTI Reputation — Fetch global IP reputation data, behaviors, and classifications from the CrowdSec Community Threat Intelligence (CTI) network.
  • Security Auditing — Inspect metadata and classifications for suspicious actors directly from your command interface or code editor.

How it works

  1. Subscribe to this server
  2. Enter your CrowdSec LAPI URL, LAPI Key, and CTI Key
  3. Start managing your security posture from Claude, Cursor, or any MCP-compatible client

No more manual log diving or complex CLI commands to check if an IP is malicious. Your AI acts as a dedicated security analyst.

Who is this for?

  • Security Engineers — instantly retrieve local decision statuses and global reputation metrics without leaving the terminal
  • DevOps Teams — monitor security streams and verify IP behaviors during incident response directly from the IDE
  • System Administrators — automate the auditing of blocked ranges and suspicious network activity through natural language
threat-intelligencefirewall-managementip-reputationnetwork-securityintrusion-prevention

3 tools expose this connector's capabilities to your AI agent.

get_cti_smoke

Get CTI reputation for an IP

get_decisions_stream

Poll for new and deleted decisions from LAPI

get_decisions

Query CrowdSec LAPI for decisions

See how to talk to your AI agent using CrowdSec.

Check if there are any active decisions for IP 1.2.3.4 in our local CrowdSec database.

I've checked the Local API. There is one active decision for 1.2.3.4: a 'ban' applied 2 hours ago due to 'http-backdoor-attempts'. It is set to expire in 22 hours.

Get the latest stream of decisions from CrowdSec to see recent blocks.

Polling the decision stream... I found 3 new bans in the last few minutes involving IPs from the 193.x.x.x range targeting SSH services. No decisions were deleted in this interval.

What is the global reputation of IP 185.220.101.101 according to CrowdSec CTI?

According to CrowdSec CTI, 185.220.101.101 is classified as a 'Tor Exit Node'. It has a high noise score and is frequently reported for scanning activities globally. It is currently flagged in multiple community blocklists.

Yes! Use the `get_decisions` tool providing the IP address. Your agent will query your Local API and return any active decisions, including the reason and duration of the block.

Related Connectors