playbooks
Learn Cursor Rules Windsurf Rules MCPs Modes
Log in

Panther Labs MCP server

Integrates with Panther Labs' cybersecurity platform to enable security alert triage, data lake querying, detection rule management, and log source analysis for incident response and threat hunting workflows.
Back to servers
Setup instructions
Provider
Panther Labs Inc
Release date
May 31, 2025
Stats
20 stars
View on GitHub

Panther's Model Context Protocol (MCP) server enhances security workflows by enabling you to write and tune detections from your IDE, interactively query security logs using natural language, and manage alerts efficiently. This integration brings Panther's powerful security capabilities directly into your development environment.

Available Tools

The Panther MCP server provides several tool categories to help with your security operations:

Alerts

  • Add comments to alerts
  • Get alert details
  • View alert events
  • List and filter alerts
  • Assign alerts to team members
  • Update alert status
  • View alert comments

Data

  • Run SQL queries against Panther's data lake
  • Retrieve query results
  • Manage data lake queries
  • Get table schemas
  • List databases and tables
  • View log sources
  • Analyze patterns across multiple alerts

Rules

  • Manage detection rules
  • Work with policies and helpers
  • View and modify data models

Schemas, Metrics, and User Management

  • Access log type schemas
  • View alert and ingestion metrics
  • Manage users and permissions

Panther Configuration

Before installing the MCP server, you need to configure your API credentials:

  1. Create an API token in Panther:

    • Navigate to Settings (gear icon) → API Tokens
    • Create a new token with the appropriate permissions

  2. Store the generated token securely

  3. Copy your Panther instance URL from your browser (e.g., https://YOUR-PANTHER-INSTANCE.domain)

    • Make sure to include https://

MCP Server Installation

Docker (Recommended)

The easiest way to get started is using the pre-built Docker image:

{
  "mcpServers": {
    "mcp-panther": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "-e", "PANTHER_INSTANCE_URL",
        "-e", "PANTHER_API_TOKEN",
        "--rm",
        "ghcr.io/panther-labs/mcp-panther"
      ],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-API-KEY"
      }
    }
  }
}

UVX

For Python users, you can run directly from PyPI using uvx:

  1. Install UV from the official documentation

  2. Configure your MCP client:

{
  "mcpServers": {
    "mcp-panther": {
      "command": "uvx",
      "args": ["mcp-panther"],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}

MCP Client Setup

Cursor

Follow the instructions at Cursor's MCP documentation to configure your project or global MCP configuration. It's VERY IMPORTANT that you do not check this file into version control.

Once configured, navigate to Cursor Settings > MCP to view the running server.

Tips:

  • Be specific about where you want to generate new rules by using the @ symbol and then typing a specific directory.
  • For more reliability during tool use, try selecting a specific model, like Claude 3.7 Sonnet.
  • If your MCP Client is failing to find any tools from the Panther MCP Server, try restarting the Client and ensuring the MCP server is running.

Claude Desktop

To use with Claude Desktop:

  1. Open the Claude Desktop settings and navigate to the Developer tab
  2. Click "Edit Config" to open the configuration file
  3. Add the following configuration:
{
  "mcpServers": {
    "mcp-panther": {
      "command": "uvx",
      "args": ["mcp-panther"],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}
  1. Save the file and restart Claude Desktop

Goose

Use with Goose, Block's open-source AI agent:

# Start Goose with the MCP server
goose session --with-extension "uvx mcp-panther --compat-mode"

The --compat-mode flag enables compatibility mode for broader MCP client support.

Security Best Practices

For optimal security:

  • Apply strict least-privilege to Panther API tokens
  • Host the MCP server in a locked-down sandbox with read-only mounts
  • Monitor credential access to Panther and watch for anomalies
  • Run only trusted, officially signed MCP servers

Troubleshooting

Check the server logs for detailed error messages: tail -n 20 -F ~/Library/Logs/Claude/mcp*.log

Common issues:

  • HTTP 403 errors usually indicate missing permissions for your API token
  • Ensure your Panther Instance URL is correctly set

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "mcp-panther" '{"command":"docker","args":["run","-i","-e","PANTHER_INSTANCE_URL","-e","PANTHER_API_TOKEN","--rm","ghcr.io/panther-labs/mcp-panther"],"env":{"PANTHER_INSTANCE_URL":"https://YOUR-PANTHER-INSTANCE.domain","PANTHER_API_TOKEN":"YOUR-API-KEY"}}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "mcp-panther": {
            "command": "docker",
            "args": [
                "run",
                "-i",
                "-e",
                "PANTHER_INSTANCE_URL",
                "-e",
                "PANTHER_API_TOKEN",
                "--rm",
                "ghcr.io/panther-labs/mcp-panther"
            ],
            "env": {
                "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
                "PANTHER_API_TOKEN": "YOUR-API-KEY"
            }
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "mcp-panther": {
            "command": "docker",
            "args": [
                "run",
                "-i",
                "-e",
                "PANTHER_INSTANCE_URL",
                "-e",
                "PANTHER_API_TOKEN",
                "--rm",
                "ghcr.io/panther-labs/mcp-panther"
            ],
            "env": {
                "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
                "PANTHER_API_TOKEN": "YOUR-API-KEY"
            }
        }
    }
}

3. Restart Claude Desktop for the changes to take effect

Want to 10x your AI skills?

Get a free account and learn to code + market your apps using AI (with or without vibes!).

Nah, maybe later