mcp-panther and Wazuh-MCP-Server

The two tools are complements rather than alternatives: each is an MCP server that puts a different security platform in reach of AI agents. Wazuh-MCP-Server fronts the Wazuh SIEM so that any MCP-compatible client can query alerts, agents and vulnerabilities and trigger active response, while panther-labs/mcp-panther exposes Panther's detection, alerting and data lake capabilities so that agents can write detections, investigate alerts, and query logs. An organisation running both platforms would deploy both servers; one does not stand in for the other.

Score panel (catalog scores; the four components, each out of 25, sum to the overall score)

                   mcp-panther          Wazuh-MCP-Server
Overall score      67 (Established)     60 (Established)
Maintenance        10/25                13/25
Adoption           14/25                10/25
Maturity           25/25                16/25
Community          18/25                21/25
Stars              41                   137
Forks              16                   39
Downloads          862                  (none listed)
Commits (30d)      0                    0
Language           Python               Python
License            Apache-2.0           MIT
Flags              No risk flags        No Package, No Dependents

About mcp-panther

panther-labs/mcp-panther

Write detections, investigate alerts, and query logs from your favorite AI agents

Implements the Model Context Protocol (MCP) to expose Panther's detection, alerting, and data lake capabilities as AI agent tools—enabling natural language SQL queries against security logs, AI-powered alert triage with intelligent recommendations, and detection authoring directly from IDE-integrated agents. Provides 50+ specialized tools covering alert management (bulk operations, comments, status updates), data lake schema exploration and querying, detection lifecycle management across rules/policies, and operational metrics and access controls.

About Wazuh-MCP-Server

gensecaihq/Wazuh-MCP-Server

AI-powered security operations for Wazuh SIEM—use any MCP-compatible client to ask security questions in plain English. Faster threat detection, incident triage, and compliance checks with real-time monitoring and anomaly spotting. Production-ready MCP server for conversational SOC workflows.

Exposes 48 validated security tools via the MCP protocol, spanning alert querying, agent monitoring, vulnerability scanning, active response (IP blocking, host isolation, process termination), and compliance checking. Every tool is wrapped with per-tool RBAC, audit logging, input validation, and credential sanitization so that secrets in Wazuh data are not passed back to the LLM side. Implements a dual-mode architecture supporting both cloud LLMs (Claude, GPT) and fully air-gapped local deployments via Ollama, with a standard HTTP `/mcp` endpoint compatible with Claude Desktop, Open WebUI, mcphost, and any MCP 2025-11-25 client. Built on Python 3.11+ with Docker containerization, Elasticsearch query integration for alert search, Redis-backed multi-instance session storage, rate limiting, and circuit breakers; targets Wazuh API 4.8.0–4.14.4.
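The per-tool RBAC, input validation, audit logging and credential-sanitization controls listed above are the part of a SOC-facing MCP server that deserves the closest review, because the same `/mcp` endpoint that answers an alert query can also isolate a host or block an IP on the model's say-so. The following is an added example, not code from Wazuh-MCP-Server or mcp-panther, sketching that gate in Python in front of a JSON-RPC 2.0 `tools/call` request. The tool names, roles, sample alerts and the policy of refusing to block non-global addresses are hypothetical; the JSON-RPC and MCP `tools/call` result shape (`content` list plus `isError`) are real.

```python
"""Constructed example of the request gate a SOC-facing MCP server needs:
per-tool RBAC, input validation, audit logging, and credential sanitization
of tool results before they return to the model. Tool names, roles and the
sample alerts are hypothetical; this is not code from either project."""
import ipaddress
import json
import re
from typing import Any, Callable

# Role -> tools the role may call. Hypothetical names standing in for the
# alert-search and active-response tools the servers on this page expose.
ROLE_TOOL_ALLOWLIST: dict[str, frozenset[str]] = {
    "analyst": frozenset({"search_alerts"}),
    "responder": frozenset({"search_alerts", "block_ip"}),
}

# Credential-looking values that must never be echoed back to the LLM.
_SECRET_PATTERNS = [
    # key=value and "key": "value" forms for common credential field names
    re.compile(r"((?:api[_-]?key|password|passwd|token|secret)[\"']?\s*[:=]\s*[\"']?)([^\"'\s,}]+)", re.I),
    # HTTP bearer tokens
    re.compile(r"(Bearer\s+)[A-Za-z0-9._\-]+"),
]

# Constructed sample alerts; alert 1002 deliberately carries secrets in its payload.
SAMPLE_ALERTS: list[dict[str, Any]] = [
    {"id": "1001", "rule": {"id": "5715", "description": "sshd: authentication success"},
     "full_log": "Accepted publickey for deploy from 198.51.100.4 port 52100"},
    {"id": "1002", "rule": {"id": "100200", "description": "suspicious outbound request"},
     "full_log": 'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig" https://example.invalid/',
     "data": {"api_key": "sk-live-1234567890"}},
]
AUDIT_LOG: list[dict[str, Any]] = []


def sanitize(text: str) -> str:
    """Redact credential-looking values from a serialized tool result."""
    for pat in _SECRET_PATTERNS:
        text = pat.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


def tool_search_alerts(args: dict[str, Any]) -> Any:
    """Hypothetical alert-search tool; validates its one argument and returns sample alerts."""
    limit = args.get("limit", 10)
    if not isinstance(limit, int) or not 1 <= limit <= 100:
        raise ValueError("limit must be an integer in 1..100")
    return SAMPLE_ALERTS[:limit]


def tool_block_ip(args: dict[str, Any]) -> Any:
    """Hypothetical active-response tool; only a parsed, global IP literal gets through."""
    ip = ipaddress.ip_address(str(args.get("ip", "")))  # raises ValueError on anything else
    if not ip.is_global:
        raise ValueError(f"refusing to block non-global address {ip}")
    return {"blocked": str(ip)}  # a real tool would call the SIEM's active-response API here


TOOLS: dict[str, Callable[[dict[str, Any]], Any]] = {
    "search_alerts": tool_search_alerts,
    "block_ip": tool_block_ip,
}


def _error(req_id: Any, code: int, message: str) -> dict[str, Any]:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_request(raw: str, role: str) -> dict[str, Any]:
    """Serve one JSON-RPC 2.0 'tools/call' request on behalf of an authenticated role."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return _error(None, -32700, "parse error")
    req_id = req.get("id")
    if req.get("jsonrpc") != "2.0" or req.get("method") != "tools/call":
        return _error(req_id, -32601, "method not found")
    params = req.get("params") or {}
    name, args = params.get("name"), params.get("arguments") or {}
    allowed = name in ROLE_TOOL_ALLOWLIST.get(role, frozenset()) and name in TOOLS
    AUDIT_LOG.append({"role": role, "tool": name, "allowed": allowed, "arguments": args})
    if not allowed:
        # Same answer for unknown and forbidden tools, so a caller cannot enumerate the inventory.
        return _error(req_id, -32602, f"tool not available for role {role!r}: {name!r}")
    try:
        result = TOOLS[name](args)
    except ValueError as exc:
        # Argument failures are tool errors, reported in-band per MCP rather than as protocol errors.
        return {"jsonrpc": "2.0", "id": req_id,
                "result": {"content": [{"type": "text", "text": f"invalid arguments: {exc}"}], "isError": True}}
    return {"jsonrpc": "2.0", "id": req_id,
            "result": {"content": [{"type": "text", "text": sanitize(json.dumps(result))}], "isError": False}}
```

Two design choices worth copying: the role check runs before the tool is even looked up, and the forbidden and unknown cases return the same error so an agent with a weak role cannot discover that `block_ip` exists; and sanitization runs over the serialized result rather than over chosen fields, so a token buried in a nested `full_log` or `data` value is caught as well. The audit record is written before the allow decision is enforced, so refused calls are logged too.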

Scores updated daily from GitHub, PyPI, and npm data.