Velociraptor MCP Server

MCP server by SOCFortress for Velociraptor — the advanced digital forensics and incident response (DFIR) platform. Enables security agents to query endpoints via VQL (Velociraptor Query Language), trigger artifact collections, hunt for threat indicators, and orchestrate IR investigations programmatically through Velociraptor's API.

Evaluated Mar 06, 2026
Category: Security. Tags: velociraptor, dfir, forensics, threat-hunting, endpoint-detection, security, socfortress, mcp-server
Agent Friendliness: 68 / 100 (Can an agent use this?)
Security: 82 / 100 (Is it safe for agents?)
Reliability: 66 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 68
Documentation: 68
Error Messages: 65
Auth Simplicity: 72
Rate Limits: 70

🔒 Security

TLS Enforcement: 90
Auth Strength: 85
Scope Granularity: 80
Dep. Hygiene: 72
Secret Handling: 82

Deep endpoint forensic access. Authorized use only. mTLS or API key auth. Self-hosted Velociraptor server — data stays on-premises. All operations audited.

⚡ Reliability

Uptime/SLA: 65
Version Stability: 68
Breaking Changes: 65
Error Recovery: 65

Best When

A SOC or IR team running Velociraptor wants AI agents to assist with threat hunting, artifact collection, and investigation orchestration — accelerating human analysts during incidents.

Avoid When

You don't have Velociraptor deployed, or you're looking for a general endpoint security MCP. Velociraptor is powerful but requires significant infrastructure and expertise.

Use Cases

  • Querying endpoint telemetry via VQL from threat hunting agents
  • Triggering forensic artifact collections across fleet during IR investigations
  • Hunting for IOCs across endpoints from automated detection agents
  • Orchestrating Velociraptor-based DFIR workflows from security orchestration agents

Not For

  • Teams without Velociraptor deployment (requires existing Velociraptor server)
  • Simple log querying — use SIEM MCPs for log analysis
  • Use on systems you don't own or aren't authorized to investigate

Interface

REST API: Yes
GraphQL: No
gRPC: Yes
MCP Server: Yes
SDK: No
Webhooks: No

Authentication

Methods: api_key, certificate
OAuth: No
Scopes: No

Velociraptor API authentication via API key or mTLS certificate. Requires access to an existing Velociraptor server deployment. Restrict agents to read-only access for hunting; grant write access only where artifact collection is required.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Velociraptor is free open source (Rapid7 / Velocidex). SOCFortress MCP server is free. Infrastructure costs for Velociraptor server deployment apply.

Agent Metadata

Pagination: cursor
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • AUTHORIZED USE ONLY: Velociraptor accesses endpoint forensic data — only use on authorized systems
  • VQL is a powerful but niche query language — agents need VQL knowledge for effective use
  • Large artifact hunts across many endpoints can stress Velociraptor server — set scope limits
  • SOCFortress is a reputable security company but this is community tooling — verify stability
  • Velociraptor API versions may differ from Velociraptor server version — check compatibility

Scores are editorial opinions as of 2026-03-06.
