Wazuh MCP Server

Wazuh MCP server enabling AI agents to interact with Wazuh SIEM/XDR platform — querying security alerts and events, retrieving agent status and inventory, searching threat intelligence data, accessing compliance reports, and integrating Wazuh's open-source security monitoring into agent-driven threat detection, incident response, and security operations center (SOC) automation workflows.

Evaluated Mar 06, 2026 (version: current)
Tags: Security, wazuh, siem, security, mcp-server, threat-detection, xdr, edr, log-analysis
  • Agent Friendliness: 73 / 100 (Can an agent use this?)
  • Security: 80 / 100 (Is it safe for agents?)
  • Reliability: 71 / 100 (Does it work consistently?)

Score Breakdown

Agent Friendliness

  • MCP Quality: 72
  • Documentation: 75
  • Error Messages: 70
  • Auth Simplicity: 75
  • Rate Limits: 75

Security

  • TLS Enforcement: 88
  • Auth Strength: 80
  • Scope Granularity: 72
  • Dep. Hygiene: 75
  • Secret Handling: 82

Notes: API credentials with JWT; TLS; read-only user for agents; sensitive security data; SOCFortress MCP; store credentials in environment variables.

Reliability

  • Uptime/SLA: 75
  • Version Stability: 72
  • Breaking Changes: 70
  • Error Recovery: 68

Best When

A security operations team running Wazuh SIEM needs AI-assisted alert triage, threat hunting, and incident investigation — combining Wazuh's event data with LLM reasoning for faster SOC workflows.

Avoid When

You use a different SIEM (Splunk, Elastic, Microsoft Sentinel) — or don't have Wazuh deployed.

Use Cases

  • Querying Wazuh security alerts and events from SOC automation agents
  • Checking agent health and inventory from infrastructure security agents
  • Investigating security incidents with Wazuh event data from IR agents
  • Monitoring compliance status and rule violations from compliance agents
  • Correlating Wazuh alerts with threat intelligence from threat hunting agents
  • Generating security reports and summaries from SecOps reporting agents

Not For

  • Teams without Wazuh deployment (requires self-hosted or Wazuh Cloud)
  • Splunk, Elastic SIEM, or other SIEM platforms (use their respective MCPs)
  • Teams needing real-time alert modification (read-heavy tool)

Interface

  • REST API: Yes
  • GraphQL: No
  • gRPC: No
  • MCP Server: Yes
  • SDK: No
  • Webhooks: No

Authentication

Methods: username_password, api_key
OAuth: No
Scopes: No

Wazuh API credentials (user/password or JWT token) required. Wazuh manager API endpoint URL required. Use read-only Wazuh API user for agent access. JWT tokens expire and require refresh.

Pricing

Model: freemium
Free tier: Yes
Requires CC: No

Wazuh open source is completely free. Wazuh Cloud managed service available. MCP from SOCFortress — established security company building Wazuh tooling.

Agent Metadata

  • Pagination: offset
  • Idempotent: Full
  • Retry Guidance: Not documented

Known Gotchas

  • Wazuh API JWT tokens expire (typically 15-minute default) — agents must handle token refresh
  • Wazuh API version compatibility — v4 vs v3 API differences
  • Security data is sensitive — ensure agent access is appropriately scoped
  • Large alert volumes can slow queries — use time-bounded queries
  • SOCFortress MCP — respected Wazuh community contributor
  • Wazuh manager URL and port (typically 55000) must be accessible from agent

Alternatives


Scores are editorial opinions as of 2026-03-06.
