Panther MCP Server

Panther's Model Context Protocol (MCP) server provides functionality to:

1. Write and tune detections from your IDE
2. Interactively query security logs using natural language
3. Triage, comment, and resolve one or many alerts

Available Tools

Panther Configuration

Follow these steps to configure your API credentials and environment.

1. Create an API token in Panther:

   • Navigate to Settings (gear icon) → API Tokens

   • Create a new token with the following permissions (recommended read-only approach to start):

   • 

2. Store the generated token securely (e.g., 1Password)

3. Copy the Panther instance URL from your browser (e.g., https://YOUR-PANTHER-INSTANCE.domain)

   • Note: This must include https://

MCP Server Installation

Choose one of the following installation methods:

Docker (Recommended)

The easiest way to get started is using our pre-built Docker image:

{
  "mcpServers": {
    "mcp-panther": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "-e", "PANTHER_INSTANCE_URL",
        "-e", "PANTHER_API_TOKEN",
        "--rm",
        "ghcr.io/panther-labs/mcp-panther"
      ],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-API-KEY"
      }
    }
  }
}

UVX

For Python users, you can run directly from PyPI using uvx:

1. Install UV

2. Configure your MCP client:

{
  "mcpServers": {
    "mcp-panther": {
      "command": "uvx",
      "args": ["mcp-panther"],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}

MCP Client Setup

Cursor

Follow the instructions here to configure your project or global MCP configuration. It's VERY IMPORTANT that you do not check this file into version control.

Once configured, navigate to Cursor Settings > MCP to view the running server:

Tips:

• Be specific about where you want to generate new rules by using the @ symbol and then typing a specific directory.
• For more reliability during tool use, try selecting a specific model, like Claude 3.7 Sonnet.
• If your MCP Client is failing to find any tools from the Panther MCP Server, try restarting the Client and ensuring the MCP server is running. In Cursor, refresh the MCP Server and start a new chat.

Claude Desktop

To use with Claude Desktop, manually configure your claude_desktop_config.json:

1. Open the Claude Desktop settings and navigate to the Developer tab
2. Click "Edit Config" to open the configuration file
3. Add the following configuration:

{
  "mcpServers": {
    "mcp-panther": {
      "command": "uvx",
      "args": ["mcp-panther"],
      "env": {
        "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
        "PANTHER_API_TOKEN": "YOUR-PANTHER-API-TOKEN"
      }
    }
  }
}

4. Save the file and restart Claude Desktop

If you run into any issues, try the troubleshooting steps here.

Goose CLI

Use with Goose CLI, Block's open-source AI agent:

# Start Goose with the MCP server
goose session --with-extension "uvx mcp-panther"

Goose Desktop

Use with Goose Desktop, Block's open-source AI agent:

From 'Extensions' -> 'Add custom extension' provide your configuration information.

Running the Server

The MCP Panther server supports multiple transport protocols:

STDIO (Default)

For local development and MCP client integration:

uv run python -m mcp_panther.server

Streamable HTTP

For running as a persistent web service:

docker run \
  -e PANTHER_INSTANCE_URL=https://instance.domain/ \
  -e PANTHER_API_TOKEN= \
  -e MCP_TRANSPORT=streamable-http \
  -e MCP_HOST=0.0.0.0 \
  -e MCP_PORT=8000 \
  --rm -i -p 8000:8000 \
  ghcr.io/panther-labs/mcp-panther

You can then connect to the server at http://localhost:8000/mcp.

To test the connection using FastMCP client:

import asyncio
from fastmcp import Client

async def test_connection():
    async with Client("http://localhost:8000/mcp") as client:
        tools = await client.list_tools()
        print(f"Available tools: {len(tools)}")

asyncio.run(test_connection())

Environment Variables

• MCP_TRANSPORT: Set transport type (stdio or streamable-http)
• MCP_PORT: Port for HTTP transport (default: 3000)
• MCP_HOST: Host for HTTP transport (default: 127.0.0.1)
• MCP_LOG_FILE: Log file path (optional)

Security Best Practices

We highly recommends the following MCP security best practices:

• Apply strict least-privilege to Panther API tokens. Scope tokens to the minimal permissions required and bind them to an IP allow-list or CIDR range so they're useless if exfiltrated. Rotate credentials on a preferred interval (e.g., every 30d).
• Host the MCP server in a locked-down sandbox (e.g., Docker) with read-only mounts. This confines any compromise to a minimal blast radius.
• Monitor credential access to Panther and monitor for anomalies. Write a Panther rule!
• Run only trusted, officially signed MCP servers. Verify digital signatures or checksums before running, audit the tool code, and avoid community tools from unofficial publishers.

Troubleshooting

Check the server logs for detailed error messages: tail -n 20 -F ~/Library/Logs/Claude/mcp*.log. Common issues and solutions are listed below.

Running tools

• If you get a {"success": false, "message": "Failed to [action]: Request failed (HTTP 403): {\"error\": \"forbidden\"}"} error, it likely means your API token lacks the particular permission needed by the tool.
• Ensure your Panther Instance URL is correctly set. You can view this in the config://panther resource from your MCP Client.

Contributing

We welcome contributions to improve MCP-Panther! Here's how you can help:

1. Report Issues: Open an issue for any bugs or feature requests
2. Submit Pull Requests: Fork the repository and submit PRs for bug fixes or new features
3. Improve Documentation: Help us make the documentation clearer and more comprehensive
4. Share Use Cases: Let us know how you're using MCP-Panther and what could make it better

Please ensure your contributions follow our coding standards and include appropriate tests and documentation.

Contributors

This project exists thanks to all the people who contribute. Special thanks to Tomasz Tchorz and Glenn Edwards from Block, who played a core role in launching MCP-Panther as a joint open-source effort with Panther.

See our CONTRIBUTORS.md for a complete list of contributors.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.