Real-time Intelligence from Cortex XSIAM, XDR and Cloud, Natively in Your LLM of Choice
At Palo Alto Networks, we’re redefining what AI means for security teams. While we embed powerful AI capabilities natively across Cortex, we strongly believe that security operations must be “open by default” to any data source, third-party tool, or capability. When we work together as an industry, our customers win, and the adversary loses.
We are excited to announce the launch of the Cortex MCP Server, a significant advancement in our commitment to AI-native security operations. With this release, any AI client that supports MCP can now directly interact with Cortex - empowering customers to seamlessly connect, integrate, and extend our industry-leading capabilities into the AI tools of their choice.
At its core is the Model Context Protocol (MCP), a standard introduced by Anthropic in November 2024 that is rapidly gaining traction across the AI industry. MCP acts as a common language, helping AI models work seamlessly with other tools, software, and information sources by reducing the time and effort typically needed for custom integrations.
Currently in open beta, the Cortex MCP Server brings real-time intelligence from Cortex to your preferred LLM application, such as Claude for Desktop. This allows you to leverage Cortex data and insights directly within your existing AI workflows, making it accessible via natural language queries, complementing the native Cortex Agentic Assistant already available within the platform.
This server was built for operational simplicity and flexible customization. You get full control over how and where it runs, with the flexibility to deploy it locally in your preferred environment.
Out of the box, you can immediately use prebuilt tools to query and retrieve key Cortex data, including issues, cases, assets, endpoints, compliance results, and tenant metadata, so you can start building value on day one. As your needs grow, you can add custom tools for specific security processes or new automation scenarios.
A built-in auto-update mechanism ensures you receive the latest Palo Alto Networks releases while preserving your custom configurations, giving you both innovation and stability.
The Cortex MCP Server allows teams to use the platform’s industry-leading capabilities within their LLM or AI workflow of choice, benefiting:
- Case Management
Streamlines the handling and prioritization of security incidents, allowing security analysts to use LLM-powered guidance to review, prioritize, and update cases more efficiently. An analyst can ask, “What are my top open cases?” They can manage the severity and status of cases, and add notes, all with the added context, reasoning, and summarization that the LLM provides.
- Investigation
Empowers security teams with enhanced visibility and the ability to query their security data in natural language with their LLM of choice, in addition to Cortex’s native Agentic Assistant. For example, an analyst might want to estimate the blast radius of a specific indicator of compromise (IOC).
- Collaboration
Delivers a flexible orchestration layer for aiding and accelerating complex investigations involving multiple stakeholders and teams, helping analysts capture insights, share updates, and stay coordinated across investigations when using third-party AI workflow solutions.
A Day in the Life: SOC Analyst with Claude for Desktop
While Cortex offers best-in-class native AI for security operations, we recognize that you might wish to use another LLM tool as part of your broader AI ecosystem. Since Cortex is an open platform with industry-leading data, you can engage with it through external tools like Claude for Desktop.
A SOC analyst using Claude for Desktop can utilize the Cortex MCP Server to engage with Claude in natural language to conduct investigations.
Case Triage and Prioritization
The analyst starts by asking Claude to query the Cortex MCP Server for high-severity or urgent cases. In seconds, Claude pulls rich context from the Cortex Extended Data Lake (XDL), showing related issues, detailing affected assets and IOCs, showing the case timeline, and noting any automated actions already taken. With this full picture, the analyst can immediately identify which incidents require attention and prioritize them accordingly.
Investigation and Impact Assessment
Next, the analyst prompts Claude to help investigate the most critical case. The MCP Server enables the streamlined extraction of rich data from the Cortex platform, including event timelines, related assets and indicators, and detailed asset context, such as group, cloud account, type, and exposure level. Claude then lets the analyst tailor how that information is displayed, adjusting visualizations and views to fit the investigation. This allows the analyst to quickly gauge the business impact and determine whether escalation is warranted.
Case Enrichment and Collaboration
As the investigation unfolds, the analyst uses Claude to summarize findings, capture notes, and enrich the case - all through simple natural-language prompts. This makes collaboration effortless, keeping the case record clear and up-to-date.
Integrating AI into Your Daily Routine
The Cortex MCP Server represents a significant leap forward in integrating AI into your daily security operations. It simplifies communication between AI models and the Cortex platform, enhancing efficiency, accelerating investigations, and strengthening overall cyber defenses.
Want to see what AI-driven automation can do for your SOC? Schedule your Cortex XSIAM demo now.