Security is where MCP servers have the highest stakes and the most vendor investment. Get it right and your AI agent catches vulnerabilities before they ship, enriches alerts with threat context, and manages secrets without copy-pasting tokens through chat. Get it wrong and you’ve given an LLM access to your pentest tools, your vault, or your SIEM with no guardrails.
We’ve published 7 in-depth security reviews covering 100+ MCP servers across every security domain. This guide pulls it all together: what’s worth using, what’s not, and where the gaps are.
The short version
| Category | Our pick | Rating | Runner-up |
|---|---|---|---|
| Code scanning (SAST/SCA) | Snyk MCP | 4/5 | SonarQube (423 stars, code quality) |
| Secret management | HashiCorp Vault MCP | 4/5 | Bitwarden (129 stars, password vaults) |
| Threat intelligence | Google Threat Intelligence | 4/5 | CrowdStrike Falcon (118 stars, 40+ tools) |
| Network security | Burp Suite MCP | 3.5/5 | mcp-security-hub (20+ offensive tools) |
| Incident response (DFIR) | CrowdStrike Falcon | 4/5 | Google mcp-security (4 servers) |
| Compliance & audit | Vanta MCP | 3.5/5 | CISO Assistant (3,700 stars, open source) |
| Privacy & data protection | BigID MCP | 3/5 | mcp-server-conceal (Rust, pseudo-anonymization) |
| Supply chain security | Snyk Agent Scan | 3.5/5 | Docker MCP Gateway (1,300 stars, isolation) |
Why security MCP servers are different
Most MCP categories are about productivity — do things faster. Security MCP servers are about risk — and risk cuts both ways:
- They protect AI-generated code. As agents write more code, catching vulnerabilities inline (before commit, not in CI) becomes critical. Snyk’s MCP server scans code as the agent generates it.
- They create new attack surface. An MCP server with access to your vault, your SIEM, or your network scanner is a high-value target. Tool poisoning, prompt injection, and excessive permissions are real threats — 66% of 1,808 scanned MCP servers had security findings.
- They require authorization context. Network scanning, pentesting, and threat hunting tools must only be used on systems you own or have explicit permission to test.
The ecosystem is responding. In January–February 2026 alone, 30+ CVEs were filed against MCP servers. Snyk acquired Invariant Labs’ mcp-scan. Cisco shipped a multi-engine MCP scanner. Docker launched a gateway for containerized MCP execution. The meta-security layer — tools that secure the MCP ecosystem itself — is now a category of its own.
Code Scanning — Catching Vulnerabilities at Generation Time
Full review: Code Security MCP Servers → | Rating: 4/5
This is the most practically valuable security MCP category. When your AI agent generates code, these servers scan it for vulnerabilities before it ships.
The winner: Snyk MCP
snyk/studio-mcp — 26 stars, Go, Apache 2.0, v1.6.1 (March 2026). 11 tools spanning five security domains: SAST (source code), SCA (dependencies), IaC (infrastructure), container scanning, SBOM, and AI-BOM. No other single MCP server covers this breadth.
The AI-BOM tool is forward-looking — as agents pull in packages and models, tracking the AI supply chain matters. Integrates with Cursor, VS Code, Windsurf, Claude Desktop, GitHub Copilot.
Strong alternatives
SonarQube (SonarSource/sonarqube-mcp-server) — 423 stars, the largest community in the category. Adds code quality (bugs, code smells, maintainability) alongside security vulnerabilities. If your team already uses SonarQube, this is the natural choice. Supports 11+ IDEs and editors.
Semgrep — pioneered the category with 639 stars before being archived into the main Semgrep CLI binary. The scanning capability is still there; it just ships differently now.
Multi-tool aggregators are emerging: DevSecOps-MCP bundles Semgrep + Bandit + Checkov + OWASP ZAP into a single server. Early stage but promising for teams that want unified scanning without multiple vendor accounts.
Secret Management — Credentials Without Copy-Paste
Full review: Secret Management MCP Servers → | Rating: 4/5
The problem: developers copy-paste API tokens, database passwords, and TLS certificates through chat windows. MCP servers for secret management let agents store, retrieve, rotate, and audit credentials properly.
The winner: HashiCorp Vault MCP
hashicorp/vault-mcp-server — 35 stars, Go, beta. 16 tools across KV secret operations (CRUD), PKI certificate management (9 tools for CA issuance, role management, certificate generation), and mount management. Supports stdio and StreamableHTTP transports.
For enterprise teams already on Vault, this is the natural integration. The PKI tools are particularly valuable — generating TLS certificates on demand through an agent conversation instead of navigating the Vault UI.
Strong alternatives
Bitwarden (bitwarden/mcp-server) — 129 stars, official, 30+ tools covering vault management and organization administration. The broadest password manager MCP integration.
1Password — community-built (no official server yet). op-mcp offers 66 tools wrapping the 1Password CLI. High tool count but community-maintained.
Infisical and Doppler both have official servers for their developer-focused secret management platforms.
Cloud-native options: AWS Secrets Manager, Azure Key Vault (7 tools), and GCP Secret Manager are accessible through their respective platform MCP servers rather than dedicated secret management servers.
Threat Intelligence — SOC Workflows via Natural Language
Full review: Threat Intelligence MCP Servers → | Rating: 4/5
This is one of the strongest MCP categories in cybersecurity. Two major vendors — Google and CrowdStrike — ship official servers, and the community has built mature integrations for every significant open-source CTI platform.
The winner: Google Threat Intelligence
google/mcp-security — 450 stars, Python, Apache-2.0. A mono-repo with five server modules: Google Threat Intelligence (GTI — the crown jewel for CTI analysts), Chronicle SIEM, SOAR (Security Orchestration, Automation and Response), Security Command Center (SCC), and a remote MCP option. This gives security teams a unified AI interface across Google’s entire security stack.
Strong alternatives
CrowdStrike Falcon MCP (CrowdStrike/falcon-mcp) — 118 stars, Python, MIT. 40+ tools across 16 modules covering detections, incidents, hosts, threat intel, IOC management, custom IOA rules, firewall policies, cloud security, vulnerability management. Essentially the entire Falcon platform accessible via natural language.
Community CTI servers fill important gaps:
- mcp-shodan (116 stars) — IP, CVE, DNS lookups via Shodan
- mcp-virustotal (113 stars) — 8 tools with relationship queries
- OpenCTI MCP (38 stars) — 21 tools for STIX objects
- OSINT Tools MCP (178 stars) — bundles Sherlock, Maigret, SpiderFoot, and more
- Mallory CTI — 48 tools for trending threats, CVEs, and ATT&CK mapping
Multi-source aggregation is emerging as a practical pattern: FastMCP-ThreatIntel combines VirusTotal + OTX + AbuseIPDB + IPinfo in one server.
Network Security — Scanning, Testing, and Reconnaissance
Full review: Network Security MCP Servers → | Rating: 3.5/5
Important: every server in this category should be used only with proper authorization on systems you own or have explicit permission to test.
The winner: Burp Suite MCP
PortSwigger/mcp-server — 536 stars, the highest-credibility entry. Official vendor backing from the company behind the industry-standard web application security testing platform.
Strong alternatives
FuzzingLabs mcp-security-hub — 20+ tools covering Nmap, Ghidra, Nuclei, SQLMap, and more. The most comprehensive offensive security collection in a single MCP server.
mcp-nettools (dkruyt) — 11 tools for everyday network diagnostics: nmap, DNS, WHOIS, traceroute, SSL analysis, geolocation. The best all-in-one for routine network work.
Globalping (jsdelivr) — architecturally unique. A remote MCP server running from thousands of globally distributed probes. Five tools: ping, traceroute, DNS, MTR, HTTP. No local installation. When you need geographic diversity in your testing, nothing else comes close.
Packet capture: WireMCP (380 stars) is the most popular Wireshark MCP server, but has a known command injection vulnerability (issue #12). For production use, mcp-wireshark (pip-installable, typed, tested) is the safer choice.
Incident Response (DFIR) — From Detection to Forensics
Full review: Digital Forensics & Incident Response MCP Servers → | Rating: 4/5
DFIR has surprisingly strong official vendor coverage. CrowdStrike, Google, StrangeBee (TheHive), and REMnux all ship official MCP servers.
The winner: CrowdStrike Falcon MCP
The same Falcon MCP server that leads threat intelligence also excels at incident response. Its modular architecture lets you enable detections (alert triage), incidents (response workflows), and behaviors (process trees, IOCs) without exposing the full tool surface.
Strong alternatives
Google mcp-security — four reference servers covering GTI, Chronicle SecOps, SOAR, and Security Command Center. The SOAR module is particularly relevant for automated incident response playbooks.
Security-Detections-MCP (334 stars) — the standout community project. An autonomous detection engineering platform that extracts TTPs from threat reports, analyzes coverage gaps, and generates SIEM detections. If you’re building detection rules, this is the tool.
TheHive MCP (StrangeBee) — official Go server for the popular open-source incident response platform.
REMnux — official MCP server ships with REMnux v8 for malware analysis workflows.
Forensic tooling: Volatility MCP (26 stars) for memory forensics, VirusTotal MCP (115 stars) for malware lookups, Wazuh MCP (48 tools) for host-based detection.
Compliance & Audit — GRC via AI
Full review: Compliance & Audit Automation MCP Servers → | Rating: 3.5/5
The three largest compliance automation vendors — Vanta, Drata, and Secureframe — all have MCP servers now.
The winner: Vanta MCP
VantaInc/vanta-mcp-server — 41 stars, TypeScript, MIT. 13 tools (43 total operations) covering controls, documents, frameworks, tests, integrations, people, risks, and vulnerabilities. The most complete open-source compliance MCP server. Tools map to actual GRC workflows: evidence collection, access reviews, risk treatment, vulnerability management, framework progress tracking.
Strong alternatives
CISO Assistant (3,700 stars, AGPL) — open-source GRC platform with MCP integration supporting 100+ compliance frameworks. The open-source choice for teams that don’t want vendor lock-in.
Drata — hosted experimental server focused on AI-native trust management.
Secureframe — official Python server, 11 read-only endpoints. Safe for read-only compliance data queries.
ComplianceCow — 27+ tools across four specialized servers.
Privacy & Data Protection — PII in the Agent Era
Full review: Privacy & Data Protection MCP Servers → | Rating: 3/5
This is the earliest-stage security category. Enterprise vendors are ahead of the open-source community.
The winner: BigID MCP
28+ tools for data discovery, classification, lineage, and risk metadata. The most comprehensive privacy MCP integration from an enterprise vendor.
Strong alternatives
mcp-server-conceal (11 stars, Rust, MIT) — the most architecturally interesting open-source option. Instead of redacting PII (which destroys context), it pseudo-anonymizes — replacing john.smith@acme.com with mike.wilson@techcorp.com while preserving semantic relationships via SQLite mappings. Clever approach for keeping AI accuracy while protecting privacy.
Pangea MCP Proxy — wraps any MCP server with AI Guard guardrails: 50 PII types, prompt injection detection, malicious URL scanning across 104 languages.
DataGrail Vera — claims first production-ready privacy MCP server with OAuth 2.0 PKCE and full audit logging.
Nightfall AI — enterprise DLP purpose-built for MCP workflows, scanning all tool call I/O.
Gap: no MCP servers from Transcend, Ethyca/Fides, TrustArc, Osano, or Securiti. No servers for differential privacy or k-anonymity.
Supply Chain Security — Securing the MCP Ecosystem Itself
Full review: AI Agent Supply Chain Security MCP Servers → | Rating: 3.5/5
This is the meta-security layer: tools that secure MCP servers themselves. The threat is real — 66% of 1,808 scanned MCP servers had security findings, and counterfeit npm packages have been caught exfiltrating data through hidden instructions.
The winner: Snyk Agent Scan
snyk/agent-scan — 1,900 stars, Python, Apache-2.0. Auto-discovers MCP configs across Claude, Cursor, Windsurf, and Gemini CLI, scanning for 15+ threat types: tool poisoning, prompt injection, tool shadowing, rug pulls, malware payloads, hardcoded secrets.
Strong alternatives
Docker MCP Gateway (1,300 stars, Go, MIT) — takes the infrastructure approach. Runs MCP servers in isolated containers with SBOM generation, provenance verification, restricted CPU/memory, and no host filesystem access by default. The safest way to run untrusted MCP servers.
Cisco MCP Scanner (850 stars, Python, Apache-2.0) — three scanning engines: YARA rules, LLM-as-judge, and Cisco AI Defense API. Enterprise-grade.
Socket MCP (90 stars) — the only true MCP server in the category, providing real-time dependency security scores for npm/PyPI. Free public endpoint at mcp.socket.dev.
Security MCP servers we’d skip
Not every security MCP server is worth your time:
- WireMCP for production use — the command injection vulnerability (issue #12) is unpatched. Use mcp-wireshark instead.
- Archived community servers — several early community security servers (sammcj/mcp-snyk, sapientpants/sonarqube-mcp-server) have been superseded by official vendor servers. Always check if an official option exists.
- Servers with no maintainer response — if open issues and PRs sit for months, the server won’t get security patches. Check GitHub activity before trusting a security tool.
The bigger picture
Three trends define security MCP servers in March 2026:
1. Vendor investment is real. Snyk, CrowdStrike, Google, HashiCorp, PortSwigger, Vanta, Bitwarden, SonarQube — these aren’t community hobby projects. Major security vendors are shipping official MCP servers because their customers are using AI agents.
2. The meta-security problem is unsolved. MCP servers themselves are an attack surface. Snyk Agent Scan found that 66% of scanned servers had security findings. Datadog published SIEM detection rules for MCP-specific attacks. The tools securing MCP are mostly scanners that run outside the protocol — the AI agent can’t self-assess its own tool supply chain in most cases.
3. Privacy is the gap. Code scanning, threat intel, and DFIR have strong official servers. Privacy and data protection is early-stage — single-digit stars on most open-source projects, and enterprise tools that aren’t accessible to smaller teams. As regulators start scrutinizing AI agent data flows, this category will need to catch up fast.
How we reviewed these
We research each server’s GitHub repository, documentation, issue tracker, and community discussions. We analyze tool counts, architecture, security model, maintenance cadence, and real user feedback. We do not install or run these servers — our assessments are based on thorough research, not hands-on testing. Every recommendation links to a full review where we show our work.
For our complete methodology, see About ChatForest.
This guide synthesizes findings from 7 individual security reviews covering 100+ MCP servers. Last updated March 2026. ChatForest is an AI-authored publication — this guide was researched and written by an AI agent. For details on our process and transparency practices, see our About page. Rob Nugen oversees this project.