Introducing Velociraptor MCP Server: Bringing DFIR and AI Together for Smarter Investigations

https://github.com/socfortress/velociraptor-mcp-server

Why We Built This

Digital forensics and incident response (DFIR) teams rely on tools like Velociraptor for deep visibility across endpoints. Velociraptor is incredibly powerful, but leveraging its data often requires knowledge of complex VQL queries, scripting, or direct API calls.

At the same time, Large Language Models (LLMs) like GPT-4 have shown that natural language can be a transformative interface for exploring and analyzing data. The challenge is securely and reliably bridging the gap between DFIR data and conversational AI.

That’s why we built the Velociraptor MCP Server.

What Is the Velociraptor MCP Server?

The Velociraptor MCP Server is a Model Context Protocol (MCP) server that acts as a secure bridge between Velociraptor and LLMs. It exposes Velociraptor’s API capabilities as “tools” that an AI model can call, enabling natural language interactions with endpoint and DFIR data.

Instead of writing raw API requests or crafting SQL-like VQL queries, analysts can now simply ask questions like:

“Show me the active network connections of the endpoint agent.”

…and get structured, actionable data back from Velociraptor, ready for further analysis or automated workflows.

How It Works

Under the hood, the Velociraptor MCP Server provides:

  • Production-Ready Deployment

Built for real-world use cases and security operations.

  • Pip-installable

Quick and easy installation into Python environments.

  • LLM Integration

Works seamlessly with frameworks like LangChain, enabling AI-driven workflows.

Exposes Tools for Common Velociraptor Operations

  • Listing clients/endpoints
  • Running hunts or artifacts
  • Retrieving process lists
  • Accessing collected artifact data
  • And more

Example Use Case

Imagine a DFIR analyst working alongside GPT-4 integrated through LangChain. Instead of writing VQL queries or Python scripts to gather process data, the analyst could simply say:

“Show me all running processes on endpoint WIN-1234.”

Behind the scenes, the LLM calls the MCP tool, communicates securely with Velociraptor’s API, and returns the results — all without the analyst ever leaving a natural language interface.

This dramatically reduces friction during incident response, threat hunting, and investigations.

Quick Start

You can install the server directly from GitHub:

python -m venv .venv && source .venv/bin/activate
pip install git+https://github.com/socfortress/velociraptor-mcp-server.git

Configure your environment. Note that the sample below is a lab configuration: VELOCIRAPTOR_SSL_VERIFY=false disables verification of the Velociraptor API's TLS certificate, so set it to true on anything other than a throwaway test server, and keep MCP_SERVER_HOST on 127.0.0.1 unless your LLM integration genuinely runs on another host.

# Velociraptor Server Configuration
VELOCIRAPTOR_API_KEY=/path/to/api.config.yaml
VELOCIRAPTOR_SSL_VERIFY=false
VELOCIRAPTOR_TIMEOUT=30

# MCP Server Configuration
MCP_SERVER_HOST=127.0.0.1
MCP_SERVER_PORT=8000

# Logging Configuration
LOG_LEVEL=INFO

# Tool Filtering (optional)
# VELOCIRAPTOR_DISABLED_TOOLS=CollectArtifactTool,RunVQLQueryTool

Then run the server:

python -m velociraptor_mcp_server

By default, the server listens on http://127.0.0.1:8000 and is ready to handle requests from your LLM integrations.
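The Quick Start above sets the server up with a .env file and, optionally, a list of tools the model must not be allowed to call. The following is an added example, not code from the velociraptor-mcp-server project, showing how such a configuration is parsed, validated and enforced at dispatch time. The variable names and the two tool names CollectArtifactTool and RunVQLQueryTool are taken from the post's configuration block; the remaining tool names, the warning rules and the dispatch() helper are assumptions made for illustration.

```python
"""Load a velociraptor-mcp-server style .env and enforce its tool filter.

Added example, not the project's own code. Only the variable names and the
tool names CollectArtifactTool / RunVQLQueryTool come from the post; the other
tool names, the warning rules and dispatch() are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed sample .env, mirroring the shape of the post's Quick Start block.
SAMPLE_ENV = """\
# Velociraptor Server Configuration
VELOCIRAPTOR_API_KEY=/path/to/api.config.yaml
VELOCIRAPTOR_SSL_VERIFY=false
VELOCIRAPTOR_TIMEOUT=30

# MCP Server Configuration
MCP_SERVER_HOST=127.0.0.1
MCP_SERVER_PORT=8000

# Logging Configuration
LOG_LEVEL=INFO

# Tool Filtering (optional)
VELOCIRAPTOR_DISABLED_TOOLS=CollectArtifactTool,RunVQLQueryTool
"""

# Hypothetical tool catalogue; only the two names that the post disables are real.
ALL_TOOLS = frozenset({
    "ListClientsTool", "GetProcessListTool", "GetArtifactResultsTool",
    "CollectArtifactTool", "RunVQLQueryTool",
})
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_env(text):
    """Turn KEY=VALUE lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def env_bool(value):
    return value.strip().lower() in {"1", "true", "yes", "on"}


@dataclass
class ServerConfig:
    api_config_path: str
    ssl_verify: bool
    timeout: int
    host: str
    port: int
    enabled_tools: frozenset
    warnings: list = field(default_factory=list)


def build_config(cfg, catalogue=ALL_TOOLS):
    """Validate the parsed env and compute the set of tools the model may call."""
    if "VELOCIRAPTOR_API_KEY" not in cfg:
        raise ValueError("VELOCIRAPTOR_API_KEY (path to api.config.yaml) is required")
    raw_disabled = cfg.get("VELOCIRAPTOR_DISABLED_TOOLS", "")
    disabled = {t.strip() for t in raw_disabled.split(",") if t.strip()}
    unknown = disabled - catalogue
    if unknown:
        # A typo in the deny list would silently leave a tool enabled; fail closed.
        raise ValueError(f"VELOCIRAPTOR_DISABLED_TOOLS names unknown tools: {sorted(unknown)}")
    host = cfg.get("MCP_SERVER_HOST", "127.0.0.1")
    ssl_verify = env_bool(cfg.get("VELOCIRAPTOR_SSL_VERIFY", "true"))
    warnings = []
    if not ssl_verify:
        warnings.append("VELOCIRAPTOR_SSL_VERIFY=false: API TLS certificate is not checked")
    if host not in LOOPBACK:
        warnings.append(f"MCP_SERVER_HOST={host}: server is reachable beyond loopback")
    return ServerConfig(
        api_config_path=cfg["VELOCIRAPTOR_API_KEY"],
        ssl_verify=ssl_verify,
        timeout=int(cfg.get("VELOCIRAPTOR_TIMEOUT", "30")),
        host=host,
        port=int(cfg.get("MCP_SERVER_PORT", "8000")),
        enabled_tools=frozenset(catalogue - disabled),
        warnings=warnings,
    )


def dispatch(config, tool_name, handlers):
    """Route a tool call requested by the model. Disabled or unknown tools are
    refused before any handler runs; handlers maps tool name -> callable."""
    if tool_name not in config.enabled_tools:
        raise PermissionError(f"tool {tool_name} is not enabled on this server")
    return handlers[tool_name]()


if __name__ == "__main__":
    conf = build_config(parse_env(SAMPLE_ENV))
    for w in conf.warnings:
        print("WARNING:", w)
    print("enabled tools:", sorted(conf.enabled_tools))
```

The point of checking the deny list against the catalogue is that a misspelled entry in VELOCIRAPTOR_DISABLED_TOOLS should stop the server from starting rather than quietly leave artifact collection or arbitrary VQL exposed to the model; the refusal in dispatch() then makes the filter hold even if a prompt talks the model into requesting a tool it was never offered.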

Benefits for DFIR Teams

Here’s why this matters:

Natural Language Operations

Empower analysts to query Velociraptor using plain English, reducing barriers and speeding up investigations.

Faster Incident Response

Eliminate manual steps and coding for many common tasks.

AI-Driven DFIR

Integrate LLMs into your DFIR workflows without giving up control over what they can do: tools that act on endpoints, such as the CollectArtifactTool and RunVQLQueryTool shown in the configuration example, can be switched off with VELOCIRAPTOR_DISABLED_TOOLS.

Open Source and Extensible

Freely available for the community, with room for custom integrations and contributions.

Get Started

If you’re interested in exploring how AI can elevate your DFIR operations: https://github.com/socfortress/velociraptor-mcp-server

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Original link: https://socfortress.medium.com/introducing-velociraptor-mcp-server-bringing-dfir-and-ai-together-for-smarter-investigations-a5545f347f49?source=rss-36613248f635------2