Security engineering is a race against adversaries who move fast. Building detection rules, triaging alerts, investigating incidents, and automating response — every hour saved on tooling is an hour gained for actual security work. Claude Code with the VirusTotal and SIEM MCPs puts threat intelligence and log analysis at your fingertips.
The Challenge
Security engineers and developers deal with:
- Alert fatigue — SIEM systems generate thousands of alerts daily. Most are false positives. Building effective triage logic requires deep understanding of normal vs. anomalous behavior
- Threat intelligence integration — correlating indicators of compromise (IoCs) across multiple feeds and your internal data requires custom tooling
- Detection engineering — writing detection rules (YARA, Sigma, Snort) that catch real threats without generating noise is a specialized skill
- Incident response automation — when an incident hits, every minute counts. Automated playbooks for containment, investigation, and recovery can mean the difference between a minor event and a breach
VirusTotal MCP: Threat Intelligence in Your Terminal
The VirusTotal MCP connects Claude Code to the VirusTotal API, letting you look up file hashes, URLs, domains, and IP addresses for threat intelligence without leaving your development workflow.
{
  "mcpServers": {
    "virustotal": {
      "command": "npx",
      "args": ["-y", "@anthropic-community/mcp-virustotal"],
      "env": {
        "VIRUSTOTAL_API_KEY": "<YOUR_API_KEY>"
      }
    }
  }
}
Available Tools
- scan_hash — look up a file hash (MD5, SHA-1, SHA-256) for detection results across 70+ antivirus engines
- scan_url — check a URL against threat feeds and web scanners
- scan_domain — get domain reputation, DNS records, and associated malware
- scan_ip — check an IP address for malicious activity and geolocation
- get_behavior — retrieve sandbox analysis results for a file
SIEM MCP: Security Log Analysis
The SIEM MCP connects Claude Code to your SIEM platform (Elasticsearch/OpenSearch, Splunk, or compatible), letting you query security logs and build detection rules interactively.
{
  "mcpServers": {
    "siem": {
      "command": "npx",
      "args": ["-y", "@anthropic-community/mcp-siem"],
      "env": {
        "SIEM_URL": "https://your-elasticsearch.example.com:9200",
        "SIEM_API_KEY": "<YOUR_API_KEY>",
        "SIEM_INDEX_PATTERN": "security-*"
      }
    }
  }
}
Available Tools
- search_logs — query security logs with full-text search and filters
- get_aggregations — run aggregation queries (top talkers, event counts by type, time-series)
- get_alert_rules — list active detection rules
- create_alert_rule — create a new detection rule with conditions and actions
- investigate_entity — pull all logs related to a specific IP, user, or hostname
Workflow: Building a Threat Investigation Pipeline
1. VirusTotal MCP — a suspicious hash appears in your logs. Claude looks it up on VirusTotal, reads the detection results and behavior analysis, and summarizes the threat.
2. SIEM MCP — Claude searches your security logs for all activity related to the compromised host: network connections, process executions, file modifications. It identifies the initial access vector and lateral movement.
3. Slack MCP — alert the incident response team with a structured summary: what happened, what's affected, and recommended containment steps.
4. GitHub MCP — create a detection rule PR that would catch this attack pattern in the future. Claude writes the Sigma rule and corresponding SIEM query.
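As an added example (not code from this page or from the MCP servers it describes), the Python below does step 4 by hand and also illustrates the Sigma rule generation pattern in the next section: a constructed Sigma rule with a hypothetical noise filter is translated into an Elasticsearch bool query using an assumed ECS-style field mapping, and the same rule is evaluated locally so it can be checked against sample events before it is created in the SIEM.

```python
SIGMA_RULE = {  # constructed rule, hypothetical pattern: PowerShell pulling remote content
    "title": "PowerShell Remote Content Download",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "powershell.exe",
                      "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"]},
        "filter": {"User|endswith": "SYSTEM"},  # assumed noise filter
        "condition": "selection and not filter",
    },
}
# Assumed mapping from Sigma field names to the SIEM's ECS-style fields.
FIELD_MAP = {"Image": "process.executable", "CommandLine": "process.command_line",
             "User": "user.name"}
PATTERNS = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}  # Sigma modifier -> ES wildcard

def _values(value):
    return value if isinstance(value, list) else [value]

def _es_clause(field, value):
    # One Sigma field/value pair -> one Elasticsearch bool clause.
    name, _, modifier = field.partition("|")
    es_field = FIELD_MAP.get(name, name)
    if not modifier:
        return {"terms": {es_field: _values(value)}}
    should = [{"wildcard": {es_field: {"value": PATTERNS[modifier].format(v),
                                        "case_insensitive": True}}}
              for v in _values(value)]
    return {"bool": {"should": should, "minimum_should_match": 1}}

def sigma_to_es(rule):
    det = rule["detection"]  # only the 'selection and not filter' condition is handled (assumption)
    return {"query": {"bool": {
        "must": [_es_clause(f, v) for f, v in det["selection"].items()],
        "must_not": [_es_clause(f, v) for f, v in det.get("filter", {}).items()]}}}

def _event_matches(field, value, event):
    # Case-insensitive local check of one Sigma field/value pair against an event.
    name, _, modifier = field.partition("|")
    actual = str(event.get(FIELD_MAP.get(name, name), "")).lower()
    checks = {"": lambda v: actual == v, "contains": lambda v: v in actual,
              "startswith": actual.startswith, "endswith": actual.endswith}
    return any(checks[modifier](str(v).lower()) for v in _values(value))

def sigma_matches(rule, event):
    # Evaluate the rule locally, e.g. to test it before creating it in the SIEM.
    det, flt = rule["detection"], rule["detection"].get("filter", {})
    hit = all(_event_matches(f, v, event) for f, v in det["selection"].items())
    excluded = bool(flt) and all(_event_matches(f, v, event) for f, v in flt.items())
    return hit and not excluded
```

The generated query is what you would hand to search_logs or attach to create_alert_rule; the local evaluator is a cheap way to catch a rule that matches nothing, or everything, before it reaches production.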
Detection Engineering Patterns
Claude Code excels at security tasks that are repetitive but require precision:
- Sigma rule generation — describe the attack pattern in plain language, get a Sigma rule
- Log parser development — build parsers for custom log formats
- IoC extraction — pull indicators from threat reports and create detection rules
- Playbook automation — turn manual runbooks into automated response scripts
More Resources on claudemcp.io
- VirusTotal MCP — file, URL, domain, and IP threat intelligence
- SIEM MCP — security log queries and detection rule management
- Sentry MCP — application error monitoring
- GitHub MCP — detection rule management
- Slack MCP — incident communication
Get Started
Browse all security resources at claudemcp.io/browse or read the setup guide.