AI & DETECTION · 8 MIN

Model Context Protocol for Security Teams: How AI Agents Ask, Investigate, Summarize, and Spot Trends

How SOC teams use MCP to ask, investigate, summarize, and spot trends across security tools — by QMasters CTO Gregori Nazarovsky.

Gregori Nazarovsky, CTO — QMasters· CTO· 2026-07-14
TL;DR

What is Model Context Protocol and how do security teams use it?

Model Context Protocol (MCP) is an open standard that defines how an AI model connects to external systems — a SIEM, an email-security platform, a ticketing tool — through a common client-server interface. Security teams use it in four ways: (1) Ask — natural-language questions against a SIEM or email platform without writing AQL or KQL; (2) Investigate — multi-step cross-tool pivoting where the model chains tool calls at run time under analyst direction; (3) Summarize — compressing thousands of events or alerts into a shift-handoff paragraph; (4) Trend analysis — the model composes aggregation queries and the tool returns the numbers, surfacing week-over-week patterns. Safety requires that the server — not the model — enforces all guardrails: read-only access by default, least-privilege credentials, deterministic time and result caps, and full audit logging.

Model Context Protocol for Security Teams: How AI Agents Ask, Investigate, Summarize, and Spot Trends

Model Context Protocol (MCP) is an open standard, introduced by Anthropic in November 2024 and since adopted across the major AI vendors, that defines how an AI model connects to external systems — a SIEM, an email-security platform, a ticketing tool — through a common client-server interface. For a security operations center, that plain sentence hides the interesting part. Load a QRadar server and an email-security server into the same AI session, and an analyst can start from a SIEM offense and pivot straight into "did this mailbox receive anything malicious in the hour before the alert?" — in ordinary English, with no point-to-point integration built between the two products. This post breaks down how security teams use MCP to do four things — ask, investigate, summarize, and spot trends — and, just as importantly, how to do it without handing a language model the keys to production.

!An abstract illustration of critical context connecting to a central hub

MCP connects an AI model to the systems that hold your context. Source: Anthropic — Introducing the Model Context Protocol.

What Is the Model Context Protocol (MCP)?

MCP is a protocol, not a product. An MCP server wraps a system and exposes a set of typed, described tools — "search events," "get offense summary," "list quarantined mail." An MCP client (the AI application — Claude, an IDE, a chat surface) discovers those tools and calls them. The model reads each result and decides what to call next.

The origin matters for trust: MCP is open and vendor-neutral. You build one server per security tool, and it works with any MCP-capable client. The integration is portable — not welded to one model, one vendor, or one chat window.

MCP Is Not Just Another API

Every SOC already integrates tools over REST APIs. So why does a protocol change anything?

Because MCP moves the integration boundary from who can call the API to who composes the investigation. With a REST API or a SOAR playbook, a human or a pre-written script decides the call sequence in advance. With MCP, the model plans and chains the calls at run time — query, read the result, refine, pivot. The unit of value is the loop, not a single answer. A chatbot bolted onto a SIEM answers one question. An MCP-connected model conducts a line of inquiry.

There's an economic argument too. Traditional integration is an N×M problem: every model or interface needs a bespoke connector to every tool. MCP collapses that to N+M — one server per system, one client per surface. Put simply:

APIs make systems accessible to programs. MCP makes systems legible to a reasoning engine that decides what to call next.

!Model Context Protocol component diagram showing host, client, and server

The client–server shape of MCP: one host, one client per server, one server per system. Source: Wikimedia Commons (CC BY-SA).

Why This Matters for the SOC

Two things slow a security operations center down. Tools are siloed, and each one speaks its own query language. An analyst who wants to answer a simple question — how many offenses fired overnight, and what drove them? — has to know AQL for QRadar, KQL for the next platform, a search grammar for the email gateway, and a ticketing filter for the queue. Query fluency, not judgment, becomes the bottleneck.

MCP shifts the interaction from dashboards to conversation, and from single queries to agentic access across several tools at once. But the part a CISO should care about is architectural: the reasoning lives in the client, and the policy lives in the server. The model is nondeterministic. The guardrails are not. Time limits, result caps, and read-only surfaces are enforced in code, at the server — the model cannot talk its way past them. That separation is what makes any of this safe enough to consider.

Four Ways Security Teams Use MCP — Ask, Investigate, Summarize, Trend

Think of these four verbs as one loop at increasing depth. Each adds iterations and reach.

1. Ask — Natural-Language Questions Against Your Tools

The entry point is a single question that becomes one or two tool calls.

Against a SIEM: "How many offenses fired overnight, and which log sources drove them?" becomes an AQL query the analyst never had to write. Against an email-security platform: "What's the verdict mix for our domain over the last seven days?" returns counts by verdict — clean, spam, malicious, blocked, suspicious — computed inside the tool and handed back as a summary.

That last detail is the discipline that makes "ask" viable: the aggregation happens in the security platform, and only the summary crosses the wire. It's good for latency, and it's good for data minimization — the raw events never leave the tenant.

2. Investigate — Multi-Step, Cross-Tool Pivoting

Investigation is where the loop earns its keep. Start from an offense. Pull the underlying events. Notice a user and a time window. Refine the query. Then pivot to a different tool entirely: did that user receive anything flagged suspicious or malicious in the window before the alert?

No one wrote that sequence in advance. The analyst directs; the model does the iteration legwork across two systems that were never integrated with each other — only with MCP. This is the swivel-chair problem dissolving in real time.

3. Summarize — Compression for Humans

Alerts are verbose; humans are not. MCP is very good at turning volume into a paragraph: a shift-handoff digest of open offenses, a noisy offense with thousands of events reduced to time bounds and notable sources, or a domain-level email-posture report.

To keep this honest with a real, non-fabricated number from our own environment: in one of our demonstrations, a single domain's posture report drew on roughly 184,000 email scans for one week — collapsed into a short read an analyst could act on in seconds. The rule we hold: every summary must be traceable back to the query that produced it, so a human can verify rather than trust.

4. Trend Analysis — Patterns Across Time

The deepest use of the loop is aggregation over time. Is the malicious-and-blocked share of email drifting up week over week? Which log source's offense volume is climbing month over month? Where's the spike against the baseline?

Be precise about the mechanics here, because it's easy to overclaim: the model writes and interprets the aggregation queries; the numbers come from the tool. A GROUP BY in AQL, a server-side aggregation on the email platform — the model composes them and reads the result. It does not "detect trends" by magic. It removes the friction between an analyst's question and the data that answers it.

Grounded in Tools We Actually Built

None of the above is hypothetical for us. At QMasters we built two MCP servers to run exactly these workflows.

The first wraps IBM QRadar. It exposes read-only tools — offense summaries, a guided event search that turns questions into AQL, log-source and rule inspection — and it enforces a hard limit on any single query so an over-eager hunt can never degrade the SIEM. Every QRadar admin knows the pain of a runaway search; the guardrail is in the server, not left to good intentions.

The second wraps our email-security platform. It ships with a read surface — search, verdict-mix aggregation, quarantine review, and an account-posture report — and a small set of state-changing tools (release from quarantine, change a verdict) that are gated off by default. They exist. They stay dark until they're verified, because releasing a blocked email is the single highest-blast-radius action in the whole system.

Both were adversarially reviewed before we connected them to anything. That's the house pattern: read-only first, dangerous actions gated, server threat-modeled like any exposed service.

The Trust Question: Is It Safe to Connect AI to Production Security Data?

This is the question every CISO asks, and it deserves a direct answer rather than a reassuring one. Here's the doctrine we operate by.

  • Read-only first, as doctrine — not as a limitation. Both of our servers shipped read-only. Anything that mutates state is a separate class of tool, default-deny, off until explicitly enabled. If a mutation tool hasn't been verified, it stays off. That's a strength, and we say so out loud.
  • The server is the security boundary — not the model's good behavior. The server's credential carries only the scopes its tools need. The model can never do more than the server can do. Policy is never left to prompting.
  • Guardrails are deterministic and live in code. Query time limits, result-size and token caps, allowlisted operations — enforced server-side, unbypassable by any clever prompt.
  • Prompt injection from untrusted telemetry is real, and we plan for it. A SIEM is, by definition, full of attacker-authored text: log lines, email subjects, filenames, user-agents. All of it flows into the model's context as tool output. We treat every tool result as untrusted input. Read-only surfaces bound the blast radius — at worst an injected instruction yields a bad read or a skewed summary, never an action. Nothing consequential auto-executes off the back of telemetry content.
  • Audit parity, or better. Every tool call is logged — who asked, what query ran, what came back. An MCP session is at least as auditable as an analyst at a console, and arguably more, because the tool layer is a natural chokepoint.

And the honest boundary: the model proposes; the analyst disposes. Declaring an incident real, closing an offense, quarantining or releasing mail, anything reported to a customer or a regulator — a human owns that call. MCP removes the query-language barrier. It does not remove the analyst. One more thing worth stating plainly, because vendors gloss over it: MCP is a protocol, not a security control. Every safety property in this story comes from how the server is built, not from MCP itself.

Where to Start

If you run a SOC and want to try this without betting the store on it:

  1. Pick one tool and wrap it read-only. Your SIEM is the natural first choice — it's where the questions start.
  2. Give the server a least-privilege credential. Only the scopes its read tools need.
  3. Put the guardrails in code before you connect a model. Time limits, result caps, audit logging.
  4. Keep a human on every consequential decision. Let the model handle the asking and summarizing; keep disposition with the analyst.
  5. Add the second tool only once the first is trusted. The cross-tool pivot is the payoff — but it's earned, not assumed.

This is the thinking behind how QMasters runs managed detection and response and SOC operations: AI as leverage for senior judgment, on top of a SIEM and cyber threat intelligence foundation — with the guardrails built in, not bolted on. It's also the foundation of QMasters Agentic SOC. If you're weighing where AI fits in your own operation, that's a conversation we're happy to have as peers.

Frequently Asked Questions

What is Model Context Protocol (MCP)?

Model Context Protocol (MCP) is an open standard introduced by Anthropic in November 2024 that defines how an AI model connects to external systems through a common client-server interface. A server wraps a system — a SIEM, an email gateway, a ticketing tool — and exposes typed tools that any MCP-compatible AI client can discover, call, and chain. It has since been adopted across the major AI vendors.

How does MCP work with security tools like SIEM and EDR?

An MCP server sits in front of the security platform and exposes its capabilities as structured tools — for example, "search events" or "get offense summary." The AI client calls those tools, reads the results, and decides what to do next. The security tool does the heavy lifting (search, correlation, aggregation); the model composes the questions and interprets the answers.

Can AI agents actually investigate security incidents, or just summarize them?

Both, but they're different capabilities. Summarizing compresses one dataset into a readable form. Investigating means multi-step reasoning — pulling events, refining a query, and pivoting across tools to follow a lead. MCP enables the second by letting the model chain tool calls at run time, under an analyst's direction.

Is it safe to connect AI models directly to production security data via MCP?

It can be, if the server enforces the guarantees rather than trusting the model. The practical controls are: read-only access by default, least-privilege credentials, deterministic guardrails in code (time and result limits), treating all tool output as untrusted to contain prompt injection, full audit logging, and a human in the loop for any state-changing action.

What's the difference between MCP and traditional SOAR playbook automation?

SOAR runs pre-defined playbooks — a human decides the steps in advance. MCP lets the model decide the steps at run time based on what it finds. They're complementary: SOAR is deterministic automation for known workflows; MCP is flexible, analyst-supervised investigation for open-ended questions.

Does the AI make the security decisions?

No. The model proposes leads, drafts summaries, and runs read-only queries. Declaring an incident, closing an offense, quarantining or releasing mail, and anything reported to a customer or regulator stays with a human analyst. MCP removes the query-language bottleneck, not the judgment.

---

Gregori Nazarovsky is CTO of QMasters, where he leads the engineering behind the company's SOC, MDR, and detection platforms. The MCP servers described here were built and hardened in-house.

References

FAQ

Frequently asked questions.

  • Model Context Protocol (MCP) is an open standard introduced by Anthropic in November 2024 that defines how an AI model connects to external systems through a common client-server interface. A server wraps a system — a SIEM, an email gateway, a ticketing tool — and exposes typed tools that any MCP-compatible AI client can discover, call, and chain. It has since been adopted across the major AI vendors.

ABOUT THE AUTHOR

Gregori Nazarovsky, CTO — QMasters
CTO

Practitioners from the QMasters Security Operations Center. We run 24/7 monitoring, detection engineering, and incident response for organisations across regulated industries — and write here from the offense and defense work in front of us.

READY TO TUNE YOUR SIEM?

Tighter detections, fewer false positives.

Book a working session with a senior detection engineer. Bring a sample of your noisiest alerts and we will rebuild the rule with you.

Explore Managed Detection & Response

F-003 · CONSULTATION

Book 30 minutes. No slides.

A real working session with a SOC engineer — bring your alerts.