Meta

• License: Apache Software License (Apache-2.0)
• Author: Panther Labs Inc
• Tags ai , mcp , mcp-server , panther , security
• Requires: Python >=3.12

Classifiers

• Development Status
  • 4 - Beta
• Intended Audience
  • Developers
  • Information Technology
  • System Administrators
• License
  • OSI Approved :: Apache Software License
• Programming Language
  • Python :: 3.12
• Topic
  • Scientific/Engineering :: Artificial Intelligence
  • Security
  • Software Development :: Libraries :: Python Modules
  • System :: Systems Administration
  • Utilities
• Typing
  • Typed

Panther MCP Server

👁 Ruff

Panther's Model Context Protocol (MCP) server provides functionality to:

1. Write and tune detections from your IDE
2. Interactively query security logs using natural language
3. Triage, comment, and resolve one or many alerts

👁 Panther Server MCP server

Available Tools

Panther Configuration

Follow these steps to configure your API credentials and environment.

1. Create an API token in Panther:

   • Navigate to Settings (gear icon) → API Tokens

   • Create a new token with the following permissions (recommended read-only approach to start):

2. Store the generated token securely (e.g., 1Password)

3. Copy the Panther instance URL from your browser (e.g., https://YOUR-PANTHER-INSTANCE.domain)

   • Note: This must include https://

MCP Server Installation

Choose one of the following installation methods:

Docker (Recommended)

The easiest way to get started is using our pre-built Docker image:

{
"mcpServers":{
"mcp-panther":{
"command":"docker",
"args":[
"run",
"-i",
"-e","PANTHER_INSTANCE_URL",
"-e","PANTHER_API_TOKEN",
"--rm",
"ghcr.io/panther-labs/mcp-panther"
],
"env":{
"PANTHER_INSTANCE_URL":"https://YOUR-PANTHER-INSTANCE.domain",
"PANTHER_API_TOKEN":"YOUR-API-KEY"
}
}
}
}

Version Pinning: For production stability, pin to a specific version tag:

"ghcr.io/panther-labs/mcp-panther:v2.2.0"

Available tags can be found on the GitHub Container Registry.

UVX

For Python users, you can run directly from PyPI using uvx:

1. Install UV

2. Configure your MCP client:

{
"mcpServers":{
"mcp-panther":{
"command":"uvx",
"args":["mcp-panther"],
"env":{
"PANTHER_INSTANCE_URL":"https://YOUR-PANTHER-INSTANCE.domain",
"PANTHER_API_TOKEN":"YOUR-PANTHER-API-TOKEN"
}
}
}
}

Version Pinning: For production stability, pin to a specific version:

"args":["mcp-panther==2.2.0"]

Available versions can be found on PyPI.

MCP Client Setup

Cursor

Follow the instructions here to configure your project or global MCP configuration. It's VERY IMPORTANT that you do not check this file into version control.

Once configured, navigate to Cursor Settings > MCP to view the running server:

👁 Cursor MCP Configuration Screenshot

Tips:

• Be specific about where you want to generate new rules by using the @ symbol and then typing a specific directory.
• For more reliability during tool use, try selecting a specific model, like Claude 3.7 Sonnet.
• If your MCP Client is failing to find any tools from the Panther MCP Server, try restarting the Client and ensuring the MCP server is running. In Cursor, refresh the MCP Server and start a new chat.

Claude Code

Claude Code is Anthropic's official CLI tool. Add the Panther MCP server using Docker:

claudemcpadd-jsonpanther'{
 "command": "docker",
 "args": [
 "run",
 "-i",
 "-e", "PANTHER_INSTANCE_URL",
 "-e", "PANTHER_API_TOKEN",
 "--rm",
 "ghcr.io/panther-labs/mcp-panther"
 ],
 "env": {
 "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
 "PANTHER_API_TOKEN": "YOUR-API-TOKEN"
 }
}'

Alternatively, using UVX:

claudemcpadd-jsonpanther'{
 "command": "uvx",
 "args": ["mcp-panther"],
 "env": {
 "PANTHER_INSTANCE_URL": "https://YOUR-PANTHER-INSTANCE.domain",
 "PANTHER_API_TOKEN": "YOUR-API-TOKEN"
 }
}'

After adding, verify the server is configured:

claudemcplist

Claude Desktop

To use with Claude Desktop, manually configure your claude_desktop_config.json:

1. Open the Claude Desktop settings and navigate to the Developer tab
2. Click "Edit Config" to open the configuration file
3. Add the following configuration:

{
"mcpServers":{
"mcp-panther":{
"command":"uvx",
"args":["mcp-panther"],
"env":{
"PANTHER_INSTANCE_URL":"https://YOUR-PANTHER-INSTANCE.domain",
"PANTHER_API_TOKEN":"YOUR-PANTHER-API-TOKEN"
}
}
}
}

4. Save the file and restart Claude Desktop

If you run into any issues, try the troubleshooting steps here.

Goose CLI

Use with Goose CLI, Block's open-source AI agent:

# Start Goose with the MCP server
goosesession--with-extension"uvx mcp-panther"

Goose Desktop

Use with Goose Desktop, Block's open-source AI agent:

From 'Extensions' -> 'Add custom extension' provide your configuration information.

👁 Image

Running the Server

The MCP Panther server supports multiple transport protocols:

STDIO (Default)

For local development and MCP client integration:

uvrunpython-mmcp_panther.server

Streamable HTTP

For running as a persistent web service, use the HTTP transport. This is ideal for:

• Long-running server deployments
• Multiple clients connecting to the same server
• Testing and debugging with continuous log monitoring

Using Docker Run (Detached)

dockerrun-d\
--namepanther-mcp-server\
-p8000:8000\
-ePANTHER_INSTANCE_URL=https://YOUR-PANTHER-INSTANCE.domain\
-ePANTHER_API_TOKEN=YOUR-API-TOKEN\
-eMCP_TRANSPORT=streamable-http\
-eMCP_HOST=0.0.0.0\
-eMCP_PORT=8000\
-eLOG_LEVEL=INFO\
--restartunless-stopped\
ghcr.io/panther-labs/mcp-panther:latest

Using Docker Compose (Recommended)

Create a docker-compose.yml file:

services:
panther-mcp:
image:ghcr.io/panther-labs/mcp-panther:latest
container_name:panther-mcp-server
ports:
-"8000:8000"
environment:
-PANTHER_INSTANCE_URL=https://YOUR-PANTHER-INSTANCE.domain
-PANTHER_API_TOKEN=YOUR-API-TOKEN
-MCP_TRANSPORT=streamable-http
-MCP_HOST=0.0.0.0
-MCP_PORT=8000
-LOG_LEVEL=INFO
restart:unless-stopped

Start the server:

# Start in detached mode
docker-composeup-d

# View logs
docker-composelogs-f

# Stop the server
docker-composedown

Connecting Claude Code to HTTP Server

Important: The server runs on HTTP (not HTTPS). Configure Claude Code with the http:// URL:

# Add the HTTP endpoint (note: http:// not https://)
claudemcpadd-jsonpanther-http'{
 "url": "http://localhost:8000/mcp"
}'

# Verify configuration
claudemcplist

Testing the Connection

# Test the HTTP endpoint
curlhttp://localhost:8000/mcp

# View server logs
dockerlogs-fpanther-mcp-server
# Or with docker-compose:
docker-composelogs-f

You can also test using the FastMCP client:

importasyncio
fromfastmcpimport Client

async deftest_connection():
 async with Client("http://localhost:8000/mcp") as client:
 tools = await client.list_tools()
 print(f"Available tools: {len(tools)}")

asyncio.run(test_connection())

Troubleshooting Streamable HTTP

Port Already in Use

If you see Bind for 0.0.0.0:8000 failed: port is already allocated:

# Check what's using the port
lsof-i:8000

# Stop conflicting containers
dockerps|greppanther
dockerstop<container-id>

# Or use a different port via MCP_PORT environment variable:
-eMCP_PORT=8080
# Then connect to: http://localhost:8080/mcp

Invalid HTTP Request Warnings

If you see WARNING: Invalid HTTP request received in the logs, this usually means:

• Claude Code is trying to connect via HTTPS instead of HTTP
• Check your configuration uses http:// not https://
• Verify with: claude mcp list

Environment Variables

• MCP_TRANSPORT: Set transport type (stdio or streamable-http)
• MCP_PORT: Port for HTTP transport (default: 3000)
• MCP_HOST: Host for HTTP transport (default: 127.0.0.1)
• MCP_LOG_FILE: Log file path (optional)

Security Best Practices

We highly recommends the following MCP security best practices:

• Apply strict least-privilege to Panther API tokens. Scope tokens to the minimal permissions required and bind them to an IP allow-list or CIDR range so they're useless if exfiltrated. Rotate credentials on a preferred interval (e.g., every 30d).
• Host the MCP server in a locked-down sandbox (e.g., Docker) with read-only mounts. This confines any compromise to a minimal blast radius.
• Monitor credential access to Panther and monitor for anomalies. Write a Panther rule!
• Run only trusted, officially signed MCP servers. Verify digital signatures or checksums before running, audit the tool code, and avoid community tools from unofficial publishers.

Troubleshooting

Check the server logs for detailed error messages: tail -n 20 -F ~/Library/Logs/Claude/mcp*.log. Common issues and solutions are listed below.

Running tools

• If you get a {"success": false, "message": "Failed to [action]: Request failed (HTTP 403): {\"error\": \"forbidden\"}"} error, it likely means your API token lacks the particular permission needed by the tool.
• Ensure your Panther Instance URL is correctly set. You can view this in the config://panther resource from your MCP Client.

Contributing

We welcome contributions to improve MCP-Panther! Here's how you can help:

1. Report Issues: Open an issue for any bugs or feature requests
2. Submit Pull Requests: Fork the repository and submit PRs for bug fixes or new features
3. Improve Documentation: Help us make the documentation clearer and more comprehensive
4. Share Use Cases: Let us know how you're using MCP-Panther and what could make it better

Please ensure your contributions follow our coding standards and include appropriate tests and documentation.

Contributors

This project exists thanks to all the people who contribute. Special thanks to Tomasz Tchorz and Glenn Edwards from Block, who played a core role in launching MCP-Panther as a joint open-source effort with Panther.

See our CONTRIBUTORS.md for a complete list of contributors.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Verified details

These details have been verified by PyPI

Maintainers

👁 Avatar for panther from gravatar.com
panther

Unverified details

These details have not been verified by PyPI

Project links

• Homepage
• Repository

• Download URL: mcp_panther-2.3.1.tar.gz
• Upload date: Mar 5, 2026
• Size: 561.5 kB
• Tags: Source
• Uploaded using Trusted Publishing? No
• Uploaded via: twine/6.2.0 CPython/3.12.12

Hashes for mcp_panther-2.3.1.tar.gz

Algorithm	Hash digest
SHA256	5192d99fa31dab1cefab0d7e86c36034a377f3241f004476827c3969c5455984
MD5	c2aabff635e6a2cbce8a4f615a9641c0
BLAKE2b-256	d6d3753efdc64e56ba6f7c10ed48f0441435fb02d8fb85b9140b51fe88fa20a7

See more details on using hashes here.

• Download URL: mcp_panther-2.3.1-py3-none-any.whl
• Upload date: Mar 5, 2026
• Size: 72.6 kB
• Tags: Python 3
• Uploaded using Trusted Publishing? No
• Uploaded via: twine/6.2.0 CPython/3.12.12

Hashes for mcp_panther-2.3.1-py3-none-any.whl

Algorithm	Hash digest
SHA256	ce39dff7ed195d0e3efcfb9bd84db03ae3850344a22451581184c72f893f8429
MD5	66e7452d7609ed46559d50b40e3fa107
BLAKE2b-256	5d0b75df0070a26a53fee5806a203a81a62e06803e771444c86803df4cf59383

See more details on using hashes here.