# Introducing the Cortex MCP Server

By [Abigael Levy](https://www.paloaltonetworks.com/blog/author/abigal-levy/?ts=markdown "Posts by Abigael Levy") and [Tarin Waizman](https://www.paloaltonetworks.com/blog/author/tarin-waizman/?ts=markdown "Posts by Tarin Waizman")

Dec 04, 2025 | 5 minutes

## **Real-time Intelligence from Cortex XSIAM, XDR and Cloud, Natively in Your LLM of Choice**

At Palo Alto Networks, we're redefining what AI means for security teams. While we embed powerful AI capabilities natively across Cortex, we strongly believe that security operations must be "open by default" to any trusted data source, third-party tool, or capability. When we work together as an industry, our customers win, and the adversary loses.

We are excited to announce the launch of the Cortex MCP Server, a significant advancement in our commitment to AI-native security operations. With this [release](https://www.paloaltonetworks.com/blog/security-operations/whats-new-in-cortex/), any AI client that supports MCP can now directly interact with Cortex, empowering customers to seamlessly connect, integrate, and extend our industry-leading capabilities into the AI tools of their choice.

At its core is the Model Context Protocol (MCP), a standard introduced by Anthropic in November 2024 that is rapidly gaining traction across the AI industry. MCP acts as a common language, helping AI models work seamlessly with other tools, software, and information sources by reducing the time and effort typically needed for custom integrations.

Currently in open beta, the Cortex MCP Server brings real-time intelligence from Cortex to your preferred LLM application, such as Claude for Desktop.
This allows you to leverage Cortex data and insights directly within your existing AI workflows, making it accessible via natural language queries, complementing the native Cortex Agentic Assistant already available within the platform.

This server was built for operational simplicity and flexible customization. You get full control over how and where it runs, with the flexibility to deploy it locally in your preferred environment. Out of the box, you can immediately use prebuilt tools to query and retrieve key Cortex data, including issues, cases, assets, endpoints, compliance results, and tenant metadata, so you can start building value on day one. As your needs grow, you can add custom tools for specific security processes or new automation scenarios. A built-in auto-update mechanism ensures you receive the latest Palo Alto Networks releases while preserving your custom configurations, giving you both innovation and stability.

The Cortex MCP Server allows teams to use the platform's industry-leading capabilities within their LLM or AI workflow of choice, benefiting:

* **Case Management:** Streamlines the handling and prioritization of security incidents, allowing security analysts to use LLM-powered guidance to review, prioritize, and update cases more efficiently. An analyst can ask, "What are my top open cases?" They can manage the severity and status of cases, and add notes, all with the added context, reasoning, and summarization that the LLM provides.
* **Investigation:** Empowers security teams with enhanced visibility and the ability to query their security data in natural language with their LLM of choice, in addition to Cortex's native Agentic Assistant. For example, an analyst might want to estimate the blast radius of a specific indicator of compromise (IOC).
* **Collaboration:** Delivers a flexible orchestration layer for aiding and accelerating complex investigations involving multiple stakeholders and teams, helping analysts capture insights, share updates, and stay coordinated across investigations when using third-party AI workflow solutions.

## **A Day in the Life: SOC Analyst with Claude for Desktop**

While Cortex offers best-in-class native AI for security operations, we recognize that you might wish to use another LLM tool as part of your broader AI ecosystem. Since Cortex is an open platform with industry-leading data, you can engage with it through external tools like Claude for Desktop. A SOC analyst using Claude for Desktop can utilize the Cortex MCP Server to engage with Claude in natural language to conduct investigations.

### **Case Triage and Prioritization**

The analyst starts by asking Claude to query the Cortex MCP Server for high-severity or urgent cases. In seconds, Claude pulls rich context from the [Cortex Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl), showing related issues, detailing affected assets and IOCs, showing the case timeline, and noting any automated actions already taken. With this full picture, the analyst can immediately identify which incidents require attention and prioritize them accordingly.

### **Investigation and Impact Assessment**

Next, the analyst prompts Claude to help investigate the most critical case. The MCP Server enables the streamlined extraction of rich data from the Cortex platform, including event timelines, related assets and indicators, and detailed asset context, such as group, cloud account, type, and exposure level. Claude then lets the analyst tailor how that information is displayed, adjusting visualizations and views to fit the investigation. This allows the analyst to quickly gauge the business impact and determine whether escalation is warranted.

### **Case Enrichment and Collaboration**

As the investigation unfolds, the analyst uses Claude to summarize findings, capture notes, and enrich the case - all through simple natural-language prompts. This makes collaboration effortless, keeping the case record clear and up-to-date.

## **Integrating AI into Your Daily Routine**

The Cortex MCP Server represents a significant leap forward in integrating AI into your daily security operations. It simplifies communication between AI models and the Cortex platform, enhancing efficiency, accelerating investigations, and strengthening overall cyber defenses.

Want to see what AI-driven automation can do for your SOC? Schedule your [Cortex XSIAM demo](https://www.paloaltonetworks.com/cortex/request-demo) now.