Connects Claude to Abnormal Security's threat detection platform via their REST API. You get tools to query detected threats, inspect individual messages with AI analysis breakdowns, trigger email remediation actions, review abuse mailbox reports, and manage security investigation cases. Uses a decision tree pattern where you call abnormal_navigate first to pick a domain (threats, messages, remediation, abuse, or cases), then access domain-specific operations. Supports both standalone mode with direct API token auth and gateway mode for hosted deployments. Reach for this when you need Claude to triage email security incidents, investigate phishing campaigns, or automate response workflows against Abnormal's threat intelligence.
MCP server for Abnormal Security — AI-powered threat detection, case management, and email remediation.
This server uses a decision-tree architecture. Start by calling abnormal_navigate to select a domain, then use the domain-specific tools.
| Domain | Tool | Description |
|---|---|---|
| Navigation | abnormal_navigate | Navigate to a domain (threats, messages, remediation, abuse, cases) |
| Navigation | abnormal_back | Return to domain selection |
| Threats | abnormal_threats_list | List detected threat cases (paginated) |
| Threats | abnormal_threats_get | Get full details of a specific threat by ID |
| Messages | abnormal_messages_list | List messages within a threat case |
| Messages | abnormal_messages_get | Get detailed message analysis (headers, URLs, attachments, AI analysis) |
| Remediation | abnormal_remediation_manage | Trigger or check remediation actions for a message |
| Abuse | abnormal_abuse_list | List phishing emails reported via the Abuse Mailbox |
| Cases | abnormal_cases_list | List active security investigation cases |
| Cases | abnormal_cases_get | Get details of a specific case |
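The decision-tree gating described above, as an added example (not the server's own code): a small session model in which only abnormal_navigate is callable until a domain is chosen, after which only that domain's tools plus abnormal_back are exposed. The tool names come from the table; the Session class, the invoke callback and the audit trail are assumptions about how such gating could be implemented.

```typescript
// Added example of decision-tree tool gating. Not the project's code; the
// Session/invoke/audit design is assumed, tool names are from the page.

type Domain = "threats" | "messages" | "remediation" | "abuse" | "cases";

const DOMAIN_TOOLS: Record<Domain, string[]> = {
  threats: ["abnormal_threats_list", "abnormal_threats_get"],
  messages: ["abnormal_messages_list", "abnormal_messages_get"],
  remediation: ["abnormal_remediation_manage"],
  abuse: ["abnormal_abuse_list"],
  cases: ["abnormal_cases_list", "abnormal_cases_get"],
};

const DOMAINS = Object.keys(DOMAIN_TOOLS) as Domain[];

export interface ToolResult {
  ok: boolean;
  message: string;
  data?: unknown;
}

/** Callback that performs the real API call once a tool passes the gate (assumed). */
export type Invoker = (tool: string, args: Record<string, unknown>) => unknown;

export class Session {
  private domain: Domain | null = null;
  /** Append-only record of navigation and tool calls, useful for review after an incident. */
  readonly audit: string[] = [];

  constructor(private readonly invoke: Invoker) {}

  currentDomain(): Domain | null {
    return this.domain;
  }

  /** Tools the client may call in the current state of the tree. */
  availableTools(): string[] {
    return this.domain === null
      ? ["abnormal_navigate"]
      : ["abnormal_back", ...DOMAIN_TOOLS[this.domain]];
  }

  call(tool: string, args: Record<string, unknown> = {}): ToolResult {
    if (tool === "abnormal_navigate") {
      const d = args.domain;
      if (typeof d !== "string" || !DOMAINS.includes(d as Domain)) {
        return { ok: false, message: `unknown domain; choose one of ${DOMAINS.join(", ")}` };
      }
      this.domain = d as Domain;
      this.audit.push(`navigate -> ${d}`);
      return { ok: true, message: `entered ${d}; tools: ${DOMAIN_TOOLS[this.domain].join(", ")}` };
    }
    if (tool === "abnormal_back") {
      this.domain = null;
      this.audit.push("back -> domain selection");
      return { ok: true, message: "returned to domain selection" };
    }
    // Gate: a domain tool is only reachable after the matching abnormal_navigate call.
    if (!this.availableTools().includes(tool)) {
      this.audit.push(`rejected ${tool} (domain=${this.domain ?? "none"})`);
      return { ok: false, message: `${tool} is not available here; call abnormal_navigate first` };
    }
    this.audit.push(`call ${tool}`);
    return { ok: true, message: `ran ${tool}`, data: this.invoke(tool, args) };
  }
}
```

The invoke callback is where the actual REST request would go; keeping it outside the Session means the gating logic can be unit-tested without network access, and the audit array gives a reviewer the sequence of domain changes and tool calls that led to a remediation action.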
Abnormal Security uses Bearer token authentication.

```bash
export ABNORMAL_API_TOKEN=your-api-token
node dist/index.js
```

Generate your token in the Abnormal portal under Settings > Integrations > API.
When deployed behind the MCP gateway, set AUTH_MODE=gateway. The gateway injects the Authorization: Bearer {token} header automatically on each request.
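Credential resolution for the two modes described above (standalone env-token auth and gateway header injection), as an added example rather than the server's own code. The variable names ABNORMAL_API_TOKEN and AUTH_MODE are from the page; the function names, the AuthError type and the redact helper are assumptions.

```typescript
// Added example: pick the Bearer credential according to AUTH_MODE.
// Not the project's code; env var names are from the page, everything else is assumed.

export type AuthMode = "env" | "gateway";

export interface RequestLike {
  headers: Record<string, string | undefined>;
}

export class AuthError extends Error {}

/** AUTH_MODE defaults to 'env'; anything other than the two known values is refused. */
export function parseAuthMode(value: string | undefined): AuthMode {
  const v = (value ?? "env").trim().toLowerCase();
  if (v === "env" || v === "gateway") return v;
  throw new AuthError(`AUTH_MODE must be 'env' or 'gateway', got '${value}'`);
}

/** Extract the token from an `Authorization: Bearer <token>` header value, or null if malformed. */
export function bearerFromHeader(value: string | undefined): string | null {
  if (!value) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return m ? m[1] : null;
}

/** Case-insensitive header lookup, since HTTP header names are not case-sensitive. */
function header(req: RequestLike | undefined, name: string): string | undefined {
  if (!req) return undefined;
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(req.headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

/**
 * In 'env' mode the token comes from ABNORMAL_API_TOKEN; in 'gateway' mode it must
 * arrive on the incoming request, injected by the gateway, and the env var is ignored.
 */
export function resolveToken(
  mode: AuthMode,
  env: Record<string, string | undefined>,
  req?: RequestLike,
): string {
  if (mode === "env") {
    const t = env.ABNORMAL_API_TOKEN;
    if (!t) throw new AuthError("ABNORMAL_API_TOKEN is not set");
    return t;
  }
  const t = bearerFromHeader(header(req, "authorization"));
  if (!t) throw new AuthError("gateway mode: missing or malformed Authorization header");
  return t;
}

/** Header to attach to outbound Abnormal API requests. */
export function outboundHeaders(token: string): Record<string, string> {
  return { Authorization: `Bearer ${token}` };
}

/** Keep only the last 4 characters so a token never lands in logs whole. */
export function redact(token: string): string {
  return token.length <= 4 ? "****" : "****" + token.slice(-4);
}
```

Keeping the two sources strictly separate matters in gateway mode: if the server fell back to ABNORMAL_API_TOKEN when the injected header was absent, a misconfigured gateway would silently act with the container's own credential instead of the caller's, so the example fails closed instead.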
```bash
npm install
npm run build
node dist/index.js
```

HTTP transport in gateway mode:

```bash
MCP_TRANSPORT=http AUTH_MODE=gateway node dist/index.js
```

Or with Docker:

```bash
docker compose up
```
```bash
npm install
npm run dev        # watch mode
npm test           # run tests
npm run typecheck  # TypeScript type check
```
Apache-2.0
| Variable | Default | Description |
|---|---|---|
| ABNORMAL_API_TOKEN | required (secret) | Abnormal Security API token (Bearer credential) |
| MCP_TRANSPORT | stdio | Transport mode for the server. Set to 'stdio' for local CLI use; the image defaults to 'http' for gateway hosting. |
| AUTH_MODE | env | Credential source: 'env' reads vars locally, 'gateway' expects header injection from the WYRE MCP Gateway. |
| LOG_LEVEL | info | Log verbosity: debug, info, warn, error |
io.github.mindstone/mcp-server-microsoft-teams
com.mintmcp/outlook-email
helbertparanhos/resend-email-mcp
marlinjai/email-mcp
io.github.mindstone/mcp-server-email-imap
io.github.osamahassouna/email-playbook-mcp