Connects to RocketCyber's Managed SOC platform with read-only access to security telemetry. You get 10 tools covering incidents, alerts, agents, events, firewalls, and Windows Defender status, plus three MCP resources for quick data queries. The server lazy-loads the SDK on first call and routes all logging to stderr to keep Claude's stdio transport clean. Use it when you need Claude to query security events, triage incidents, or pull endpoint data from RocketCyber without building custom API clients. Ships with both stdio and HTTP transports, though stdio is the default for Claude Desktop integration.
MCP (Model Context Protocol) server for the RocketCyber Managed SOC platform. Provides read-only access to RocketCyber security data through 10 tools and 3 resources.
> [!IMPORTANT]
> Before you click: this server depends on `@wyre-technology/node-rocketcyber`, which is hosted on the GitHub Packages npm registry. GitHub Packages has no anonymous access: even though the package is public, every `npm install` needs a token. The cloud builder runs `npm install` for you, so you must give it one, or the build fails with `npm error 401 Unauthorized ... npm.pkg.github.com`.
>
> - Create a GitHub Personal Access Token with the `read:packages` scope (classic token). Any GitHub account works; you do not need to be a member of the `wyre-technology` org to read its public packages.
> - Add it as a build variable when prompted by the deploy flow:
>   - Cloudflare Workers → set a build variable named `NODE_AUTH_TOKEN` to your PAT (Workers → Settings → Build → Variables and Secrets).
>   - DigitalOcean App Platform → set an encrypted env var named `GITHUB_TOKEN` with scope Build Time to your PAT (the Dockerfile reads it for the install).
This project depends on @wyre-technology/node-rocketcyber, published to the
GitHub Packages npm registry, which requires a token even for public packages.
Authenticate once, then install:
```bash
# Authenticate npm to GitHub Packages (token needs the read:packages scope)
export NODE_AUTH_TOKEN=$(gh auth token) # or a PAT with read:packages
npm install
npm run build
```
The repo's .npmrc already points the @wyre-technology scope at GitHub Packages and
reads the token from NODE_AUTH_TOKEN, so no further config is needed.
| Environment Variable | Required | Default | Description |
|---|---|---|---|
| `ROCKETCYBER_API_KEY` | Yes | - | RocketCyber API key |
| `ROCKETCYBER_REGION` | No | `us` | API region: `us` or `eu` |
| `MCP_TRANSPORT` | No | `stdio` | Transport type: `stdio` or `http` |
| `MCP_HTTP_PORT` | No | `8080` | HTTP port (when using http transport) |
| `MCP_HTTP_HOST` | No | `0.0.0.0` | HTTP host (when using http transport) |
| `LOG_LEVEL` | No | `info` | Log level: `error`, `warn`, `info`, `debug` |
| `LOG_FORMAT` | No | `simple` | Log format: `json` or `simple` |
Add to your Claude Desktop configuration (claude_desktop_config.json):
```json
{
  "mcpServers": {
    "rocketcyber": {
      "command": "node",
      "args": ["/path/to/rocketcyber-mcp/dist/entry.js"],
      "env": {
        "ROCKETCYBER_API_KEY": "your-api-key"
      }
    }
  }
}
```
```bash
ROCKETCYBER_API_KEY=your-api-key MCP_TRANSPORT=http npm start
```
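A pre-flight check for the variables in the configuration table above, as an added example rather than code from the rocketcyber-mcp project; `validateConfig` and its messages are hypothetical. It also flags the documented `MCP_HTTP_HOST` default of `0.0.0.0`, which makes the HTTP transport listen on every network interface.

```javascript
// Added example: validates the documented environment variables before start-up.
// validateConfig is a hypothetical helper, not part of the rocketcyber-mcp code base.
const ALLOWED = {
  ROCKETCYBER_REGION: ['us', 'eu'],
  MCP_TRANSPORT: ['stdio', 'http'],
  LOG_LEVEL: ['error', 'warn', 'info', 'debug'],
  LOG_FORMAT: ['json', 'simple'],
};
// Defaults copied from the configuration table.
const DEFAULTS = {
  ROCKETCYBER_REGION: 'us', MCP_TRANSPORT: 'stdio', MCP_HTTP_PORT: '8080',
  MCP_HTTP_HOST: '0.0.0.0', LOG_LEVEL: 'info', LOG_FORMAT: 'simple',
};
const WILDCARD_HOSTS = ['0.0.0.0', '::']; // IPv4 and IPv6 "all interfaces"

function validateConfig(env) {
  const cfg = { ...DEFAULTS };
  for (const k of Object.keys(DEFAULTS)) if (env[k]) cfg[k] = env[k];
  const errors = [];
  const warnings = [];

  if (!env.ROCKETCYBER_API_KEY || !env.ROCKETCYBER_API_KEY.trim()) {
    errors.push('ROCKETCYBER_API_KEY is required');
  }
  for (const [name, allowed] of Object.entries(ALLOWED)) {
    if (!allowed.includes(cfg[name])) {
      errors.push(`${name} must be one of: ${allowed.join(', ')}`);
    }
  }
  if (cfg.MCP_TRANSPORT === 'http') {
    const port = Number(cfg.MCP_HTTP_PORT);
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      errors.push('MCP_HTTP_PORT must be an integer between 1 and 65535');
    }
    if (WILDCARD_HOSTS.includes(cfg.MCP_HTTP_HOST)) {
      warnings.push(`MCP_HTTP_HOST=${cfg.MCP_HTTP_HOST} listens on every interface; ` +
        'set 127.0.0.1 unless the port is meant to be reachable from the network');
    }
  }
  // Never echo the key itself: report only whether it is present.
  const keyState = env.ROCKETCYBER_API_KEY ? '[set]' : '[missing]';
  const summary = { ...cfg, ROCKETCYBER_API_KEY: keyState };
  return { ok: errors.length === 0, errors, warnings, summary };
}

// Constructed sample: the HTTP start command above with the table's defaults.
const sample = validateConfig({ ROCKETCYBER_API_KEY: 'your-api-key', MCP_TRANSPORT: 'http' });
console.error(JSON.stringify(sample, null, 2)); // stderr keeps stdout free for stdio transport
```

With the HTTP start command as written, the check passes but returns one warning for the wildcard bind address; confirm what access control sits in front of the port before exposing it, since the server answers with the configured API key's read access.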
| Tool | Description |
|---|---|
| `rocketcyber_test_connection` | Test the connection to RocketCyber API |
| `rocketcyber_get_account` | Get account information |
| `rocketcyber_list_agents` | List monitored agents/endpoints |
| `rocketcyber_list_incidents` | List security incidents |
| `rocketcyber_list_events` | List security events |
| `rocketcyber_get_event_summary` | Get event summary/statistics |
| `rocketcyber_list_firewalls` | List firewall devices |
| `rocketcyber_list_apps` | List managed apps |
| `rocketcyber_get_defender` | Get Windows Defender status |
| `rocketcyber_get_office` | Get Office 365 status |
| URI | Description |
|---|---|
| `rocketcyber://account` | Account information |
| `rocketcyber://incidents` | Security incidents |
| `rocketcyber://agents` | Monitored agents/endpoints |
```bash
# Install dependencies
npm install
# Run in development mode
npm run dev
# Build
npm run build
# Start production server
npm start
```
| Environment Variable | Required | Default | Description |
|---|---|---|---|
| `ROCKETCYBER_API_KEY` | Yes | - | Secret. RocketCyber API key for authenticating to the Managed SOC API |
| `ROCKETCYBER_CUSTOMER_ID` | Yes | - | RocketCyber customer (tenant) identifier |
| `ROCKETCYBER_API_URL` | No | - | RocketCyber API base URL; override only if using a non-default region |
| `MCP_TRANSPORT` | No | `stdio` | Transport mode for the server. Set to 'stdio' for local CLI use; the image defaults to 'http' for gateway hosting. |
| `AUTH_MODE` | No | `env` | Credential source: 'env' reads vars locally, 'gateway' expects header injection from the WYRE MCP Gateway. |
| `LOG_LEVEL` | No | `info` | Log verbosity: debug, info, warn, error |