Summary
Turns 323 structured cybersecurity prompts and 7 chained workflows into MCP tools that Claude can call directly. Instead of copy-pasting IR playbooks or pentest methodologies, you ask Claude to run an incident response for a Splunk alert or audit your AWS IAM, and it walks through detection, containment, eradication with concrete commands at each step. Covers red team AD attacks, blue team detection engineering, SOC queries for Splunk/Sentinel/Elastic, cloud audits across AWS/Azure/GCP, OSINT footprinting, GRC frameworks like ISO 27001, CVE triage, and LLM red teaming. Prompts are tagged to MITRE ATT&CK tactics. Useful when you want repeatable security operations without maintaining your own prompt library, or when running purple team exercises that need coverage across the kill chain.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
cybersec-mcp
MCP server with 323 cybersecurity prompts and 7 chained workflows. Install it and Claude (or any MCP-compatible client) can run an incident-response plan, a cloud audit, or a pentest by calling tools instead of you copy-pasting prompts.
Live demo · MIT License · Model Context Protocol
Install
npx -y @xu-c0/cybersec-mcp
Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%\Claude\claude_desktop_config.json on Windows):
{
"mcpServers": {
"cybersec": {
"command": "npx",
"args": ["-y", "@xu-c0/cybersec-mcp"]
}
}
}
Then:
Use cybersec to plan an incident response for unusual outbound traffic from a SIEM-flagged host. SIEM is Splunk, EDR is CrowdStrike.
The agent picks the incident-response scenario, fills your variables in, and walks through detection, triage, containment, eradication, and post-mortem with concrete commands at each step.
Tools
323 prompts across 8 categories. Every prompt takes typed variables and returns output in a defined shape (steps, tables, SIEM queries, MITRE tags).
| Category | Prompts | Covers |
|---|---|---|
| Red Team | 45 | Pentest methodology, AD attack paths, C2 infra, social engineering |
| Blue Team | 42 | Log analysis, IR playbooks, detection engineering, deception |
| SOC Operations | 42 | Splunk/Sentinel/Elastic queries, alert triage, runbooks, shift handover |
| Cloud Security | 38 | AWS/Azure/GCP audits, IAM, container security, CSPM |
| OSINT | 38 | Domain intel, threat actor profiling, footprinting, attribution |
| GRC | 38 | ISO 27001, SOC 2, NIST CSF, risk assessment, policy generation |
| Vulnerability Analysis | 42 | CVE triage, CVSS 4.0, patch prioritization, pentest reports |
| AI Agent Security | 38 | LLM red teaming, prompt injection, agent guardrails, supply chain |
Source: content/prompts-master.md → generated web-app/js/data.js.
Scenarios
Seven end-to-end workflows that chain prompts and pass variables between steps:
- Web App Penetration Test — recon → mapping → fingerprinting → API testing → exploitation → post-exploit → reporting
- Incident Response — detection → log investigation → severity → containment → eradication → comms → lessons learned
- Cloud Security Audit — IAM → network → storage → database → logging → compliance
- Bug Bounty Recon — subdomains → ports → tech → OSINT → surface → vuln assessment
- Compliance Audit (ISO 27001) — scoping → risk → controls → evidence → gaps → docs
- Threat Hunting — hypothesis → query design → pivot → validation → response
- AI Security Assessment — inventory → access control → red team → prompt injection → supply chain → monitoring
Definitions live in web-app/js/scenarios.js.
Web demo
cybersec-mcp.vercel.app — browse every prompt, fill in variables, copy the rendered text into any LLM. Dark mode, English / 한국어 / 日本語, no signup. Same data as the MCP server, different interface.
Useful when you want to inspect what a tool will send before wiring up the server, or hand a teammate a one-off prompt.
ATT&CK mapping
Red team, blue team, and SOC prompts are tagged to MITRE ATT&CK tactics. The full mapping is in ATTACK_MATRIX.md — useful for purple-team exercises and detection-coverage reviews.
Layout
mcp/ MCP server (TypeScript, in progress)
web-app/ Static demo deployed to Vercel
content/ prompts-master.md — prompt source of truth
examples/ Client configs (Claude Desktop, Cursor, Claude Code)
parse_prompts.py regenerates web-app/js/data.js from content/prompts-master.md.
Contributing
PRs welcome — new prompts, MITRE tags, scenario workflows, translations, MCP tool fixes. Schema and quality bar in CONTRIBUTING.md.
This project is for authorized security testing, defensive operations, security research, and education. PRs promoting unauthorized access will be rejected. See CODE_OF_CONDUCT.md.
License
MIT — see LICENSE. MITRE ATT&CK® is a registered trademark of The MITRE Corporation; this project is not affiliated with MITRE.
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →