---
title: Security MCP Tools
description: >-
  Use AI agents to investigate security signals and analyze security findings
  with the Datadog MCP Server's security toolset.
breadcrumbs: Docs > Datadog Security > Security MCP Tools
---

# Security MCP Tools

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

The [Datadog MCP Server](https://docs.datadoghq.com/bits_ai/mcp_server.md) lets AI agents query your security data through the [Model Context Protocol (MCP)](https://modelcontextprotocol.io/). The `security` toolset gives AI clients like Cursor, Claude Code, and OpenAI Codex access to your security signals and findings, so you can investigate threats and analyze your security posture using natural language.

{% alert level="info" %}
This page covers the `security` toolset of the remote Datadog MCP Server. For the Code Security MCP Server, which runs locally and scans source code during development, see [Code Security MCP Server](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server.md).
{% /alert %}

### Use cases{% #use-cases %}

You can use the `security` toolset to:

- **Triage security signals**: Ask your AI agent to surface recent high-severity Cloud SIEM signals, App & API Protection alerts, or Workload Protection threats, and get a summary of patterns and affected resources.
- **Analyze your security posture**: Query findings across Cloud Security with SQL to understand the distribution of misconfigurations, vulnerabilities, and identity risks across your environment.
- **Investigate specific findings**: Retrieve full details for a set of findings to understand scope, affected resources, and remediation context.
- **Correlate signals and findings**: Cross-reference active security signals with open findings to determine whether an alert is tied to a known posture issue.
- **Remediate vulnerabilities with an AI agent**: Pull library vulnerability findings, including code location and remediation guidance, and pass them to your AI agent to apply patches directly in your codebase.

## Quickstart{% #quickstart %}

The `security` toolset is not enabled by default. You enable it by adding `security` to the `toolsets` query parameter of the MCP Server URL, which makes the security tools available to your AI client.

1. [Set up the Datadog MCP Server](https://docs.datadoghq.com/bits_ai/mcp_server/setup.md).
1. When connecting to the Datadog MCP Server, add `security` to the `toolsets` parameter. For example, for your [Datadog site](https://docs.datadoghq.com/getting_started/site.md), use:
   ```text
   https://mcp./api/unstable/mcp-server/mcp?toolsets=core,security
   ```

{% alert level="warning" %}
`security` must be listed in the `toolsets` parameter of the URL (for example, `?toolsets=core,security`). Otherwise, security tools are not available to your AI client, even if the MCP Server is otherwise connected and working.
{% /alert %}
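The following is an added example, not code from the Datadog documentation or from the MCP Server itself. It shows the check the warning above calls for: parse the MCP Server URL you are about to hand to an AI client, confirm that `security` is listed in `toolsets`, and add it (keeping `core` or any other toolset already present) if it is missing. The site host is a placeholder because this page elides it; substitute your own site.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Placeholder for the Datadog site, which this page elides; substitute your own.
SITE = "<YOUR_DATADOG_SITE>"
BASE_URL = f"https://mcp.{SITE}/api/unstable/mcp-server/mcp"


def enabled_toolsets(url: str) -> list[str]:
    """Return the toolsets named in the URL's `toolsets` query parameter."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    raw = query.get("toolsets", "")
    return [t.strip() for t in raw.split(",") if t.strip()]


def security_enabled(url: str) -> bool:
    """True only if `security` is one of the enabled toolsets."""
    return "security" in enabled_toolsets(url)


def with_toolset(url: str, toolset: str) -> str:
    """Return `url` with `toolset` added to `toolsets`, keeping any already listed."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    current = enabled_toolsets(url)
    if toolset not in current:
        current.append(toolset)
    query["toolsets"] = ",".join(current)
    # safe="," keeps the comma-separated list readable instead of encoding it as %2C.
    return urlunsplit(parts._replace(query=urlencode(query, safe=",")))


if __name__ == "__main__":
    url = BASE_URL + "?toolsets=core"
    print("security enabled:", security_enabled(url))       # False
    print("corrected URL:   ", with_toolset(url, "security"))
```

Run this against the exact URL string in your client configuration before connecting; a URL that parses as having `core` only is the most common reason the security tools silently fail to appear.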

## Available tools{% #available-tools %}

The `security` toolset exposes the following tools to your AI client. Each tool performs a specific action on your security data, such as searching for signals or analyzing findings. When you ask a question in natural language, your AI client calls these tools on your behalf to retrieve the information it needs. For general information on how to use MCP tools, see the [Datadog MCP Server Overview](https://docs.datadoghq.com/bits_ai/mcp_server.md).

{% dl %}

{% dt %}
`search_datadog_security_signals`
{% /dt %}

{% dd %}
Searches and retrieves security signals from Datadog, including Cloud SIEM signals, App & API Protection signals, and Workload Protection signals. Use this to surface and investigate suspicious activity.
{% /dd %}

{% dd %}
*Permissions required: `Security Signals Read`*
{% /dd %}

{% dt %}
`security_findings_schema`
{% /dt %}

{% dd %}
Returns the available fields and their types for security findings. Call this before using `analyze_security_findings` to discover which fields you can filter and group by. Supports filtering by finding type.
{% /dd %}

{% dd %}
*Permissions required: `Security Monitoring Findings Read`*
{% /dd %}

{% dt %}
`analyze_security_findings`
{% /dt %}

{% dd %}
Primary tool for analyzing security findings using SQL. Queries live data from the last 24 hours with support for aggregations, filtering, and grouping. Call `security_findings_schema` first to discover available fields.
{% /dd %}

{% dd %}
*Permissions required: `Security Monitoring Findings Read`, `Timeseries`*
{% /dd %}

{% dt %}
`search_security_findings`
{% /dt %}

{% dd %}
Retrieves full security finding objects. Use this when you need complete finding details or when SQL-based analysis is not sufficient. Prefer `analyze_security_findings` for most analysis tasks.
{% /dd %}

{% dd %}
*Permissions required: `Security Monitoring Findings Read`*
{% /dd %}

{% /dl %}
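The tool descriptions above establish two rules a client should enforce before it lets an agent call these tools: each tool requires specific permissions, and `security_findings_schema` should be called before `analyze_security_findings` so that queries only reference fields the schema exposes. The following is an added example, not part of the Datadog documentation or the MCP Server's own code. It models a client-side guard: the tool-to-permission table is taken from this page, while the backend call, the sample schema fields, and the `findings` table name are constructed assumptions for illustration only.

```python
import re

# Tool -> required permissions, as listed in the tool descriptions on this page.
TOOL_PERMISSIONS = {
    "search_datadog_security_signals": {"Security Signals Read"},
    "security_findings_schema": {"Security Monitoring Findings Read"},
    "analyze_security_findings": {"Security Monitoring Findings Read", "Timeseries"},
    "search_security_findings": {"Security Monitoring Findings Read"},
}

# Constructed stand-in for a security_findings_schema response. These field
# names are assumptions for illustration, not the real findings schema.
SAMPLE_SCHEMA = {
    "finding_type": "string",
    "status": "string",
    "severity": "string",
    "resource_type": "string",
    "evaluation_timestamp": "timestamp",
}

# SQL words that are never field names; "findings" is an assumed table name.
SQL_KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "group", "by", "order",
    "limit", "as", "count", "desc", "asc", "in", "is", "null", "findings",
}


def missing_permissions(tool: str, granted: set[str]) -> list[str]:
    """Permissions the caller still lacks for `tool` (empty list means allowed)."""
    return sorted(TOOL_PERMISSIONS[tool] - granted)


def referenced_fields(sql: str) -> set[str]:
    """Bare identifiers in `sql` that are not keywords, aliases or string literals."""
    no_strings = re.sub(r"'[^']*'", "''", sql)  # drop quoted literals
    aliases = {m.lower() for m in re.findall(r"\bas\s+([A-Za-z_]\w*)", no_strings, flags=re.I)}
    tokens = re.findall(r"\b[A-Za-z_][A-Za-z0-9_]*\b", no_strings)
    return {t for t in tokens if t.lower() not in SQL_KEYWORDS and t.lower() not in aliases}


class FindingsSession:
    """Guard around the findings tools: checks permissions, requires the
    schema call before analysis, and rejects queries that use unknown fields."""

    def __init__(self, granted: set[str], schema_tool=lambda: SAMPLE_SCHEMA):
        self.granted = granted
        self.schema_tool = schema_tool  # simulated backend call (constructed)
        self.schema: dict[str, str] | None = None

    def _authorize(self, tool: str) -> None:
        missing = missing_permissions(tool, self.granted)
        if missing:
            raise PermissionError(f"{tool} needs {', '.join(missing)}")

    def fetch_schema(self) -> dict[str, str]:
        self._authorize("security_findings_schema")
        self.schema = dict(self.schema_tool())
        return self.schema

    def validate_query(self, sql: str) -> list[str]:
        """Fields the query references that the fetched schema does not define."""
        if self.schema is None:
            raise RuntimeError("call fetch_schema() before analyze_security_findings")
        return sorted(referenced_fields(sql) - set(self.schema))

    def analyze(self, sql: str) -> str:
        """Return the query that would be passed to analyze_security_findings."""
        self._authorize("analyze_security_findings")
        unknown = self.validate_query(sql)
        if unknown:
            raise ValueError(f"unknown fields: {', '.join(unknown)}")
        return sql.strip()


if __name__ == "__main__":
    session = FindingsSession({"Security Monitoring Findings Read", "Timeseries"})
    session.fetch_schema()
    print(session.analyze(
        "SELECT finding_type, COUNT(*) AS n FROM findings "
        "WHERE status = 'open' GROUP BY finding_type ORDER BY n DESC LIMIT 10"
    ))
```

The permission check mirrors a least-privilege setup: a principal holding only `Security Monitoring Findings Read` can fetch the schema and retrieve findings but is refused `analyze_security_findings` until `Timeseries` is also granted. The field validation is deliberately simple (an identifier scan, not a SQL parser); its purpose is to catch an agent guessing field names before the query reaches the server.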

## Further reading{% #further-reading %}

- [Set Up the Datadog MCP Server](https://docs.datadoghq.com/bits_ai/mcp_server/setup.md)
- [Datadog MCP Server Overview](https://docs.datadoghq.com/bits_ai/mcp_server.md)
- [Security Signals](https://docs.datadoghq.com/security/threats/security_signals.md)
- [Security Findings](https://docs.datadoghq.com/security/guide/findings-schema.md?tab=library_vulnerability)
