
Security MCP Tools


Overview

The Datadog MCP Server lets AI agents query your security data through the Model Context Protocol (MCP). The security toolset gives AI clients like Cursor, Claude Code, and OpenAI Codex access to your security signals and findings, so you can investigate threats and analyze your security posture using natural language.

This page covers the security toolset of the remote Datadog MCP Server. For the Code Security MCP Server, which runs locally and scans source code during development, see Code Security MCP Server.

Use cases

You can use the security toolset to:

  • Triage security signals: Ask your AI agent to surface recent high-severity Cloud SIEM signals, App & API Protection alerts, or Workload Protection threats, and get a summary of patterns and affected resources.
  • Analyze your security posture: Query findings across Cloud Security with SQL to understand the distribution of misconfigurations, vulnerabilities, and identity risks across your environment.
  • Investigate specific findings: Retrieve full details for a set of findings to understand scope, affected resources, and remediation context.
  • Correlate signals and findings: Cross-reference active security signals with open findings to determine whether an alert is tied to a known posture issue.
  • Remediate vulnerabilities with an AI agent: Pull library vulnerability findings, including code location and remediation guidance, and pass them to your AI agent to apply patches directly in your codebase.

Quickstart

The security toolset is not enabled by default. You enable it by adding the toolsets parameter to the MCP Server URL, which makes the security tools available to your AI client.

  1. Set up the Datadog MCP Server.
  2. When connecting to the Datadog MCP Server, add security to the toolsets parameter. For example, for your Datadog site (), use:
    https://mcp./api/unstable/mcp-server/mcp?toolsets=core,security
    
The toolsets parameter in the URL must include security (for example, toolsets=core,security). Otherwise, security tools are not available to your AI client, even if the MCP Server is otherwise connected and working.
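Because a URL that simply lacks the parameter still connects, the missing toolset is easy to overlook when the URL is assembled by hand or by a configuration template. The Python helper below is an added example, not code from Datadog or this page: it parses the toolsets parameter as a comma-separated list (so a naive substring match cannot be fooled by an unrelated value) and rebuilds the URL with security added when it is missing. The host mcp.example.invalid is a constructed placeholder for your site-specific MCP host.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECURITY_TOOLSET = "security"
# Placeholder host; replace with the MCP host for your Datadog site.
EXAMPLE_URL = "https://mcp.example.invalid/api/unstable/mcp-server/mcp?toolsets=core"


def toolsets_in_url(url: str) -> list[str]:
    """Return every toolset named in the URL's toolsets parameter(s), in order."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    names = [t.strip() for k, v in params if k == "toolsets" for t in v.split(",")]
    return [n for n in names if n]


def has_security_toolset(url: str) -> bool:
    """True only if 'security' appears as a distinct entry in the toolsets list."""
    return SECURITY_TOOLSET in toolsets_in_url(url)


def ensure_security_toolset(url: str) -> str:
    """Return the URL with 'security' added to toolsets.

    Other query parameters and existing toolsets are preserved; duplicate
    toolset names are collapsed; a URL without any toolsets gets toolsets=security.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    others = [(k, v) for k, v in params if k != "toolsets"]
    merged = list(dict.fromkeys(toolsets_in_url(url) + [SECURITY_TOOLSET]))
    # safe="," keeps the comma separator readable instead of encoding it as %2C.
    query = urlencode(others + [("toolsets", ",".join(merged))], safe=",")
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    print("security enabled:", has_security_toolset(EXAMPLE_URL))
    print("corrected URL:   ", ensure_security_toolset(EXAMPLE_URL))
```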

Available tools

The security toolset exposes the following tools to your AI client. Each tool performs a specific action on your security data, such as searching for signals or analyzing findings. When you ask a question in natural language, your AI client calls these tools on your behalf to retrieve the information it needs. For general information on how to use MCP tools, see the Datadog MCP Server Overview.

search_datadog_security_signals
Searches and retrieves security signals from Datadog, including Cloud SIEM signals, App & API Protection signals, and Workload Protection signals. Use this to surface and investigate suspicious activity.
Permissions required: Security Signals Read

analyze_datadog_security_signals
Analyzes security signals using SQL for aggregations, grouping, and trend analysis. Use this for counts, top-N breakdowns, and time-based questions. To list signals or retrieve a single signal, use search_datadog_security_signals or get_datadog_security_signal instead.
Permissions required: Security Signals Read, Timeseries

get_datadog_security_signal
Retrieves the full details of a single security signal by ID, including attributes, rule information, triage state, tags, and case correlations. Use search_datadog_security_signals to find signal IDs first.
Permissions required: Security Signals Read

security_findings_schema
Returns the available fields and their types for security findings. Call this before using analyze_security_findings to discover which fields you can filter and group by. Supports filtering by finding type.
Permissions required: Security Monitoring Findings Read

analyze_security_findings
Primary tool for analyzing security findings using SQL. Queries live data from the last 24 hours with support for aggregations, filtering, and grouping. Call security_findings_schema first to discover available fields.
Permissions required: Security Monitoring Findings Read, Timeseries

search_security_findings
Retrieves full security finding objects. Use this when you need complete finding details or when SQL-based analysis is not sufficient. Prefer analyze_security_findings for most analysis tasks.
Permissions required: Security Monitoring Findings Read

Further reading