MCP for Cyber Incident Response
Model Context Protocol (MCP) is the open standard, published by Anthropic in November 2024, that lets AI assistants connect to external tools and data through a common interface. In cyber incident response, an MCP server exposes incident-handling capabilities (read the ledger, draft a notification, query the holding statement library) to any MCP-compliant AI client under capability scoping. This page covers the IR-OS MCP server design and why MCP matters for defensible AI-augmented incident response.
What MCP is
MCP defines three primitives. Tools are actions an AI client can request (read the incident ledger, draft a regulator notification). Resources are data the AI client can subscribe to (the live incident state, the regulatory clock countdowns). Prompts are reusable templates the server exposes for common workflows. An MCP server publishes these primitives; an MCP client discovers and uses them.
The protocol carries the request-response pattern over stdio (for local processes) or HTTP with Streamable HTTP transport (for remote services). Authentication, capability negotiation, and discovery are part of the protocol. The result: an AI assistant connecting to a new MCP server can introspect capabilities and use them under capability scoping, without the assistant author having written code for that specific server.
The IR-OS MCP server
The IR-OS MCP server exposes incident-handling capabilities to AI clients under three control layers: tenant isolation, role-based access, and incident-scoped capability boundaries. Every MCP credential carries the user identity, the role assigned in the current incident, and the incident scope. The server enforces the boundaries at the tool layer.
| Tool | Type | Purpose |
|---|---|---|
| incident.get | Read | Return current incident metadata |
| ledger.read | Read | Return ledger entries scoped to incident and role |
| plan.read | Read | Return the IR plan applicable to the incident |
| template.list | Read | Return holding statement and notification templates |
| clock.status | Read | Return current state of the 8 regulatory clocks |
| notification.draft | Draft | Produce a draft regulator notification from a template |
| statement.draft | Draft | Produce a draft public or customer statement |
| brief.draft | Draft | Produce a draft executive or board brief |
| approval.request | Approval | Request human approval on a draft output |
| approval.status | Read | Check approval state on a previously requested draft |
Note what is not on the list: send_email, post_to_social, file_regulator_notification, authorize_payment, close_incident. None of these tools are exposed by the MCP server. They cannot be called by any AI client under any circumstance. External actions are always human-only and bound to the approval ledger.
Prompt injection defense
An AI assistant that ingests untrusted content (incoming emails, supplier disclosures, attacker-controlled documents) faces the risk that injected instructions hijack the AI's behavior. The IR-OS MCP server treats this as a tool-layer problem, not a prompt-layer problem, because prompt-layer defenses are bypassable.
Three defenses operate in parallel. Input segregation: every retrieved content has a source tag (trusted-internal, untrusted-external, attacker-controlled). The AI client must respect the tag, but even if it does not, the server is protected. Capability scoping at the tool layer: even if injected instructions tell the AI to send an email or file with a regulator, the MCP server does not expose those tools. The action cannot happen. Approval bindings: every release-level draft requires a named human approver. A compromised AI client cannot bypass the approval step.
An MCP session in practice
A representative incident-response interaction looks like this. The analyst opens an AI assistant that supports MCP. The assistant connects to the IR-OS MCP server with the analyst's scoped credential. The assistant calls incident.get and ledger.read to load context. The analyst asks "draft the GDPR 33 notification." The assistant calls notification.draft with template id "gdpr-art33." The server returns a draft. The assistant displays the draft. The analyst reviews and asks the assistant to call approval.request. Counsel receives the approval request via the platform. Counsel approves. The approval is recorded in the ledger and bound to the draft hash. The draft is ready for transmission to the supervisory authority through a separate, human-only channel.
At no point in this flow does the AI assistant transmit anything to a regulator. The AI drafts. Humans approve. Humans transmit. The MCP server is the mediation layer.
Multi-assistant cyber-IR
A real incident response team uses more than one AI assistant. The analyst has a personal assistant for daily work. The platform runs its own agents (see the 7-agent architecture). Counsel has a legal research assistant. The board liaison has an executive briefing tool. Each of them needs to read the same incident facts and produce drafts.
Without MCP, each integration is bespoke. With MCP, every assistant connects to the same IR-OS MCP server with a scoped credential. The incident record is the single source of truth. Every AI assistant's tool calls are recorded in the same hash-chained ledger. The defensible record is complete regardless of how many AI tools touched the incident.
Provenance for every MCP call
Every MCP tool call against the IR-OS server is recorded in the ledger as an entry with: the calling identity (user, role, AI client identifier), the tool name, the input hash, the output hash, the timestamp, and any associated approval signature. Read calls are recorded for completeness. Draft calls produce ledger entries that link to the draft text. Approval calls bind a named human signature to an output hash.
The result is a complete provenance record. When a regulator, counsel, or insurer asks "which AI tools touched this incident, what did they read, what did they produce, who approved each draft" the answer is in the ledger. The ledger is hash-chained at SHA-256 granularity. The chain root is published to app.ir-os.com/verify so the AI activity record is independently verifiable.
MCP and NIST AI Risk Management Framework
MCP supports NIST AI Risk Management Framework 1.0 (AI 100-1, January 2023) by making AI tool use visible and bounded. GOVERN is supported by the capability scoping policy enforced by the server. MAP is supported by the tool catalog and source-tagging of inputs. MEASURE is supported by ledger-recorded tool call rates and approval times. MANAGE is supported by the hash-chained provenance and the public verifier.
The Generative AI Profile (NIST AI 600-1, July 2024) raises specific concerns about generative AI: confabulation, data privacy, content integrity. The IR-OS MCP design responds to each: confabulation is mitigated by source-grounded retrieval and approval-bound outputs; data privacy is enforced by tenant isolation and incident scoping; content integrity is preserved by the hash-chained ledger.
Frequently Asked Questions
What is MCP for cyber incident response?
MCP (Model Context Protocol) is an open standard published by Anthropic in November 2024 that lets AI assistants connect to external tools, data sources, and APIs through a common interface. In cyber incident response, an MCP server exposes incident-handling capabilities (read the incident ledger, draft a regulator notification, query the holding statement library) to AI assistants under capability scoping and human approval. MCP separates the AI model from the tools it uses.
Why does MCP matter for cyber-IR?
MCP matters because cyber-IR teams use multiple AI assistants (the analyst's personal assistant, the platform's agents, the counsel's research tool) and need a consistent interface for all of them to read the incident record and draft outputs. An MCP server in IR-OS exposes the incident ledger, the holding statement library, the regulatory clocks, and approved templates to any MCP-compliant client under capability scoping. This means the analyst's preferred AI assistant can read incident facts without reimplementing the integration.
How does an MCP server handle prompt injection?
Prompt injection is mitigated at three layers in an IR-OS MCP server. (1) Input segregation: untrusted content (incoming emails, supplier disclosures) is tagged at retrieval time so the AI assistant knows the source class. (2) Capability scoping at the tool layer, not the prompt layer: even if injected instructions tell the AI to file with a regulator, the MCP server tool refuses calls that require human approval. (3) Output approval bindings: every release-level action requires a named human signature bound to the output hash.
What tools does the IR-OS MCP server expose?
The IR-OS MCP server exposes read tools (incident.get, ledger.read, template.list, clock.status, plan.read), draft tools (notification.draft, statement.draft, brief.draft), and approval tools (approval.request, approval.status). All tools are scoped to the current incident and the user's role. The MCP server does not expose write-to-external tools like send_email or file_regulator. External actions are always human-only and bound to the approval ledger.
Can my own AI assistant connect to the IR-OS MCP server?
Yes. Any MCP-compliant client can connect to the IR-OS MCP server with a scoped credential issued from the IR-OS settings. The credential carries the user identity, role, and incident scope. The MCP server enforces the same capability boundaries regardless of which client is calling. This is the value of MCP being an open standard: customers are not locked into a single AI assistant choice for incident-handling work.
How is the AI assistant's MCP activity recorded?
Every MCP tool call against the IR-OS server is recorded in the hash-chained ledger as an entry with the calling identity, the tool name, the input hash, the output hash, the timestamp, and the user role. Read calls are recorded for completeness. Draft calls produce ledger entries that link to the draft text. Approval calls bind a named human signature to an output hash. The complete MCP activity record is part of the defensible incident record.
Does MCP require Anthropic Claude?
No. MCP is an open standard. Any AI assistant or platform that implements the MCP client side can connect to an MCP server. IR-OS itself routes AI agents through OpenRouter to multiple frontier models. The MCP server is independent of model choice. Customers can use Claude, GPT-class models, Gemini, or open-source models through any MCP-compliant client.
What data does the IR-OS MCP server return?
The MCP server returns incident-scoped data only: the incident ledger entries, the IR plan applicable to that incident, the templates available to the calling user's role, the current regulatory clock state, and the draft outputs the user has rights to read. Cross-incident data is not exposed. Other-tenant data is never exposed. Capability scoping is enforced at the tool layer.
How is MCP different from a normal REST API for AI?
A REST API exposes resources and HTTP verbs. MCP defines a consistent set of primitives (tools, resources, prompts) and a discovery mechanism so AI assistants can introspect capabilities without bespoke integration. An AI assistant can connect to a new MCP server, discover available tools, and use them under capability scoping, without the assistant author having written code for that specific server. This is what makes MCP an enabler for the multi-assistant cyber-IR workflow.
When did MCP launch and what is its status?
Anthropic published MCP as an open standard in November 2024. The specification is maintained at the Model Context Protocol GitHub organization and has implementations in TypeScript, Python, and other languages. By 2026, multiple AI platforms and security vendors support MCP. The protocol is still evolving (transports, authentication, streaming), but the core primitives (tools, resources, prompts) are stable enough for production use in cyber-IR.
Connect your AI assistant to IR-OS via MCP
The IR-OS MCP server exposes read, draft, and approval tools under capability scoping with a hash-chained provenance ledger. Plug in your preferred AI assistant. Keep the defensible record intact.
Start your 7-day free trial