CrowdStrike Falcon Spotlight MCP server
CrowdStrike Falcon Spotlight provides real-time vulnerability management without requiring additional scanners or agents. This MCP server enables AI agents to discover CVEs, prioritize risks, track patch progress, and correlate vulnerabilities with active threats to guide remediation decisions.
Setting up an MCP server
This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.
Before you begin
You'll need:
- Access to AI Gateway with permission to create MCP servers
- API credentials for the application you're connecting (see the relevant application page for what to collect)
Create an MCP server
Find the API in the catalog
- Sign in to AI Gateway and select MCP Servers from the left navigation.
- Select New MCP Server.
- Search for the application you want to connect, then select it from the catalog.
Configure the server
- Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
- Enter a Description so your team knows what the server is for.
- Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
- Toggle Production mode on if this server will be used in a live workflow.
- Select Next.
Configure authentication
Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.
Configure security
- Set any Rate limits appropriate for your use case and the API's own limits.
- Enable Logging if you want AI Gateway to record requests and responses for auditing.
- Select Next.
Deploy
Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.
Connect to an AI client
Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions.
Tips
- You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
- If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
- You can edit a server's name, description, timeout, and security settings after deployment without redeploying.
Authentication
CrowdStrike Falcon Spotlight uses the OAuth 2.0 client credentials flow. Create an API client in the Falcon console at Support > API Clients and Keys and save your Client ID and Client Secret. The token URL is https://api.crowdstrike.com/oauth2/token. Request the spotlight-vulnerabilities:read scope for vulnerability data, hosts:read for asset context, intel:read for threat intelligence correlation, and reports:read for vulnerability reporting and export.
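The following is an added example, not code from this page, from Cequence AI Gateway or from the Falcon API, showing how a client-credentials token request to the token URL above should be built, cached and written to an audit log such as the Logging option in the security step: the client secret stays in the POST body, one token is reused until shortly before expiry (so token calls do not eat into rate limits), and secrets are masked before logging. The response field names (`access_token`, `expires_in`) and the 60-second skew are assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode

# Token URL is the one documented on this page; everything else here is an
# example convention, not the Falcon API or Cequence AI Gateway code.
TOKEN_URL = "https://api.crowdstrike.com/oauth2/token"

def build_token_request(client_id: str, client_secret: str) -> dict:
    """Client-credentials grant: the secret travels in the POST body over TLS,
    never as a query parameter where proxies and access logs would capture it."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Accept": "application/json"},
        "body": urlencode({"client_id": client_id, "client_secret": client_secret}),
    }

class TokenCache:
    """Reuses one bearer token until shortly before expiry so the gateway does
    not spend its rate-limit budget (or audit-log volume) on token requests."""
    def __init__(self, skew_seconds: int = 60):
        self.skew = skew_seconds
        self.token = None
        self.expires_at = 0.0

    def store(self, response_body: str, now: float) -> None:
        data = json.loads(response_body)  # assumed shape: {"access_token": ..., "expires_in": ...}
        self.token = data["access_token"]
        self.expires_at = now + float(data["expires_in"])

    def get(self, now: float):
        """Return a usable token, or None when a fresh one must be requested."""
        if self.token and now < self.expires_at - self.skew:
            return self.token
        return None

def redact_for_log(request: dict) -> dict:
    """Copy of a request that is safe to write to an audit log: the client
    secret and any bearer token are masked, other fields are kept for auditing."""
    safe = {**request, "headers": dict(request["headers"])}
    if "Authorization" in safe["headers"]:
        safe["headers"]["Authorization"] = "Bearer REDACTED"
    fields = parse_qs(request.get("body", ""), keep_blank_values=True)
    for name in fields:
        if name == "client_secret":
            fields[name] = ["REDACTED"]
    safe["body"] = urlencode({k: v[0] for k, v in fields.items()})
    return safe
```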
Available tools
These tools enable vulnerability discovery, risk prioritization, patch management, and remediation tracking across your entire environment.
Vulnerability Discovery
| Tool | Description |
|---|---|
| List vulnerabilities | Query CVEs by severity, asset, or affected software |
| Get vulnerability details | Retrieve CVE information, CVSS scores, and exploit data |
| Find actively exploited vulns | Identify vulnerabilities with public exploits or active campaigns |
| Search by asset | Query all vulnerabilities affecting a specific host or application |
Risk Assessment & Prioritization
| Tool | Description |
|---|---|
| Calculate risk score | Score vulnerabilities based on severity, exploitability, and context |
| Get highest risk assets | Identify systems with greatest remediation needs |
| Assess business impact | Evaluate vulnerability context (criticality, exposure, threat intel) |
| Predict exploitation likelihood | Estimate probability of targeted exploitation |
Patch & Remediation Management
| Tool | Description |
|---|---|
| Find available patches | Query patches for vulnerable software and systems |
| Track patch supersedence | Determine which patches update or replace others |
| Check patch compatibility | Verify patch dependencies and compatibility issues |
| Monitor patch releases | Stay informed of newly released patches and critical updates |
Remediation Tracking
| Tool | Description |
|---|---|
| List remediation options | Query patches, workarounds, and compensating controls |
| Monitor fix progress | Track remediation status and SLA compliance |
| Verify remediation | Confirm that vulnerabilities are resolved after patches are deployed |
| Get remediation metrics | Measure MTTR and patch application rates |
Compliance & Reporting
| Tool | Description |
|---|---|
| Generate reports | Create vulnerability reports for PCI, HIPAA, or SOC 2 |
| Check framework alignment | Verify coverage against NIST, ISO 27001, or CIS benchmarks |
| Query audit evidence | Retrieve data supporting compliance attestations |
| Export inventory | Download vulnerability inventory for ITSM or risk tools |
Tips
- Prioritize vulnerabilities affecting production systems, publicly disclosed exploits, or systems exposed to the internet rather than applying patches uniformly.
- Use threat intelligence correlation to identify which vulnerabilities attackers are actively targeting in your industry.
- Schedule patch windows with system owners ahead of time.
- Maintain rollback plans in case patches cause stability issues.
- Track patching metrics (velocity, coverage, MTTR) to identify bottlenecks and improve remediation efficiency.
- Integrate with ticketing systems (Jira, ServiceNow) to automate remediation workflow and maintain audit trails.
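As an added example that is not part of this page or of Falcon Spotlight, the Python below applies the prioritization and metrics tips above to constructed vulnerability records: exploited or exposed production systems are tiered first instead of ordering by CVSS alone, open findings past their tier's SLA are listed, and MTTR is computed over closed findings. The record fields, CVE ids and SLA targets are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
# Constructed records in the shape an agent might assemble from the "List
# vulnerabilities" and "Monitor fix progress" tools. Field names, CVE ids and
# SLA targets are assumptions for this example, not the Spotlight schema.
@dataclass
class Vuln:
    cve: str
    cvss: float
    exploit_status: str        # "active", "public", or "none"
    production: bool
    internet_facing: bool
    opened: date
    closed: Optional[date] = None

def priority(v: Vuln) -> int:
    """Risk-based tier: exploited or exposed production systems first,
    rather than patching uniformly by CVSS alone."""
    if v.exploit_status == "active" and (v.production or v.internet_facing):
        return 1
    if v.exploit_status in ("active", "public") or (v.production and v.internet_facing):
        return 2
    if v.cvss >= 7.0 and v.production:
        return 3
    return 4
SLA_DAYS = {1: 2, 2: 7, 3: 30, 4: 90}   # remediation target per tier (assumed)

def overdue(vulns: List[Vuln], today: date) -> List[Vuln]:
    """Open findings past their tier's SLA, most urgent first."""
    late = [v for v in vulns if v.closed is None
            and (today - v.opened).days > SLA_DAYS[priority(v)]]
    return sorted(late, key=lambda v: (priority(v), v.opened))

def mttr_days(vulns: List[Vuln]) -> float:
    """Mean time to remediate over closed findings (0.0 if none are closed)."""
    fixed = [(v.closed - v.opened).days for v in vulns if v.closed]
    return sum(fixed) / len(fixed) if fixed else 0.0

TODAY = date(2024, 1, 10)   # constructed "now" for the sample
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, "active", True, True, date(2024, 1, 1)),
    Vuln("CVE-0000-0002", 9.8, "none", False, False, date(2024, 1, 1)),
    Vuln("CVE-0000-0003", 7.5, "none", True, False, date(2023, 12, 1)),
    Vuln("CVE-0000-0004", 5.0, "public", True, False, date(2024, 1, 1), date(2024, 1, 4)),
    Vuln("CVE-0000-0005", 8.0, "active", True, False, date(2024, 1, 2), date(2024, 1, 3)),
]
if __name__ == "__main__":
    for v in overdue(SAMPLE, TODAY):
        print(f"P{priority(v)} {v.cve} open {(TODAY - v.opened).days} days")
    print("MTTR (days):", mttr_days(SAMPLE))
```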
Cequence AI Gateway