Abnormal Security MCP

MCP server for Abnormal Security — AI-powered email threat detection, message analysis, abuse mailbox triage, and security case investigation.

🔗 Companion Plugin

Pair this MCP server with the Abnormal Security plugin for skills, commands, and API knowledge alongside direct API access.

Installation

Run the MCP server with npx:

npx @wyre-technology/abnormal-mcp

Or install the package:

npm install @wyre-technology/abnormal-mcp

MCPB Bundle (Claude Desktop)

Download the .mcpb bundle from GitHub Releases for a zero-config Claude Desktop install. No Node.js or terminal required — just open the bundle in Claude Desktop via Settings → MCP Servers → Install from file. Requires Claude Desktop 0.10+.

Claude Desktop Configuration

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "abnormal": {
      "command": "npx",
      "args": [
        "@wyre-technology/abnormal-mcp"
      ],
      "env": {
        "ABNORMAL_API_TOKEN": "your-abnormal-api-token"
      }
    }
  }
}

Authentication

| Variable | Required | Description |
|---|---|---|
| ABNORMAL_API_TOKEN | Yes | Abnormal Security API token (generate in the Abnormal portal under Settings → API) |

Architecture

Decision-tree MCP server — start with abnormal_navigate to select a domain, then call domain-specific tools.

Available Tools (8)

Tools are organized into 5 domains:

Threats

Detected threat cases with full details and AI analysis.

| Tool | Description |
|---|---|
| abnormal_threats_list | List detected threat cases (paginated) |
| abnormal_threats_get | Get full details of a specific threat by ID |

Messages

Per-threat message inspection: headers, URLs, attachments, AI analysis.

| Tool | Description |
|---|---|
| abnormal_messages_list | List messages within a threat case |
| abnormal_messages_get | Get detailed message analysis (headers, URLs, attachments, AI analysis) |

Remediation

Trigger or check remediation actions for messages.

| Tool | Description |
|---|---|
| abnormal_remediation_manage | Trigger or check remediation actions for a message |

Abuse

User-reported phishing via the Abuse Mailbox.

| Tool | Description |
|---|---|
| abnormal_abuse_list | List phishing emails reported via the Abuse Mailbox |

Cases

Active security investigation cases.

| Tool | Description |
|---|---|
| abnormal_cases_list | List active security investigation cases |
| abnormal_cases_get | Get details of a specific case |
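
Example: gating tool calls on the client side

The sketch below is an added example, not code from this project. It shows a client-side policy gate that follows the navigate-then-call flow described under Architecture and lets the read-only list/get tools through while holding abnormal_remediation_manage for operator approval. The tool names are taken from the tables above; the `domain` argument of abnormal_navigate, its lowercase values, and the `approved` flag are assumptions made for illustration.

```javascript
// Added example, not project code. Tool names come from the tables above;
// the `domain` argument of abnormal_navigate and `approved` are assumptions.
const READ_ONLY = new Set([
  "abnormal_threats_list", "abnormal_threats_get",
  "abnormal_messages_list", "abnormal_messages_get",
  "abnormal_abuse_list", "abnormal_cases_list", "abnormal_cases_get",
]);
const STATE_CHANGING = new Set(["abnormal_remediation_manage"]);

// Build an MCP tools/call request (JSON-RPC 2.0 envelope).
let nextId = 1;
function toolCall(name, args = {}) {
  return { jsonrpc: "2.0", id: nextId++, method: "tools/call", params: { name, arguments: args } };
}

// Returns a stateful checker that remembers the last navigated domain.
function createGate() {
  let domain = null;
  return function check(request, { approved = false } = {}) {
    if (request.method !== "tools/call") return { allow: true, reason: "not a tool call" };
    const { name, arguments: args = {} } = request.params ?? {};
    if (name === "abnormal_navigate") {
      domain = String(args.domain ?? ""); // hypothetical argument name
      return { allow: true, reason: `navigated to ${domain}` };
    }
    // Default-deny anything that is not in the documented tool list.
    if (!READ_ONLY.has(name) && !STATE_CHANGING.has(name)) {
      return { allow: false, reason: "unknown tool" };
    }
    // Tool names follow abnormal_<domain>_<action>.
    const toolDomain = name.split("_")[1];
    if (toolDomain !== domain) return { allow: false, reason: `navigate to ${toolDomain} first` };
    if (STATE_CHANGING.has(name) && !approved) {
      return { allow: false, reason: "remediation needs operator approval" };
    }
    return { allow: true, reason: READ_ONLY.has(name) ? "read-only" : "approved" };
  };
}

// Constructed sample session: triage first, then a remediation attempt.
const gate = createGate();
for (const [req, opts] of [
  [toolCall("abnormal_navigate", { domain: "threats" })],
  [toolCall("abnormal_threats_list")],
  [toolCall("abnormal_navigate", { domain: "remediation" })],
  [toolCall("abnormal_remediation_manage")],
  [toolCall("abnormal_remediation_manage"), { approved: true }],
]) console.log(req.params.name, gate(req, opts));
```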