MCP server for Abnormal Security — AI-powered threat detection, case management, and email remediation.
This server uses a decision-tree architecture. Start by calling abnormal_navigate to select a domain, then use the domain-specific tools.
| Tool | Description |
|---|---|
| `abnormal_navigate` | Navigate to a domain (threats, messages, remediation, abuse, cases) |
| `abnormal_back` | Return to domain selection |

| Tool | Description |
|---|---|
| `abnormal_threats_list` | List detected threat cases (paginated) |
| `abnormal_threats_get` | Get full details of a specific threat by ID |

| Tool | Description |
|---|---|
| `abnormal_messages_list` | List messages within a threat case |
| `abnormal_messages_get` | Get detailed message analysis (headers, URLs, attachments, AI analysis) |

| Tool | Description |
|---|---|
| `abnormal_remediation_manage` | Trigger or check remediation actions for a message |

| Tool | Description |
|---|---|
| `abnormal_abuse_list` | List phishing emails reported via the Abuse Mailbox |

| Tool | Description |
|---|---|
| `abnormal_cases_list` | List active security investigation cases |
| `abnormal_cases_get` | Get details of a specific case |

Abnormal Security uses Bearer token authentication.

```bash
export ABNORMAL_API_TOKEN=your-api-token
node dist/index.js
```

Generate your token in the Abnormal portal under Settings > Integrations > API.

When deployed behind the MCP gateway, set AUTH_MODE=gateway. The gateway injects the Authorization: Bearer {token} header automatically on each request.
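
A sketch of how the two authentication modes above can be resolved per request, added here as an example and not taken from this server's source. `resolveToken`, `headerValue` and `AuthError` are hypothetical names, and treating every `AUTH_MODE` value other than `gateway` as the environment-token mode is an assumption.

```javascript
// Added example with hypothetical names; not taken from the server's source.
class AuthError extends Error {}

// RFC 6750 b64token. Anchored, so CR/LF or spaces inside the value are rejected
// before the token is ever copied into an upstream request header.
const BEARER_RE = /^Bearer +([A-Za-z0-9._~+\/-]+=*)$/i;

// Case-insensitive header lookup that refuses duplicated or non-string values.
function headerValue(headers, name) {
  const hits = Object.keys(headers).filter((k) => k.toLowerCase() === name);
  if (hits.length === 0) return undefined;
  const value = headers[hits[0]];
  if (hits.length > 1 || typeof value !== "string") {
    throw new AuthError(`ambiguous ${name} header`);
  }
  return value;
}

function resolveToken(env, headers) {
  if (env.AUTH_MODE === "gateway") {
    // Fail closed: in gateway mode the token must arrive on every request.
    // Never fall back to ABNORMAL_API_TOKEN, so a request that bypassed the
    // gateway cannot borrow a credential left in the process environment.
    const value = headerValue(headers, "authorization");
    if (value === undefined) throw new AuthError("missing Authorization header");
    const match = BEARER_RE.exec(value);
    if (!match) throw new AuthError("Authorization header is not a Bearer token");
    return match[1];
  }
  // Assumption: any other AUTH_MODE means the token comes from the environment.
  const token = (env.ABNORMAL_API_TOKEN || "").trim();
  if (token === "" || token === "your-api-token") {
    // The README placeholder counts as "not configured".
    throw new AuthError("ABNORMAL_API_TOKEN is not set");
  }
  return token;
}

// Constructed sample request headers (not real credentials).
const sample = { Authorization: "Bearer constructed.sample-token" };
console.log(resolveToken({ AUTH_MODE: "gateway" }, sample));
```

The error messages never include the header value, so a rejected request does not leak a token into logs.
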

```bash
npm install
npm run build
node dist/index.js
```

```bash
MCP_TRANSPORT=http AUTH_MODE=gateway node dist/index.js
```

```bash
docker compose up
```

```bash
npm install
npm run dev        # watch mode
npm test           # run tests
npm run typecheck  # TypeScript type check
```

License: Apache-2.0