Command Zero launches APIs & MCP server for SOC teams

Thu, 30th Apr 2026
Sean Mitchell, Publisher

Command Zero has released application programming interfaces (APIs) and a Model Context Protocol (MCP) server for its security operations platform, aimed at security teams and partners that want to connect its investigation tools with existing workflows.

The release adds programmatic access to investigations, business context data, catalog and schema information, remediation actions, and an MCP server that lets compatible artificial intelligence agents query the platform directly. Customers can use these additions to start threat hunts, run investigations, manage context, and trigger remediation from external systems.

Security operations centres typically span many separate products, and integrating them has become a major obstacle for teams trying to automate analysis and response. The new interfaces are intended to let customers connect the platform to security orchestration, automation and response (SOAR) playbooks, internal tools, and other automation pipelines without waiting for bespoke product integrations.

The new capabilities include investigation interfaces that let users list, start, extend, update, and retrieve investigations based on templates held in the platform. Business context interfaces let customers list, upload, and retrieve data at scale, including information from systems such as ServiceNow, cyber exposure management tools, and human resources platforms.

Another set of interfaces covers catalog and schema data, allowing external systems to query entity types, data sources, and investigation templates. The remediation functions let external systems list remediation templates and execute actions through the platform.

The MCP server sits on top of those interfaces and is designed to work with Claude and other MCP-compatible agents. Analysts can use that layer to run health checks, list investigations, triage open cases, and create dashboards through an artificial intelligence chat interface.

Industry analysts said the move reflects a wider shift in security operations as companies weigh whether to rely on agentic functions added to existing tools or adopt separate autonomous security operations platforms.

"With aggressive growth in the availability of agentic SecOps capabilities, security leaders and architects are at an architectural juncture - facing a decision to either adopt agentic feature sets being added to existing security tools and platforms, or to instead invest in net-new autonomous SOC platforms - further increasing complexity to an already overwhelming SecOps tools environment. Command Zero is solving this architectural challenge, adding APIs and MCP server access to powerful autonomous investigation capabilities that can be woven into existing tools, workflows, and UI," said Dave Gruber, Principal Analyst, Cybersecurity, Omdia.

Richard Stiennon also commented on the release.

"Opening Command Zero's advanced investigation engine to developers changes what's possible. Teams can now use advanced capabilities of the platform as the substrate for custom threat hunting frameworks, CTI-driven analysis, and bespoke tooling. The MCP server extends that to AI agents - which matters as agentic SecOps moves from pitch decks to day-to-day practice," said Stiennon.

Use cases

Command Zero outlined several examples of how customers could use the new tools. A security team could configure a SOAR playbook to trigger a Command Zero investigation as soon as an alert is raised, then return response data to the case as events develop.
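The alert-to-investigation-to-case loop described above, as an added Python example that is not code from the original article or from Command Zero: the endpoint paths (`/investigations`), the request and response fields, and the status vocabulary are assumptions chosen for illustration rather than Command Zero's published API, and the in-memory `FakePlatform` stands in for the real service so the playbook logic runs offline. What it shows beyond the paragraph is the part a practitioner has to get right in any SOAR playbook of this shape: the investigation is long-running, so the playbook polls with a bounded deadline, writes back only findings it has not already posted to the case, and records a timeout on the case instead of hanging the playbook.

```python
"""SOAR playbook glue: trigger an investigation on an alert, stream findings to the case.

Hypothetical throughout: endpoint paths, field names and status values are assumptions
for illustration, not Command Zero's published API. The transport is injectable so the
polling and write-back logic can be exercised offline against the fake included below.
"""
import time

TERMINAL = {"completed", "failed", "cancelled"}  # assumed terminal status values


class InvestigationClient:
    """Thin wrapper over a transport callable: transport(method, path, json_body) -> dict."""

    def __init__(self, transport):
        self._t = transport

    def start(self, template_id, context):
        return self._t("POST", "/investigations", {"template": template_id, "context": context})

    def get(self, inv_id):
        return self._t("GET", f"/investigations/{inv_id}", None)


def run_playbook(alert, client, post_to_case, timeout_s=600.0, poll_s=5.0,
                 clock=time.monotonic, sleep=time.sleep):
    """Start an investigation for `alert`, poll until terminal, push new findings to the case.

    Returns the final status string, or "timeout" if the deadline passed first.
    `clock` and `sleep` are injectable so the loop can be driven deterministically in tests.
    """
    inv = client.start(alert["template"], {"alert_id": alert["id"], "host": alert["host"]})
    inv_id = inv["id"]
    post_to_case(alert["case_id"], {"event": "investigation_started", "investigation_id": inv_id})

    deadline = clock() + timeout_s
    written = 0  # findings already written to the case; avoids duplicate case updates
    while True:
        status = client.get(inv_id)
        findings = status.get("findings", [])
        for finding in findings[written:]:
            post_to_case(alert["case_id"],
                         {"event": "finding", "investigation_id": inv_id, "finding": finding})
        written = len(findings)

        if status["status"] in TERMINAL:
            post_to_case(alert["case_id"],
                         {"event": "investigation_" + status["status"], "investigation_id": inv_id})
            return status["status"]
        if clock() >= deadline:
            # Bounded wait: leave a marker on the case so an analyst can pick it up later.
            post_to_case(alert["case_id"],
                         {"event": "investigation_timeout", "investigation_id": inv_id})
            return "timeout"
        sleep(poll_s)


class FakePlatform:
    """Constructed in-memory stand-in for the platform; every GET advances the investigation.

    The first two polls report "running" with a growing findings list; the third reports
    "completed". This is test scaffolding, not a model of any real service.
    """

    def __init__(self):
        self.polls = 0

    def __call__(self, method, path, body):
        if method == "POST" and path == "/investigations":
            return {"id": "inv-1", "status": "queued"}
        if method == "GET" and path == "/investigations/inv-1":
            self.polls += 1
            findings = [f"finding-{i}" for i in range(1, self.polls + 1)]
            return {"id": "inv-1",
                    "status": "completed" if self.polls >= 3 else "running",
                    "findings": findings}
        raise ValueError(f"unexpected call {method} {path}")


def demo(timeout_s=600.0):
    """Run the playbook against the fake with a simulated clock; return (status, case events)."""
    case_events = []
    now = [0.0]
    alert = {"id": "alrt-42", "case_id": "CASE-7", "host": "ws-17",
             "template": "suspicious-login"}  # constructed sample alert
    result = run_playbook(
        alert, InvestigationClient(FakePlatform()),
        lambda case_id, ev: case_events.append((case_id, ev)),
        timeout_s=timeout_s, poll_s=5.0,
        clock=lambda: now[0], sleep=lambda s: now.__setitem__(0, now[0] + s))
    return result, case_events


if __name__ == "__main__":
    for status, events in (demo(), demo(timeout_s=4.0)):
        print(status, [ev["event"] for _, ev in events])
```

Swapping `FakePlatform` for a real transport (a callable that takes method, path and JSON body and returns the decoded response) is the only change needed to point this at a live service; keep the credential that transport carries scoped to the investigation operations the playbook actually calls, rather than a key that can also execute remediation.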

Another use case is a custom threat hunting framework that ingests threat intelligence, generates hypotheses, turns them into questions inside the platform, and runs scheduled autonomous hunts. Managed security service providers could also use the interfaces to synchronise client business context across multiple tenants instead of entering data manually in each environment.

Internal security dashboards could also be built in Claude to summarise weekly activity, automation rates, and open investigations in natural language. This points to a focus not only on machine-to-machine integration, but also on user-facing interfaces for analysts and managers.

The current release covers the core elements customers need to begin building integrations, with more endpoints expected to follow based on feedback from customers and partners. Command Zero also plans to publish sample integrations and reference implementations.

Dov Yoran, co-founder and chief executive officer of Command Zero, described the release as a way to make the platform more usable within existing security environments.

"The best security platforms are the ones teams can build on. This release puts Command Zero's investigation engine in the hands of our customers and our technical alliance partners. They can wire us into their pipelines, extend us with their own flows, and connect us to the AI agents working collaboratively with their analysts. That is how a platform earns its place in the SOC. These APIs and MCP servers unlock a new class of joint solutions with our partners," said Yoran.