Intezer launches MCP server for security AI agents
Mon, 22nd Jun 2026
Intezer has launched a revamped Model Context Protocol server for security operations, designed to connect AI agents such as Claude, Codex and Cursor to its security investigations platform.
The launch centres on what Intezer describes as an operating layer for security operations, sitting between detection tools and the AI agents used by security teams. The system gives those agents access to case histories, workflows, triage logic and prior investigation records held in the Intezer platform.
Security teams are increasingly testing generative AI tools for incident handling, case review and threat hunting. But suppliers and users are still working out how those systems should connect to existing detection and response software. Intezer is positioning its revised MCP server as the layer through which those models can draw on an organisation's existing security data and investigation history.
The platform ingests alerts from tools such as EDR, NDR, SIEM, identity, cloud security and email security systems. It then applies automated forensic investigation to all alerts, stores verdicts and case records, and makes that context available to connected AI agents.
Intezer said its system investigates 100% of alerts and reaches a verdict with 98% accuracy in under two minutes, with less than 2% of alerts escalated for human review. It argued that this reduces the need for organisations to build custom pipelines linking multiple tools and data feeds for AI assistants.
The pitch reflects a wider debate in cyber security over whether businesses should rely on managed detection and response providers or keep alert investigation in-house. Intezer argued that organisations which outsource investigation may not retain the case history, rule tuning and operational knowledge that could later help AI agents make better decisions.
That question matters as more companies look for ways to use large language models in security work without giving them unstructured access to multiple raw systems. Intezer's argument is that AI tools are more useful when they start with a completed investigation record rather than a set of disconnected alerts and telemetry.
Itai Tevet, Chief Executive Officer and Co-Founder of Intezer, said the new release is intended to provide that foundation for AI systems used by security teams.
"An AI platform does its best work standing on a real foundation of security knowledge, not on a dozen raw feeds it has to assemble itself," said Tevet. "This release gives Claude and Codex that foundation with all your cases, your workflows, your triage logic, your institutional memory. AI executes. Humans supervise. And now the supervising got a lot faster too."
How it fits
Intezer set out a three-part structure for security operations. At the base are detection systems that generate alerts from different parts of an organisation's environment. In the middle sits Intezer's platform, which investigates and records those alerts. At the top are AI agents that connect through MCP and carry out response actions using the evidence and context assembled by the platform.
Intezer said this arrangement is intended to avoid the burden of connecting an AI tool directly to many separate products, each with its own query language and data format. It also argued that direct access to raw tool outputs does not amount to a full investigation, because an AI model still needs evidence collection, forensic analysis and cross-tool correlation before reaching a conclusion.
Intezer also tied the launch to its research on missed threats in lower-priority alerts. The company said analysis of more than 25 million alerts found that enterprises miss 54 real threats a year because low-severity or informational alerts are not investigated. It added that custom AI agents can reproduce the same gap if high processing costs or workflow limits lead teams to focus only on a subset of alerts.
Use cases
Examples cited by Intezer include reviewing the oldest open escalated case, drafting a tuning rule to suppress repeated false positives, generating an incident report from forensic evidence and searching for indicators tied to a newly reported campaign. In each case, the AI system would work from investigation data already assembled in the platform rather than collecting all the underlying material itself.
The MCP server is available now to Intezer customers. The company counts NVIDIA, MGM Resorts, Equifax, Salesforce and Ferguson among them.
Intezer said every alert investigated, every case resolved and every tuning rule written remains inside the organisation's own environment, allowing an AI agent connecting through MCP to draw on months or years of accumulated forensic history.