If you’re new to MCPs or simply wondering what you can do with TheHive MCP, you’re in the right place.
In this article, we’ll walk through what MCPs are, how TheHive MCP Server works and most importantly, how it can help SOC teams in their day-to-day operations.
From reducing repetitive work to enabling smarter analyst assistance, TheHive MCP opens up a new way to interact with our incident response platform.
What is an MCP? A short introduction
(Already familiar with MCPs? Feel free to skip this section.)
You might already know what Software Development Kits (SDKs) are. If so, Model Context Protocols (MCPs) follow a very similar idea, but they are designed specifically for Large Language Models (LLMs).
If not, here is a simple way to think about it!
Imagine a toolbox that allows an application to interact with an Application Programming Interface (API). An MCP is the same toolbox made accessible to an LLM.
Now imagine giving this toolbox to an AI model such as ChatGPT. Suddenly, the model is no longer limited to generic answers. It can interact with TheHive cases, create and update observables, retrieve case context and generate activity summaries and reports. Magic? No, it’s TheHive MCP!
There is also a critical point worth highlighting.
If you self-host both your LLM and TheHive MCP, your data never leaves your environment. You retain full control and ownership of your sensitive security data, which is a core requirement for most SOCs.
Accelerating incident response with TheHive MCP
From automating repetitive tasks to intelligently assisting analysts, TheHive MCP unlocks a wide range of capabilities.
On its own, TheHive MCP already brings value. Combined with an orchestrator, though, it reaches its full potential: more advanced workflows, smarter interactions and deeper automation. The result is less manual effort, better context and more time for analysts to focus on what really matters.
Let’s go step by step, from the simplest use cases to more advanced scenarios, and see how TheHive MCP can fit into real SOC operations.
Need to perform actions across a large number of cases? Easy—no scripts, no API calls, no context switching.
With TheHive MCP, you can simply describe what you want to do in natural language, and your AI assistant will take care of the rest. Whether it is updating cases, adding observables or applying changes at scale, the MCP can process multiple instructions in a single prompt. This makes it a powerful productivity booster for analysts and SOC leads alike.
One request. Multiple actions. Zero friction.
Instant security analytics to support faster decision-making
Sometimes, you don’t want a full report or a long-term dashboard. You just need a quick and clear answer to support a decision.
With TheHive MCP, you can ask questions directly against your operational data and get the result almost instantly, presented in a format that actually helps. This can include charts and visual summaries, tables and structured views, or exportable formats such as CSV or PDF.
Because some LLM environments, such as Claude Desktop, can render HTML or React components, the output can be displayed immediately with no manual export or spreadsheet work.
From threat intelligence to investigation in seconds
We know the feeling: you are reading a CTI report, a blog post or a disclosure about a new threat actor, and you start wondering whether this is already happening in your environment.
Instead of wondering, act immediately.
With TheHive MCP, you can turn a report into an investigation entry point in seconds. Simply provide the report link and your instructions, and the MCP will create a new case, extract relevant IOCs, add them as observables and preserve the report as investigation context.
Example:
Based on the threat it represents, can you create my incident response playbook as tasks? Provide clear instructions on how to complete the task in the description.
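To make the "toolbox" idea and the report-to-case flow concrete, here is an added example that is not TheHive MCP's own code and does not use its real tool names (which this article does not list). It implements the two MCP methods an LLM client relies on, tools/list and tools/call, as in-process JSON-RPC handling (a real server would speak the same messages over stdio or HTTP), and exposes one hypothetical tool, extract_iocs, that refangs a constructed CTI excerpt and returns indicators keyed the way TheHive names observable fields (dataType, data). The report text, the tool name and the helper functions are all assumptions made for this example.

```python
import ipaddress
import json
import re

# Constructed sample: a few sentences in the style of a CTI report, with
# defanged indicators as analysts usually receive them.
SAMPLE_REPORT = """
The actor staged payloads on hxxp://update-check[.]example[.]net/ and
beaconed to 203[.]0[.]113[.]45 over TCP/443. The dropper hash was
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Analysts also observed DNS lookups for mail.example[.]org.
"""

# Common defanging conventions, undone before pattern matching.
DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"),
          ("[.]", "."), ("(.)", "."), ("[:]", ":")]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


def refang(text: str) -> str:
    for defanged, clean in DEFANG:
        text = text.replace(defanged, clean)
    return text


def extract_iocs(text: str) -> list:
    """Return de-duplicated observables as {'dataType': ..., 'data': ...}."""
    clean = refang(text)
    found, seen = [], set()

    def add(data_type, value):
        key = (data_type, value)
        if key not in seen:
            seen.add(key)
            found.append({"dataType": data_type, "data": value})

    for h in SHA256_RE.findall(clean):
        add("hash", h.lower())
    for ip in IP_RE.findall(clean):
        try:
            ipaddress.ip_address(ip)  # rejects octets above 255
        except ValueError:
            continue
        add("ip", ip)
    for dom in DOMAIN_RE.findall(clean):
        add("domain", dom.lower())
    return found


# Hypothetical tool registry: name -> MCP tool descriptor plus handler.
TOOLS = {
    "extract_iocs": {
        "description": "Extract IOCs from a CTI report excerpt",
        "inputSchema": {"type": "object",
                        "properties": {"text": {"type": "string"}},
                        "required": ["text"]},
        "handler": extract_iocs,
    }
}


def handle_request(req: dict) -> dict:
    """Dispatch one JSON-RPC 2.0 request using the MCP tools/* methods."""
    rid, method = req.get("id"), req.get("method")
    if method == "tools/list":
        tools = [{"name": n, "description": t["description"],
                  "inputSchema": t["inputSchema"]} for n, t in TOOLS.items()]
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": tools}}
    if method == "tools/call":
        params = req.get("params", {})
        tool = TOOLS.get(params.get("name"))
        if tool is None:
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32602, "message": "unknown tool"}}
        result = tool["handler"](**params.get("arguments", {}))
        # MCP tool results are returned as a list of content parts.
        return {"jsonrpc": "2.0", "id": rid,
                "result": {"content": [{"type": "text",
                                        "text": json.dumps(result)}]}}
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": "method not found"}}


if __name__ == "__main__":
    print(json.dumps(handle_request({"jsonrpc": "2.0", "id": 1,
                                     "method": "tools/list"}), indent=2))
    call = {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
            "params": {"name": "extract_iocs",
                       "arguments": {"text": SAMPLE_REPORT}}}
    print(json.dumps(handle_request(call), indent=2))
```

The model never touches TheHive directly: it only sees the tool descriptors from tools/list and the JSON the handler returns, which is what keeps the data path inside your environment when both the LLM and the server are self-hosted.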
From threat intelligence to an incident response playbook
A report is just the beginning. The real question is how to investigate and respond.
This is where TheHive MCP really shines.
You can ask it to generate a tailored incident response playbook directly as tasks in TheHive, based on the threat described in the report.
Each task comes with clear and actionable guidance. This can include Windows Event Log IDs to search for, YARA rules to deploy, IPTables commands to block IOCs, Microsoft 365 PowerShell query examples, persistence mechanisms to inspect, investigation checklists and more.
The result is a ready-to-run, threat-specific playbook, grounded in your CTI source and embedded directly into your workflow.
Run all analyzers, get one clear report in TheHive
Combining multiple analyzers is a great way to build confidence in an assessment, but reviewing fourteen separate reports for a single observable is not exactly efficient.
With TheHive MCP, you can ask the assistant to run all available analyzers on an observable, read and correlate their outputs, produce a concise summary and store it directly in the observable description.
You keep access to every individual analyzer report if you need them, but the key takeaways are immediately visible in one place.
Example:
On the observable 66[.]98[.]127[.]105[.]16clouds[.]com, run all available analyzers, use the analyzers’ reports to make a summary and put the summary as an observable description.
As you can see, TheHive MCP has summarized all 14 analyzer reports in one place, allowing you to get the key information at a glance. If you want to see the full report for any of them, it’s still available directly in TheHive.
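The correlation step the assistant performs in the example above can be shown as plain code. The following is an added example, not TheHive's or Cortex's own code: it takes constructed analyzer reports in the shape Cortex analyzers emit (a summary.taxonomies list whose entries carry level, namespace, predicate and value), derives an overall verdict from the worst level reported, notes analyzers that failed, and renders the text an assistant would store as the observable description. The analyzer names, their values and the render layout are assumptions for this example.

```python
# Constructed sample: four Cortex-style analyzer reports for one observable.
# Real reports carry many more fields; only the ones used here are included.
SAMPLE_REPORTS = [
    {"analyzer": "VirusTotal_GetReport", "success": True,
     "summary": {"taxonomies": [{"level": "malicious", "namespace": "VT",
                                 "predicate": "GetReport", "value": "12/70"}]}},
    {"analyzer": "AbuseIPDB", "success": True,
     "summary": {"taxonomies": [{"level": "suspicious", "namespace": "AbuseIPDB",
                                 "predicate": "Records", "value": "3"}]}},
    {"analyzer": "MaxMind_GeoIP", "success": True,
     "summary": {"taxonomies": [{"level": "info", "namespace": "MaxMind",
                                 "predicate": "Location", "value": "US"}]}},
    {"analyzer": "Shodan_Host", "success": False,
     "errorMessage": "quota exceeded"},
]

# Cortex taxonomy levels, ordered from least to most concerning.
LEVEL_RANK = {"info": 0, "safe": 1, "suspicious": 2, "malicious": 3}


def summarize_reports(reports: list) -> dict:
    """Correlate analyzer reports into one verdict plus supporting evidence."""
    counts = {level: 0 for level in LEVEL_RANK}
    evidence, failed = [], []
    worst = -1
    for rep in reports:
        if not rep.get("success"):
            failed.append(rep["analyzer"])
            continue
        for tax in rep.get("summary", {}).get("taxonomies", []):
            level = tax.get("level", "info")
            if level not in LEVEL_RANK:  # tolerate unknown levels from custom analyzers
                level = "info"
            counts[level] += 1
            worst = max(worst, LEVEL_RANK[level])
            evidence.append(
                f"{rep['analyzer']}: {tax['namespace']}:{tax['predicate']}"
                f"={tax.get('value', '')} ({level})")
    verdict = "unknown" if worst < 0 else [k for k, v in LEVEL_RANK.items() if v == worst][0]
    return {"verdict": verdict, "counts": counts,
            "evidence": evidence, "failed": failed,
            "analyzers_run": len(reports) - len(failed)}


def render_description(summary: dict, observable: str) -> str:
    """Plain-text block suitable for storing as the observable description."""
    lines = [f"Analyzer summary for {observable}",
             f"Verdict: {summary['verdict'].upper()} "
             f"({summary['analyzers_run']} analyzers completed)",
             "Evidence:"]
    lines += [f"  - {e}" for e in summary["evidence"]]
    if summary["failed"]:
        lines.append("Failed analyzers (re-run before closing): "
                     + ", ".join(summary["failed"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Observable name taken from the prompt above, kept defanged.
    print(render_description(summarize_reports(SAMPLE_REPORTS),
                             "66[.]98[.]127[.]105[.]16clouds[.]com"))
```

Keeping the failed analyzers visible in the summary matters: a "malicious" verdict built on three of fourteen reports is a different level of confidence than one built on all fourteen, and the analyst should see that at a glance rather than in the individual reports.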
Boost your response with TheHive's AI capabilities
TheHive MCP brings cybersecurity analysts one step closer to a future where AI genuinely augments human expertise, not by replacing it, but by removing friction.
You remain fully in control of every action taken while gaining faster execution of repetitive tasks, smarter and context-aware assistance and clearer insights for confident decision-making.
Think of it as your SOC assistant, always available, always contextual and always under your control. (Some of us at StrangeBee call it Jarvis :D)
As TheHive MCP is currently in beta, your feedback is especially valuable. Don’t hesitate to share your experience, ideas or pain points—your input directly helps shape how the MCP evolves!
Get started with TheHive MCP
You can download TheHive MCP Server and start experimenting with it today. Plug it into your preferred LLM environment, keep your data under your control and explore what AI-assisted incident response looks like!