Skip to main content

MCP server for Qualys security APIs - natural language interaction with vulnerability, asset, and cloud security data

Project description

Qualys MCP Server

⚠️ Unofficial project. This is a personal project to showcase the viability of connecting AI assistants to Qualys via the Model Context Protocol. It is not affiliated with, endorsed by, or supported by Qualys, Inc.

An MCP server that connects AI assistants to Qualys security data. 7 workflow tools covering vulnerability management, cloud security, containers, compliance, remediation, and more. Pure Python, zero config beyond credentials.

📖 Full documentation →

What's new in v0.2.9

  • Streamable HTTP + Docker support — run the server as a persistent, network-reachable container instead of stdio-only (see Run with Docker below).
  • Fixed per-asset detections in issue #229.
  • Breaking: now requires Python ≥3.10 and fastmcp ≥2.11 — Python 3.9 installs are no longer supported.

Setup

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "qualys": {
      "command": "uvx",
      "args": ["qualys-mcp"],
      "env": {
        "QUALYS_USERNAME": "your-username",
        "QUALYS_PASSWORD": "your-password",
        "QUALYS_POD": "US2"
      }
    }
  }
}

Set QUALYS_POD to your platform POD — the server derives the correct API and gateway URLs automatically.

Supported pods: US1 US2 US3 US4 EU1 EU2 EU3 IN1 CA1 AE1 UK1 AU1 KSA1

Advanced: If you need to override the auto-derived URLs, set QUALYS_BASE_URL and QUALYS_GATEWAY_URL explicitly instead of QUALYS_POD. Explicit URLs take priority.

Requires uv: brew install uv or curl -LsSf https://astral.sh/uv/install.sh | sh

Updating

uvx caches the resolved build, so a plain uvx qualys-mcp keeps running the version it first downloaded — it does not auto-upgrade when a new release ships. To move to the latest version, clear the cache and restart Claude Desktop:

uv cache clean qualys-mcp

To pin (and control) the version explicitly, set it in your config args:

"args": ["qualys-mcp@0.2.7"]

pip install -U qualys-mcp only updates a pip-installed copy — it has no effect on the uvx-launched server.

Alternative

pip install qualys-mcp
qualys-mcp

Self-Signed Certificates

For environments with self-signed certs, add "QUALYS_SSL_VERIFY": "false" to the env block.

Run with Docker (Streamable HTTP)

Prefer a persistent, network-reachable server over the uvx stdio setup above? Run it as a container instead:

docker build -t qualys-mcp:latest .
cp .env.example .env
$EDITOR .env                      # set your Qualys credentials
docker compose up -d
claude mcp add --transport http qualys http://127.0.0.1:8000/mcp/

See docs/DOCKER.md for the full guide: environment variables, connecting other MCP clients, security notes, and troubleshooting.

Tools

7 workflow tools that intelligently dispatch to 42 internal aggregators across all Qualys modules. Each tool handles routing, concurrent API calls, cross-domain correlation, and response synthesis automatically.

Tool What it answers
investigate Deep-dive any security topic — CVEs, threat actors, assets, EDR/FIM events, KB searches
assess_risk Cross-domain risk — VMs, cloud (AWS/Azure/GCP/OCI), containers, web apps, certificates, assets
check_compliance Compliance posture — PCI, HIPAA, CIS, NIST, SOC2 pass/fail, failing controls, exceptions
plan_remediation Patch priorities, deployment status, mitigation coverage, program gap analysis
security_overview Daily/weekly/monthly briefing — scanner health, scan status, vulnerability findings
reports Generate, list, download, and manage Qualys reports
cache_status View and clear API caches

Key Parameters

investigate

  • target — CVE ID, threat actor, hostname, IP, or free-text topic
  • depthquick (~10s) / standard (~20s) / deep (~45s)
  • scopeall / vulns / threats / assets / edr / fim

assess_risk

  • scopeall / cloud / containers / web / certs / assets
  • tag / asset_group — filter by business group
  • provideraws / azure / gcp (cloud scope)
  • asset_id — single asset deep-dive

check_compliance

  • frameworkPCI / HIPAA / CIS / NIST / SOC2
  • include_exceptions — include risk acceptances

plan_remediation

  • scopeall / patches / mitigations / program
  • severitycritical / high / moderate
  • cves / qids — check mitigation coverage for specific vulns

security_overview

  • periodtoday / week / month
  • quick — fast snapshot (~2s) vs full briefing

Example Conversations

Daily Operations

"Give me a security overview"                  → security_overview(quick=True)
"What happened this week?"                     → security_overview(period="week")
"What should we patch first?"                  → plan_remediation(scope="patches", severity="critical")
"How's our compliance?"                        → check_compliance()

Investigation

"Tell me about CVE-2024-3400"                  → investigate(target="CVE-2024-3400")
"Are we exposed to ransomware?"                → investigate(target="ransomware")
"What do we know about Iranian threats?"        → investigate(target="iran")
"Investigate this host: 10.0.0.1"              → investigate(target="10.0.0.1", scope="edr")

Risk Assessment

"What's our overall risk?"                     → assess_risk(scope="all")
"How's our cloud security?"                    → assess_risk(scope="cloud")
"Any container vulnerabilities?"               → assess_risk(scope="containers")
"Web app security status?"                     → assess_risk(scope="web")
"Show me risk for Production assets"           → assess_risk(tag="Production")

Compliance & Remediation

"Are we PCI compliant?"                        → check_compliance(framework="PCI")
"What's our patch coverage?"                   → plan_remediation(scope="patches")
"Is there a mitigation for CVE-2024-3400?"     → plan_remediation(cves=["CVE-2024-3400"])
"What security gaps do we have?"               → plan_remediation(scope="program")

Multi-Step Workflows

"New critical CVE dropped — what do I need to know?"
→ investigate(target="CVE-...") → plan_remediation(cves=["CVE-..."]) → check_compliance()

"Prepare me for the weekly security standup"
→ security_overview(period="week") → assess_risk(scope="all") → plan_remediation(scope="patches")

"PCI audit prep"
→ check_compliance(framework="PCI", include_exceptions=True) → assess_risk(scope="all") → plan_remediation()

Architecture

AI Assistant → qualys_mcp.py (7 tools) → workflows/ (dispatch + synthesis) → aggregators.py (42 functions) → api.py (HTTP + caching) → Qualys APIs

Each workflow tool:

  1. Builds a dispatch plan based on parameters
  2. Runs selected aggregators concurrently
  3. Merges results into a unified response envelope
  4. Applies cross-domain correlation
  5. Returns prioritized findings and recommended actions

Performance

Tested on an 89,000-asset environment (US2 POD):

Workflow Time
security_overview(quick=True) 1.7s
assess_risk(scope="cloud") 1.3s
assess_risk(scope="containers") 3.1s
check_compliance() <1ms (cached)
plan_remediation(scope="patches") 2.6s
investigate(target="CVE-2024-3400") ~33s
assess_risk(scope="all") 4.9s

Cold start: The first query after launching takes 2-10s longer while the bearer token is acquired and caches warm up. A background thread pre-fetches VMDR detections on startup. After the first query, responses are significantly faster. Ask security_overview(quick=True) first to warm caches.

Eval Harness

300 routing test questions + 900 variants + 30 multi-turn conversation workflows for automated evaluation.

# Install eval dependencies
pip install anthropic mcp python-dotenv pyyaml

# Run eval
python -m eval --quick

Testing

# Unit tests (282 tests)
pip install pytest
pytest tests/ --ignore=tests/conversations -q

# Smoke test
bash test_tools.sh fast

Qualys PODs

POD BASE_URL GATEWAY_URL
US1 qualysapi.qualys.com gateway.qg1.apps.qualys.com
US2 qualysapi.qg2.apps.qualys.com gateway.qg2.apps.qualys.com
US3 qualysapi.qg3.apps.qualys.com gateway.qg3.apps.qualys.com
US4 qualysapi.qg4.apps.qualys.com gateway.qg4.apps.qualys.com
EU1 qualysapi.qualys.eu gateway.qg1.apps.qualys.eu
EU2 qualysapi.qg2.apps.qualys.eu gateway.qg2.apps.qualys.eu
EU3 qualysapi.qg3.apps.qualys.eu gateway.qg3.apps.qualys.eu
IN1 qualysapi.qg1.apps.qualys.in gateway.qg1.apps.qualys.in
CA1 qualysapi.qg1.apps.qualys.ca gateway.qg1.apps.qualys.ca
AE1 qualysapi.qg1.apps.qualys.ae gateway.qg1.apps.qualys.ae
UK1 qualysapi.qg1.apps.qualys.co.uk gateway.qg1.apps.qualys.co.uk
AU1 qualysapi.qg1.apps.qualys.com.au gateway.qg1.apps.qualys.com.au
KSA1 qualysapi.qg1.apps.qualysksa.com gateway.qg1.apps.qualysksa.com

License

MIT - Copyright (c) 2026 Andrew Nelson

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

qualys_mcp-0.2.9.tar.gz (121.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

qualys_mcp-0.2.9-py3-none-any.whl (128.0 kB view details)

Uploaded Python 3

File details

Details for the file qualys_mcp-0.2.9.tar.gz.

File metadata

  • Download URL: qualys_mcp-0.2.9.tar.gz
  • Upload date:
  • Size: 121.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for qualys_mcp-0.2.9.tar.gz
Algorithm Hash digest
SHA256 5cf1295f234d93c5a4450155ec15bf778aab5f6925d2c27e8ff11f10e214a13f
MD5 b4af5f86bf412aaa04e0616fe238c99a
BLAKE2b-256 40f235ecb9e874472567f7ea33e430b62fded127c9158411edfabaa5e559baf6

See more details on using hashes here.

File details

Details for the file qualys_mcp-0.2.9-py3-none-any.whl.

File metadata

  • Download URL: qualys_mcp-0.2.9-py3-none-any.whl
  • Upload date:
  • Size: 128.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for qualys_mcp-0.2.9-py3-none-any.whl
Algorithm Hash digest
SHA256 3970e8d5ec641d1613d956efe3fafdc5820042ae683bded3efce30a91271b7a5
MD5 49ce2a7cfb0fdbeef41c22dd2f310b52
BLAKE2b-256 56bc2ee000d53d11e7f91bd01622cb3de4614353d87dd8ae4d936edd3bca52a7

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page