Rapid7 MCP Server
Official Rapid7 MCP server that bulk-exports vulnerability and asset data from the Rapid7 Command Platform into a local DuckDB database for SQL and natural language querying.
The Rapid7 Bulk Export MCP is an official open-source server from Rapid7 that connects AI assistants to vulnerability and asset data from the Rapid7 Command Platform (including InsightVM). Rather than making per-question API calls, it uses the Rapid7 Bulk Export API to pull a full dataset into a local DuckDB database, then exposes tools for AI agents to run SQL queries, inspect schemas, and compute statistics. This pattern dramatically reduces token cost and latency for repeated questions across large vulnerability datasets.
The server exposes seven tools covering the full export lifecycle: starting non-blocking export jobs, polling status, downloading and loading completed exports, executing SQL, exploring tables, and reading summary stats. It also ships with an optional Agent Skill (rapid7-bulk-export-skill) that teaches the model the bulk export schema, common SQL query patterns, and security analysis best practices. The skill works alongside Kiro, Claude, GitHub Copilot, and Gemini CLI.
Maintained by Rapid7 under the MIT license, the project is Python-based and intended for use with frontier models that have strong tool-calling and reasoning support. It is designed for internal security copilots, private workflow automation, and natural language exploration of vulnerability and exposure data without sending raw security telemetry through repeated remote API calls.
Tools
| Tool | Description |
|---|---|
| start_rapid7_export | Initiate a non-blocking bulk export job against the Rapid7 Command Platform. |
| check_rapid7_export_status | Poll the progress of an in-flight export job. |
| download_rapid7_export | Retrieve a completed export and load it into the local DuckDB database. |
| query_rapid7 | Execute a SQL query against the locally loaded vulnerability and asset data. |
| get_rapid7_schema | List available tables and columns in the local DuckDB store. |
| get_rapid7_stats | Return summary statistics for loaded exports. |
| list_rapid7_exports | View recent exports cached locally, enabling same-day reuse to minimize API calls. |
Prerequisites
- Rapid7 Insight Platform account with API access
- A User Key or Organization Key from Administration → API Key Management
- Your data storage region code (us, eu, ca, au, or ap)
- Python environment with pip or uv
- AI client that supports MCP (Claude Desktop, Kiro, etc.) running on a frontier model with tool calling
Install
pip install git+https://github.com/rapid7/rapid7-bulk-export-mcp.git
# or
uv pip install git+https://github.com/rapid7/rapid7-bulk-export-mcp.git
Configure (Claude Desktop)
Edit claude_desktop_config.json:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "rapid7-bulk-export": {
      "command": "rapid7-mcp-server",
      "args": [],
      "env": {
        "RAPID7_API_KEY": "your-api-key-here",
        "RAPID7_REGION": "us"
      }
    }
  }
}
Environment variables
- RAPID7_API_KEY (required): Rapid7 Insight Platform API key
- RAPID7_REGION (required): One of us, eu, ca, au, ap
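An added example, not code from the Rapid7 project: a pre-flight check for the Claude Desktop entry above. It verifies the two required variables and, because the API key sits in the config file in plaintext, flags a file that group or other users can access on POSIX systems. The function names and the file-permission check are assumptions made for this illustration.

```python
import json
import os
import stat
import tempfile

VALID_REGIONS = {"us", "eu", "ca", "au", "ap"}  # region codes listed on this page
PLACEHOLDER_KEY = "your-api-key-here"           # sample value from the config above
SERVER_NAME = "rapid7-bulk-export"              # mcpServers entry name from the config

def audit_rapid7_mcp_config(path):
    """Hypothetical helper: return findings for the server entry in a client config."""
    try:
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot read config: {exc}"]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    entry = servers.get(SERVER_NAME) if isinstance(servers, dict) else None
    if not isinstance(entry, dict):
        return [f"no '{SERVER_NAME}' entry under mcpServers"]
    findings = []
    env = entry.get("env") if isinstance(entry.get("env"), dict) else {}
    key, region = env.get("RAPID7_API_KEY"), env.get("RAPID7_REGION")
    real_key = isinstance(key, str) and key not in ("", PLACEHOLDER_KEY)
    if not real_key:
        findings.append("RAPID7_API_KEY is missing or still the placeholder")
    if not isinstance(region, str) or region not in VALID_REGIONS:
        findings.append(f"RAPID7_REGION {region!r} is not one of {sorted(VALID_REGIONS)}")
    # A real key is stored in plaintext: the file should be owner-only on POSIX.
    if real_key and os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"file mode {mode:o} exposes the API key to other users")
    return findings

def write_sample(directory, env, mode):  # writes a constructed sample config
    path = os.path.join(directory, "claude_desktop_config.json")
    with open(path, "w", encoding="utf-8") as fh:
        entry = {"command": "rapid7-mcp-server", "args": [], "env": env}
        json.dump({"mcpServers": {SERVER_NAME: entry}}, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed input: bad region, loose mode
        env = {"RAPID7_API_KEY": "CONSTRUCTED-KEY", "RAPID7_REGION": "uk"}
        print(audit_rapid7_mcp_config(write_sample(tmp, env, 0o644)))
```

To check a real installation, call audit_rapid7_mcp_config with the path of your own claude_desktop_config.json.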
Optional: Agent Skill
The companion rapid7-bulk-export-skill adds schema knowledge and SQL query patterns. Install it separately via the AgentSkills CLI or your platform's skill directory for better query quality.
- Run natural language questions ("which Windows assets have unpatched critical CVEs?") against a full vulnerability export without making fresh API calls each time
- Build a private security copilot that can answer compliance and audit questions over Rapid7 InsightVM data on demand
- Automate weekly vulnerability reporting by exporting once and querying multiple slices via SQL through an agent
- Enrich incident triage by joining asset and vulnerability tables locally with DuckDB SQL
- Explore the bulk export schema interactively to draft new dashboards or detections
- "Start a Rapid7 bulk export and tell me when it is ready to query."
- "Show the schema of the loaded Rapid7 tables and summary stats per table."
- "Query the loaded data for all assets with critical CVEs older than 90 days, grouped by site."
- "List the top 20 most prevalent vulnerabilities across our Linux assets."
- "Reuse today's export and tell me how many assets are missing the latest Windows patch."
- Official Rapid7 project, MIT licensed and open source
- Bulk export plus local DuckDB pattern keeps token usage and latency low even across large vulnerability datasets
- Ships with a companion Agent Skill that teaches the model schema and SQL patterns
- Works across Claude Desktop, Kiro, GitHub Copilot, and Gemini CLI
- Requires a Rapid7 Insight Platform account and a paid product (InsightVM) for meaningful data
- Recommends frontier models with strong tool calling; smaller local models are explicitly not recommended
- Read-oriented: focused on export and query, not on remediation or write-back to Rapid7
- Young project with a small community footprint at time of writing
- solomonneas/rapid7-mcp: community MCP server focused on Rapid7 InsightIDR (SIEM logs, investigations, alerts, UBA)
- el95149/rapid7-mcp-server: community Node.js MCP server that queries the Rapid7 logs REST API
- Vendor MCP servers from other security platforms (e.g. Tenable or Qualys community implementations) for similar vulnerability workflows