We're bringing to you another Community challenge and this time it's about Model Context Protocol. MCP is a hot topic in the security world right now. For those just hearing about MCP, it allows AI models to communicate with and leverage the capabilities of diverse security tools. This helps enhance security workflows by ensuring models are contextually aware across multiple downstream services. With the ability to interact with security data in natural language, security teams can produce insights faster and scale their security operations. If you’re just getting started with the SecOps MCP server, check out our SecOps MCPserver content to learn more.
We're excited to launch this new challenge and can't wait to see all the different ways you are using the Google SecOps MCP server to boost your security operations. Knowing our expert Community users, we bet you're doing incredible things. And we want to see what you're up to! This is your chance to contribute to the Community, show off your skills, inspire others and win some awesome Google swag!
Here's How to Participate:
Tell us how you're using the SecOps MCP server. In the comments below, share how you're using the SecOps MCP server in your workflow. Are you using it for automation, data analysis, or something completely new? We want to hear all about it!
Show us a screenshot or video (YouTube videos only please). Post a screenshot or a short video (you can blur out any sensitive info) that shows your SecOps MCP server in action.
Get likes! The posts with the most likes from the Community will win! Make sure to like your favorite responses to help us find our winners.
Duration: Jul 22, 2025 - Aug 29, 2025
Winner Announcement date: Winners will be announced Early-September 2025
Prizes: The top three participants with the most likes will win some cool Google SecOps swag! The contest ends on August 29, 2025, and we'll announce the winners shortly after.
Get Inspired: SecOps MCP Ideas and Examples
Stuck for ideas? The SecOps MCP server is incredibly versatile! Here are some ideas and examples from our engineers to spark your creativity for a winning entry:
Ideas
Automation Master: Show your custom scripts, playbooks, or automated workflows that save time on tasks, incident response, or alert enrichment.
Visibility Guru: Share unique dashboards or reports that provide deep insights, visualize data, identify trends, or track key metrics.
Integration Wizard: Demonstrate how your MCP server connects seamlessly with other security tools, threat intelligence, or ticketing systems for a unified ecosystem.
Efficiency Champion: Tell us how the MCP server has reduced false positives, sped up investigations, or improved overall operational efficiency (a "before and after" can be powerful!)
Examples and Resources
See what’s new on our video AI Runbooks for Google Cloud Security MCP Server, where we demonstrate how AI runbooks can enhance your visibility and automate responses within Google Cloud Security.
Here is how you can use MCP for proactive threat hunting, showcasing how the MCP server integrates with various tools to identify and mitigate threats before they escalate. Take a look at our video demonstrating using MCP Servers with ADK, highlighting how this integration can significantly improve the efficiency of your security operations.
Check out our video on starting to use MCP for Google Cloud Security, which walks you through the initial setup and automation capabilities for your security services in Google Cloud environment.
We're looking for creativity, clarity, and most importantly, how you're making the SecOps MCP server work for you. Don't hold back – even small, clever use cases can make a big impact.
Ready to share? Drop your submission below in the comment section with a screenshot and description, or YouTube video.
Page 1 / 1
Can’t get enough of MCP 😋
**Submission: Sentinel.AI – Rogue AI Detection with MCP**
## In the era of LLMs and AI automation, rogue agents can cause silent but deadly breaches.
Sentinel.AI uses the Google SecOps MCP Server to detect, alert, and respond to unauthorized or misaligned AI agents operating within GCP environments.
/- What It Does:
Monitors API usage, logs, and identity behavior for anomalies
Detects unauthorized AI agents (e.g. shadow GPT bots)
@BrokenText Yes! We are excited to see what you can do with MCP.
@RHYUGEN did you mean to include files in the Google Drive? I don’t see anything.
Just as a friendly reminder, please follow these contest guidelines. Thank you all for your participation!
Here's How to Participate:
Tell us how you're using the SecOps MCP server. In the comments below, share how you're using the SecOps MCP server in your workflow. Are you using it for automation, data analysis, or something completely new? We want to hear all about it!
Show us a screenshot or video (YouTube videos only please). Post a screenshot or a short video (you can blur out any sensitive info) that shows your SecOps MCP server in action.
Get likes! The posts with the most likes from the Community will win! Make sure to like your favorite responses to help us find our winners.
@RHYUGEN did you mean to include files in the Google Drive? I don’t see anything.
Hey could you check again I didn't saw any problem there
Are you ready to enhance your security operations with agentic AI, but finding the setup of Google's Model Context Protocol (MCP) servers a challenge? We've got you covered!
Our latest video demonstrates the fastest and easiest way to set up MCP servers using Firebase Studio and Cline. This streamlined approach will help you quickly harness the power of agentic AI for enhanced security.
For more examples of SecOps MCP in action, explore our blog and video where we showcase MCP Servers integrated with Claude Code subagents. See firsthand how these powerful combinations can boost your security efficiency.
We also highlight new integrations for third-party MCP Servers, demonstrating how you can achieve even greater security efficiency and flexibility within your existing infrastructure in this blog and video.
Participate in Our SecOps MCP Challenge!
Now it's your turn to showcase your innovation! . Share how you're using MCP Servers to transform your security operations. Whether you've developed a unique integration, streamlined a complex workflow, or achieved significant efficiency gains, we want to hear about it!
Submit your MCP Server use case today and demonstrate how you're leveraging this powerful technology. Let's inspire each other and collectively advance the future of SecOps with agentic AI!
Use Case Description:
One of the biggest time sinks for a SOC team is handling phishing emails. Analysts often spend hours extracting indicators, running reputation checks, and coordinating response actions across different tools. I’m proposing an MCP-based workflow that can streamline this process end-to-end.
When a suspicious email is submitted, the MCP server can:
Parse the message to extract URLs, attachments, and sender details. Automatically query threat intel sources (VirusTotal, Safe Browsing, internal IOC feeds) to score the risk. Compare findings against historical phishing attempts to identify patterns. If confirmed malicious, trigger automated actions such as blocking the sender domain, adding firewall rules, or isolating an affected endpoint. The SOC analyst remains in the loop: they receive a concise summary of the analysis, with recommended next steps, and can approve or adjust before actions are applied.
Thanks.
Hi @CyberChamp Great use case and thanks for sharing with the Community. We would love to see how you do this. Add a few screenshots or a video to complete the challenge. Thanks!
It’s the last week to submit your MCP Challenge entries. Challenge ends on August 29! We are excited to see how you’re using MCP Servers.
It’s the last week to submit your MCP Challenge entries. Challenge ends on August 29! We are excited to see how you’re using MCP Servers.
In the last few weeks, I've had to focus on other priorities, so let's see what I can do in a week. Challenge accepted!👾
Customizing runbooks for fun and speed
My context
After discovering SecOps MCPs through DanDye, I was eager to test them in a real-world BEC investigation. I was immediately impressed by their potential and realized I had barely scratched the surface of what's possible. However, it also became clear that the automated analyses weren't always perfectly accurate. This was expected, so I adopted a more hands-on approach: before an agent ran a UDM query on the SIEM, I would review and modify it on the fly to ensure we were getting the best possible results.
The limit
This "on the fly" approach is effective from a tactical point of view because it allows me to slightly model the queries the agent would run at runtime, but strategically speaking, it's rather inefficient because each time I would have to modify the queries and provide specific instructions.
My response to “the limit”
I decided to refine DanDye's agent runbooks (https://github.com/dandye/adk_runbooks/tree/main/rules-bank/run_books) to create a collaborative starting point for our team (I know, nothing extraordinary, sorry). The perfect test bed for this was the recurring issue of inbox rule analysis, which always required manual query modifications. So, I decided to create a dedicated runbook to investigate inbox rules more effectively.
Knock knock, who’s there? My limits
So, I started to browse through the documentation (https://dandye.github.io/adk_runbooks/), but various priorities at work took over and I couldn't dedicate the necessary time to it.
So what?
Here I was, on the evening of August 27, 2025 (though I’m actually writing this at 01:28 AM on the 29th), picking up my notes and ideas again. I spun up the ADK web from my local terminal, ready to have some fun. My goal remained the same: creating a dedicated runbook for searching and analyzing a user's inbox rules.
So, I took inspiration from the base runbook rules-bank/atomic_runbooks/user/rb_user_search_login_activity_chronicle.md. I began to analyze its sections, modifying them to fit my needs. In the meantime, I paused to reflect on whether to create an atomic runbook or a normale one. As I was thinking, I noticed the Type a Message... prompt among my open windows, on the tab pointing to http://127.0.0.1:8000/dev-ui/?app=manager. (For those who haven't figured it out, that's the local ADK web interface).
Seeing that simple prompt sparked an idea. I was deep into a manual, almost tedious process of analyzing sections and modifying text, but the solution for a better workflow was staring me right in the face. Why was I trying to manually build something when I could collaborate with the system to create it? My entire approach shifted in that instant. At this point, I decided to abandon the manual file editing and try creating the base of the runbook by interacting directly with the available agents.
Work smarter, not harder (At least, try to do it)
First of all, I verified that there were no specific runbooks (which I had already confirmed by their absence in the rules-bank folder). The manager confirmed that there was no specific runbook, but since the activity is related to a post-compromise event, it informed me that these types of searches are done in these two interconnected runbooks:
compromised_user_account_response.md.
phishing_response.md.
Despite this, it made itself available to proceed with the creation of a specific runbook:
To allow the agents to use the new runbook, I added the line (BASE_DIR / "../../../adk_runbooks/rules-bank/run_books/hunt_for_malicious_inbox_rules.md").resolve(), to the runbook_files list in the agent.py file for most of the agents (manager, soc_analyst_tier_2,soc_analyst_tier_3,threat_hunter).
This is how soc_analyst_tier_2 looks like right now:
Excerpt of soc_analyst_tier_2’s agent.py
It’s show time
I wasn't able to set up a test environment that I could use for this specific case, so I decided to retrieve the raw logs from a past event, censoring and modifying the data where necessary. After that, I prepared the following prompt to test the runbook:
As you can't do search for a given period, I'll give you some mock data to work on: - A log with the creation of an inbox rule which's nature is to be discovered. Log's information are available within the section ***LOG***. - The enriched source IP which result to be known for being the source of malicious activities. IP's information are available within the secion ***ENRICHED IP***. - Skip any lookup on the SIEM with the given IP as it won't be there.
Follow through the malicious inbox rule runbook and use the case ID 43948 as case of reference.
***BEGINNING OF ENRICHED IP*** ISP Telia Network Services Usage Type Fixed Line ISP ASN AS3301 Hostname(s) 81-235-15-164-no2340.tbcn.telia.com Domain Name telia.net Country Sweden City Angelholm, Skane Bad reputation Source of malicious activities ***ENDING OF ENRICHED IP***
Although I wasn't able to develop a runbook as complete and detailed as I had imagined, I am still quite satisfied with the results obtained. I hope this little post can be an inspiration to others and show how these tools are extremely versatile and supportive.
Thanks for this opportunity to learn and share, thanks to DanDye for the videos and the documentation, thanks to his team and to all the people working on these topics.
Automated Playbook Drift Detection & Dashboard for SecOps MCP
What I wanted to achieve: I wanted to tackle a real-world problem: configuration drift in security playbooks. Using the Google SecOps MCP Server, I built a solution that not only detects drifts but also makes it easy to visualize and respond to changes - helping teams stay sharp and compliant.
What did I end up building: A mock MCP server that serves multiple realistic playbooks (say, like phising, IAM, WAF, cloud storage, etc). Other than this I did build an automated drift detector and dashboard that checks for drift, generates reports and sends alerts. last but not the least, a web dashboard for instant visibility and one-click re-checks
Now, the main question, why? Manual playbook reviews are slow and error-prone. Drift can lead to missed incidents or outdated responses. So, I used a bit of AI to clarify doubts, brainstorm solutions and debug some tricky issues. This helped me iterate faster and reach a robust, creative result. My soluition automates drift detection, making it easy for any team to spot and fix issues before they create an issue. AI guidance was instrumental in shaping the architecture, improving error handling and making the dashboard user-friendly.
Screenshots: 1. When executing the playbook_detector.py file 2. When executing the mock_server.py file 3. How the dashboard looks like in the server created under the playbook_detector.py 4. How the dashboard looks like in the server created under the mock_server.py
@UNKN0WN006 and @masterdisruptor great submissions! and thanks for being a part of this challenge.
Community?! We still have time for more. Drop what you got here so we can see what you’re working on.
Great report @masterdisruptor ! Awesome to see how you built off of @DanDye runbooks.
@UNKN0WN006 very creative and useful example. Nice submission!
Hi Community! We are closing this challenge and will be voting on contest submissions. Be sure to get your thumbs out and start selecting the ones you like best. Look for another post soon that announces our winners!
