Command Zero introduced a wide range of APIs and an MCP server for its Autonomous and AI-assisted SOC platform, enabling customers to run threat hunts, conduct investigations, manage business context, and initiate remediation programmatically through its LLM-powered agents.
“With aggressive growth in the availability of agentic SecOps capabilities, security leaders and architects are at an architectural juncture – facing a decision to either adopt agentic feature sets being added to existing security tools and platforms, or to instead invest in net-new autonomous SOC platforms – further increasing complexity to an already overwhelming SecOps tools environment. Command Zero is solving this architectural challenge, adding APIs and MCP server access to powerful autonomous investigation capabilities that can be woven into existing tools, workflows, and UI.”
— Dave Gruber, Principal Analyst, Cybersecurity, Omdia
SOCs consist of dozens of separate tools and need seamless connectivity between tools to overcome complexity. With API endpoints and MCP servers, customers can wire the Command Zero platform into their SOAR playbooks, orchestration pipelines, and internal tooling without waiting on vendor roadmaps. Technical alliance partners can build integrations in minutes.
What’s in the release
- Investigation APIs. List, start, extend, update, and retrieve investigations against any investigation template.
- Business context APIs. List, upload, and retrieve context at scale. Pull data in from ServiceNow, CTEM platforms, HR systems, and other sources — no manual console entry.
- Catalog and schema APIs. Query entity types, data sources, and investigation templates to align external systems with the platform’s data model.
- Remediation APIs. List remediation templates and execute remediation actions from external systems.
- MCP server. A wrapper around the APIs that lets Claude and other MCP-compatible agents query Command Zero directly. Analysts can run health checks, list investigations, triage open cases, and build custom dashboards from an AI chat interface.
What customers can build
- SOAR playbooks that start a Command Zero investigation the moment an alert fires, then feed upstream response data back into the case as it develops.
- Custom threat hunting frameworks that ingest threat intelligence, generate hypotheses, deploy them as questions in Command Zero, and run autonomous hunts on a schedule.
- Internal SOC dashboards built in Claude that summarize weekly activity, automation rates, and open investigations in natural language.
- MSSPs syncing client business context across tenants automatically, instead of populating each environment by hand.
“The best security platforms are the ones teams can build on. This release puts Command Zero’s investigation engine in the hands of our customers and our technical alliance partners. They can wire us into their pipelines, extend us with their own flows, and connect us to the AI agents working collaboratively with their analysts. That is how a platform earns its place in the SOC. The APIs and MCP server unlock a new class of joint solutions with our partners.”
— Dov Yoran, Co-founder and CEO, Command Zero
What’s next
The current release covers the core surface customers need to start building. More API endpoints will follow, shaped by anchor customers’ and partners’ feedback. Command Zero will also publish sample integrations and reference implementations in the weeks following the launch.
To learn more about Command Zero’s APIs and MCP server, and how they enable SecOps teams to build tools and automate investigations within existing pipelines, visit the Command Zero website.