CIO Influence

Command Zero Accelerates SecOps Pipelines with APIs and MCP Server

New endpoints let Security Operations teams build their own tools and embed autonomous investigations into existing pipelines.

Command Zero released a broad set of API endpoints and a Model Context Protocol (MCP) server for its Autonomous & AI-Assisted SOC platform. Customers can now drive threat hunts and investigations, manage business context, and trigger remediation programmatically by connecting to Command Zero’s LLM-based agents.

“With aggressive growth in the availability of agentic SecOps capabilities, security leaders and architects are at an architectural juncture – facing a decision to either adopt agentic feature sets being added to existing security tools and platforms, or to instead invest in net-new autonomous SOC platforms – further increasing complexity to an already overwhelming SecOps tools environment. Command Zero is solving this architectural challenge, adding APIs and MCP server access to powerful autonomous investigation capabilities that can be woven into existing tools, workflows, and UI.”
— Dave Gruber, Principal Analyst, Cybersecurity, Omdia

SOCs consist of dozens of separate tools and need seamless connectivity between tools to overcome complexity. With API endpoints and MCP servers, customers can wire the Command Zero platform into their SOAR playbooks, orchestration pipelines, and internal tooling without waiting on vendor roadmaps. Technical alliance partners can build integrations in minutes.

“Opening Command Zero’s advanced investigation engine to developers changes what’s possible. Teams can now use advanced capabilities of the platform as the substrate for custom threat hunting frameworks, CTI-driven analysis, and bespoke tooling. The MCP server extends that to AI agents — which matters as agentic SecOps moves from pitch decks to day-to-day practice.”
— Richard Stiennon, Chief Research Analyst at IT-Harvest

What’s in the release

  • Investigation APIs. List, start, extend, update, and retrieve investigations against any investigation template.
  • Business context APIs. List, upload, and retrieve context at scale. Pull data in from ServiceNow, CTEM platforms, HR systems, and other sources — no manual console entry.
  • Catalog and schema APIs. Query entity types, data sources, and investigation templates to align external systems with the platform’s data model.
  • Remediation APIs. List remediation templates and execute remediation actions from external systems.
  • MCP server. A wrapper around the APIs that lets Claude and other MCP-compatible agents query Command Zero directly. Analysts can run health checks, list investigations, triage open cases, and build custom dashboards from an AI chat interface.

What customers can build

  • SOAR playbooks that start a Command Zero investigation the moment an alert fires, then feed upstream response data back into the case as it develops.
  • Custom threat hunting frameworks that ingest threat intelligence, generate hypotheses, deploy them as questions in Command Zero, and run autonomous hunts on a schedule.
  • Internal SOC dashboards built in Claude that summarize weekly activity, automation rates, and open investigations in natural language.
  • MSSPs syncing client business context across tenants automatically, instead of populating each environment by hand.

“The best security platforms are the ones teams can build on. This release puts Command Zero’s investigation engine in the hands of our customers and our technical alliance partners. They can wire us into their pipelines, extend us with their own flows, and connect us to the AI agents working collaboratively with their analysts. That is how a platform earns its place in the SOC. These APIs and MCP servers unlock a new class of joint solutions with our partners.”
— Dov Yoran, Co-founder and CEO, Command Zero
