In today's rapidly evolving digital landscape, large language models (LLMs) are transforming how we interact with data and perform tasks. But what if you could extend the power of these LLMs to directly interact with your Netskope security platform to integrate with your existing workflows?
Netskope is releasing a preview of the Model Context Protocol (MCP) server for demonstration purposes! Once released as part of Netskope One Platform, the Netskope MCS server will allow popular LLMs, such as Anthropic Claude Models, Microsoft Azure Foundation Models, Amazon Bedrock Foundation Models, and Google Foundation (Gemini) Models, to leverage Netskope platform tools and combine your vital Netskope security data and controls with your other security data and controls.
What is the Netskope MCP server?
The Netskope MCP server acts as a bridge, connecting your LLMs to Netskope Management APIs. Whether running locally on your desktop or in the cloud, this server empowers your LLMs to gain context from your Netskope environment, leading to more insightful analysis and automated workflows.
The self-hosted preview of Netskope MCP server provides the default ability to query the following Netskope data collections:
-
Data Search API Collection
- Application events, including CASB, SWG, NPA, DLP, and more
- Page events, including secure web gateway and risk insights
- Network events, including Network Private Access and Cloud Firewall
- Client events, or device data collection
- Alerts
- DLP Incidents
-
CCI: Cloud Confident Index API collection
-
Incidents API Collection, to read and manipulate incidents
Transform your security operations with example prompts
This preview of the Netskope MCP server comes equipped with several example prompts to get you started, which you can easily modify to suit your specific needs:
- Client version analysis: Helps corporate device/desktop management teams identify non-compliant clients and plan necessary updates.
- Incident analysis: Assists in incident investigations and DLP practitioners in performing deep analysis of DLP incidents, providing executive summaries, and recommending further investigation or improvements.
- Incident status analysis: Enables incident managers to pinpoint bottlenecks and optimize incident resolution performance.
- Insider risk analysis: Helps security administrators prioritize users exhibiting Insider Risk patterns for expedited investigation.
- User Activity Analysis: Helps to deep dive into your users’ various types of risky activities that was identified by Netskope Platform
- Application Activity Analysis: Helps to deep dive into various risky cloud applications and risky websites identified by Netskope in your environment.
You can further experiment with it in a demo environment and configure the MCP Server for other API collections as well, e.g. platform, policies, etc. For more information, refer to the command line arguments to the docker image given below.
See the Netskope MCP server in action
- Perform user risk investigation to prioritize alerts
- Investigate a DLP incident and generate an executive summary
- Perform client version analysis to inform remediation
The Evolving Landscape of LLM Integrations
As large language models (LLMs) continue to gain popularity and become adopted in enterprise settings, there's a growing demand for standardized and secure ways to leverage them for optimizing corporate workflows. Model Context Protocol (MCP), while still in its early stages, is emerging to address this need. LLM providers and standards bodies are actively working to formalize how to safely and effectively employ MCP technology. Industry leaders such as Amazon and Microsoft are already paving the way with architectural recommendations for augmenting their LLMs with custom MCP servers. We encourage you to monitor this space closely as it evolves and consider how this technology can be securely incorporated into your operations. For more guidance on how to run an MCP server securely, please refer to the “What is MCP Server?” article.
Claude Desktop Proof of Concept Instructions:
Ready to kick the tires with this technology? Here’s how to quickly set up and connect the preview Netskope MCP Server from your computer with Claude Desktop:
- Fetch Netskope API Credentials:
From your Netskope Admin Console, obtain an API V2 Token. Ensure it has access to all six datasearch APIs: Application, Page, Alert, Incident, Client, and Network, plus CCI and Incidents.
Set these credentials as environment variables in a .env file or pass through command line or credential vaults:
API_TOKEN=api-token-goes-here
BASE_URL=https://your-tenant-name-goes-here.goskope.com
- Optionally, you can also set:
ROW_LIMIT=50 #(default is to pull 50 rows at a time)
TIMEOUT=180 #(default is 180 seconds before timeout)
- Run the Netskope MCP Server Docker Container:
- Pull the Netskope MCP Server Docker Container from Docker Hub. To get access to the docker image, please contact Netskope Support or your Netskope Account Representative. If you need Docker and Docker Desktop, get it here. Also, you can run this in an isolated containerized environment for additional security.
docker pull notifyanand/netskope_mcp_server:v0.6_multiplatform
- Run it locally on port 8888 or any port of your choice
docker run -p 8888:8888 --env-file .env notifyanand/netskope_mcp_server:v0.6_multiplatform
- Optionally you can control what API sets to load to the MCP server using the below command line option. By default “events, incidents, cci” gets loaded to the MCP server. For optimal results, load only a few required API sets at a time that is required for your experimentation.
--api-specs "adem, atp, casbapi, cci, dem, drm, enrollment, events, forwardproxy, incidents, infrastructure, nsbrowser, nsiq, platform, policy, profiles, rbac, scim, services, spm, steering, ubadatasvc, uebabreach, users"
Use this command to find out the latest supported API sets:
docker run -p 8888:8888 --env-file .env notifyanand/netskope_mcp_server:v0.6_multiplatform python src/NetskopeToolsFromOpenAPI.py --help
- Connect Netskope MCP Server to Claude Desktop:
- Install Claude Desktop for your operating system. We recommend using Claude 4.0 Pro or Enterprise Edition for a larger context window and enhanced data privacy controls. The free version of Claude does not support MCP Servers.
- Install the “npx” command from npmjs.
- Insert the MCP Server configuration into the Claude Desktop Configuration file (create this file if it does not exist). For Mac you can find this file here `$HOME/Library/Application Support/Claude/claude_desktop_config.json` (instructions for other OS):
{
"mcpServers": {
"NetskopeTools": {
"command":"npx",
"args":a
"-y",
"mcp-remote",
"http://127.0.0.1:8888/mcp",
"--allow-http",
"--transport http-first",
"--debug"
]
}
}
}
- Now, simply open or restart Claude Desktop. You should see the Netskope Tools and Prompts listed under the 'Search and tools' icon, right below the Prompt Box.
| Tools | Prompts |
Troubleshooting Tip: If you encounter any issues, check the Claude Desktop logs here for Mac `$HOME/Library/Logs/Claude` or refer troubleshooting tips.
Once set up, you can start using the provided example prompts or modify them to fit your specific needs.
Connecting to Other LLMs
The Netskope MCP Server isn't limited to Claude Desktop. You may be able to connect it to:
- Microsoft Copilot Studio: Check Microsoft instructions: https://learn.microsoft.com/en-us/microsoft-copilot-studio/agent-extend-action-mcp
- Amazon Bedrock: Check Amazon instructions: https://aws.amazon.com/blogs/machine-learning/unlocking-the-power-of-model-context-protocol-mcp-on-aws/
The Netskope MCP server is a powerful tool designed to bring context and deeper insights from your security data directly into your LLM workflows. This preview version of it is not meant for production use, but will allow you to experiment some of the capabilities in a demo environment. Give it a try and experience the future of security analysis and management.
