Install the Spyderbat MCP Server

Model Context Protocol (MCP) server for LLMs to interact with Spyderbat's API, enabling AI assistants to search, query, and manage Spyderbat resources.

What is MCP?

The Model Context Protocol (MCP) lets AI assistants interact with external tools and data. The Spyderbat MCP server exposes tools for searching, investigating, and managing your Spyderbat environment through natural language.

Prerequisites

Before configuring the Spyderbat MCP server, you'll need:

A Spyderbat account with API access
A valid API key (How to create one)
An MCP-compatible client (Claude Code, Cursor, Windsurf, or VS Code with Cline/Continue)

API Key Security

The Spyderbat MCP server authenticates via API key in the Authorization header (OAuth is not currently supported). Keep these guidelines in mind:

API keys inherit the permissions of the user who created them — treat them like passwords
Never commit keys to version control — store config files outside your repo or add them to .gitignore
For Claude Code, use -s user to store the configuration in ~/.claude/ rather than the project directory
Rotate keys regularly via the Spyderbat console

Quick Start

Pick your client below, or use one-click install:

Claude Code (one command, no file editing):

claude mcp add --transport http -s user spyderbat https://api.spyderbat.com/mcp/v1/mcp --header "Authorization: Bearer <your-api-key>"

Other clients — see Client Configuration for Cursor, Windsurf, VS Code, and MCP Inspector.

After setup, restart your client and try: "List my Spyderbat organizations"

One-Click Install

Install directly in your editor:

Note: You'll be prompted to enter your Spyderbat API key during installation. Create an API key if you don't have one.

MCP Server Endpoints

The Spyderbat MCP server is deployed at the following endpoints:

US Region: https://api.spyderbat.com/mcp/v1/mcp
Mumbai Region: https://api.mum.prod.spyderbat.com/mcp/v1/mcp

All examples below use the US endpoint. Replace the URL if your organization is in the Mumbai region.

Client Configuration

Run the following command to add the Spyderbat MCP server:

claude mcp add --transport http -s project spyderbat https://api.spyderbat.com/mcp/v1/mcp --header "Authorization: Bearer <your-api-key>"

Use -s project for project-scoped config, or -s user for global config stored in ~/.claude/.

After adding the server, restart Claude Code for the changes to take effect.

Verify the connection:

> List my Spyderbat organizations

Add the following to your Cursor MCP settings (Settings > MCP):

{
  "mcpServers": {
    "spyderbat": {
      "url": "https://api.spyderbat.com/mcp/v1/mcp",
      "transport": "streamable-http",
      "headers": {
        "Authorization": "Bearer <your-api-key>"
      }
    }
  }
}

transport must be "streamable-http".

After saving, restart Cursor for the changes to take effect.

Add the following to ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "spyderbat": {
      "serverUrl": "https://api.spyderbat.com/mcp/v1/mcp",
      "transport": "streamable-http",
      "headers": {
        "Authorization": "Bearer <your-api-key>"
      }
    }
  }
}

Note: Windsurf uses serverUrl instead of url — copy-pasting from Cursor/VS Code configs won't work.

After saving, restart Windsurf for the changes to take effect.

In VS Code, open Cline settings and add the MCP server configuration:

{
  "cline.mcpServers": {
    "spyderbat": {
      "url": "https://api.spyderbat.com/mcp/v1/mcp",
      "transport": "streamable-http",
      "headers": {
        "Authorization": "Bearer <your-api-key>"
      }
    }
  }
}

After saving, reload VS Code for the changes to take effect.

Example Prompts

The AI uses onboard, prime, and search_docs to learn available tools, schemas, and query syntax automatically. You can prompt conversationally and the AI translates your intent into API calls. For search schema and operator details, see the Search Reference.

Here's a realistic triage session:

Orient — "Get up to speed on Spyderbat. What tools do you have?" Calls onboard and prime to learn available tools and investigation workflows.
Check access — "What organizations do I have access to?" Calls list_organizations, returns org names and UIDs.
Triage — "Find the highest-scoring Spydertraces from the last 24 hours." Searches model_spydertrace for score > 50, sorted descending. Traces bundle related processes, connections, and red flags into scored units — your triage queue.
Investigate — "Dig into the top trace. What processes ran, what connections were made, and what triggered it?" Calls get_trace_contents to pull processes, connections, and red flags linked to that trace. Walks the process tree via ppuid to show parent-child relationships.
Attribute — "Where did that external connection come from? What pod and namespace?" Searches model_connection by IP, resolves pod_uid via get_objects to get pod name, namespace, and node.
Resolve — "That's a health probe — suppress it for this cluster." Calls suppress_trace with preview=true to generate a suppression policy, then applies it scoped to the cluster after you confirm.

Example Conversation

User: Find high-severity red flags in the prod-k8s cluster from the last 24 hours

AI: I'll search event_redflag with:
    severity = "high" and cluster_name = "prod-k8s"
    start_time = "-24h"

Found 3 results:
- root_shell (MITRE TA0004.T1548) in namespace "payments" — score 82
- ssh_inside_container_detection (MITRE TA0008.T1021) in namespace "backend" — score 67
- nonk8s_container_detection (MITRE TA0005.T1610) in namespace "monitoring" — score 31

User: The nonk8s_container_detection in monitoring — what's the process tree?

AI: Process lineage via ppuid:
    systemd → containerd-shim → bash → curl 127.0.0.1:8080/healthz
    This is a Kafka health check probe hitting localhost, not a suspicious container.

User: Suppress it for the monitoring namespace.

AI: Previewing suppression policy scoped to namespace "monitoring"...
    [shows policy preview, warnings, and scope]
    Apply? (yes/no)

Context Window Usage

Broad searches can return large result sets that consume context window tokens. To keep responses useful, narrow time ranges, use specific filters, and ask the AI to summarize rather than dump all results.

Troubleshooting

401 Unauthorized

Verify your API key is valid and not expired
Check that the Authorization header format is exactly: Bearer <your-api-key>

Connection Timeout

Check that your network can reach api.spyderbat.com
Verify the endpoint URL matches your organization's region

Tools Not Appearing

Restart your MCP client after configuration changes
For Claude Code: exit and restart the CLI
For Cursor: fully restart the application

Empty Search Results

If searches return no data, walk through this debugging flow:

Verify org access — ask: "List my organizations" and confirm the UID matches
Widen time range — ask: "What is the current time?" (uses get_current_time) and check that your search window includes recent data
Check schema — ask: "List available search schemas for my org" to confirm the schema exists
Check permissions — verify your API key has access to the target organization

Getting Help

If you encounter issues not covered here, check the Spyderbat documentation or contact support.

Video Walkthrough

Watch a demonstration of the Spyderbat MCP server in action: https://www.loom.com/share/1ba8c96999484d20a8f5b831c07cff6a

Last updated 5 days ago

Was this helpful?

hashtagWhat is MCP?

hashtagPrerequisites

hashtagQuick Start

hashtagOne-Click Install

hashtagMCP Server Endpoints

hashtagClient Configuration

hashtagExample Prompts

hashtagExample Conversation

hashtagTroubleshooting

hashtag401 Unauthorized

hashtagConnection Timeout

hashtagTools Not Appearing

hashtagEmpty Search Results

hashtagGetting Help

hashtagVideo Walkthrough