CHRONIKOS
Chronikos MCP  /  for Wazuh

Run your SIEM in plain language.

Chronikos MCP connects Wazuh to your AI assistant through the Model Context Protocol — 87 security tools across 21 domains: alerts, vulnerabilities, threat hunting, compliance, MITRE ATT&CK, active response and more. Triage, hunt and report without leaving the chat. Your credentials never leave your environment.

87 SOC tools · 21 domain modules · 8 guided workflows · 100% on-prem, bring your own credentials
// Coverage

One assistant. Your entire Wazuh stack.

Every module maps to real SOC work — read-only visibility to start, full remediation and automation when you're ready.

[alerts]

Alerts & Triage

Summaries, MITRE mapping, IoC pivots, brute-force detection, anomaly baselining.

[vuln]

Vulnerabilities

Fleet-wide CVE posture, per-agent detail, patch queues ranked by exposure.

[hunt]

Threat Hunting

Lateral movement, persistence, and data-exfiltration hunts across agents.

[ir]

Incident Response

Kill-chain timelines, blast-radius analysis, structured incident reports.

[comp]

Compliance

PCI-DSS, HIPAA, GDPR, NIST 800-53 and TSC (SOC 2 Trust Services Criteria) posture, drill-down and reports.

[fim]

File Integrity

FIM events, critical-path monitoring, aggregated change summaries.

[fleet]

Fleet Inventory

Packages, processes, ports and hardware across every agent in seconds.

[detect]

Detection Engineering

Rule search, coverage testing, MITRE gap analysis, noise scoring.

[respond]

Active Response

Block IPs, isolate agents, verify automated containment actually worked.

[soar]

SOAR & Ticketing

Jira and TheHive cases, Slack notifications, email reports — on autopilot.

[intel]

Threat Intel

VirusTotal and AbuseIPDB enrichment, GeoIP, file-hash reputation.

[health]

Cluster Health

Node and indexer health, silent event-loss detection from queue pressure.

// Plans

Start free. Scale when it earns its keep.

Free tier is full read-only monitoring. Pro unlocks the work a SOC team won't do by hand — actions, automation, hunting and reporting. Team adds multi-tenant control for MSSPs.

Community
Free
For analysts and homelabs putting AI on top of Wazuh.

  • Alert search, summaries & MITRE mapping
  • Vulnerability & CVE visibility
  • FIM, SCA & fleet inventory
  • Rule & decoder search
  • Cluster & indexer health
  • Single Wazuh instance
  Not included (Pro and above):
  • Write actions & automation
  • Threat hunting & intel
  • SOAR / ticketing integrations
Get started →
Pro
$29 / user · mo
For SOC teams that want AI to act, not just observe.

  • Everything in Community
  • Active response — block IPs, isolate agents
  • Threat hunting & IoC enrichment
  • Full compliance reporting (PCI/HIPAA/GDPR/NIST)
  • Detection engineering & rule testing
  • Incident response & archive forensics
  • SOAR: Jira, TheHive, Slack, email
  • 8 guided one-command workflows
  • Email support · 48h
Start 14-day trial →
Team / MSSP
$249 / mo
For providers running many client environments.

  • Everything in Pro
  • Multi-tenant — unlimited Wazuh instances
  • Role-based access control (RBAC)
  • SSO & full audit logging
  • On-prem / air-gapped licensing
  • White-label option
  • Priority SLA & guided onboarding
Talk to us →
// Deploy

Live in minutes. Yours to keep.

Ships as a hardened Docker container. Runs beside your Wazuh manager on your own network — your API credentials stay in your environment and never touch ours.

deploy.sh
# 1 — configure your Wazuh connection
cp env.example .env        # set WAZUH_HOST and the indexer credentials

# 2 — launch
docker compose up -d

# 3 — verify the MCP endpoint (an SSE stream stays open, so cap the wait)
curl -si -m 5 http://localhost:8000/sse | head -3
# first line expected:
# HTTP/1.1 200 OK

# 4 — connect your AI client and start asking:
#  "Give me a 24-hour alert summary and flag anything tied to MITRE T1110."
Security first

Dedicated read-only API accounts. Write actions are disabled by default and gated behind an explicit flag; enforce the read-only account on the Wazuh side with RBAC as well, so the manager refuses writes even if that flag is ever flipped. TLS-ready, and nothing requires inbound exposure to the internet. Built by practitioners who run Wazuh in production every day.
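The "dedicated read-only API account" above is something you provision on the Wazuh manager, not in the container. The script below is an added example (not Chronikos code) that does it with the Wazuh 4.x RBAC endpoints (/security/policies, /security/roles, /security/users) and then logs in as the new user to prove a read succeeds and a write is refused. The action list, the names chronikos-readonly / chronikos-ro, and the environment variables WAZUH_API, WAZUH_ADMIN_PASS and CHRONIKOS_RO_PASS are this example's own assumptions; check the action names against the RBAC reference for your Wazuh version before applying. The indexer needs its own read-only user via the OpenSearch security plugin, which this script does not cover.

```python
"""Provision a dedicated read-only Wazuh API user for an MCP server.

Added example, not Chronikos code. Targets the Wazuh 4.x manager RBAC API.
The action list is an assumption: compare it with the RBAC reference for
your Wazuh version before applying.
"""
import base64
import json
import urllib.error
import urllib.request

# Actions the read-only (Community-tier) modules need on the manager API.
# Alert/vulnerability search goes to the indexer, which is provisioned separately.
READ_ONLY_ACTIONS = [
    "agent:read", "group:read", "vulnerability:read", "syscheck:read",
    "syscollector:read", "sca:read", "rules:read", "decoders:read",
    "lists:read", "cluster:read", "cluster:status", "manager:read",
    "mitre:read",
]

# Only these verbs may appear on the monitoring identity. Active response,
# agent restart/upgrade and config changes belong to a separate account that
# is wired up only when write actions are deliberately enabled.
READ_VERBS = {"read", "status"}


def is_read_only(actions):
    """True only if every action ends in a read/status verb, e.g. "agent:read"."""
    return all(a.rsplit(":", 1)[-1] in READ_VERBS for a in actions)


def read_only_policy(name="chronikos-readonly"):
    """Body for POST /security/policies; refuses to emit a write-capable policy."""
    if not is_read_only(READ_ONLY_ACTIONS):
        raise ValueError("policy contains non-read actions")
    return {
        "name": name,
        "policy": {
            "actions": READ_ONLY_ACTIONS,
            "resources": ["*:*:*"],  # every agent/group/file/node, read only
            "effect": "allow",
        },
    }


def _call(api, method, path, token=None, basic=None, body=None, ctx=None):
    """One Wazuh API request. Returns (http_status, parsed_json)."""
    req = urllib.request.Request(api + path, method=method)
    if basic:
        req.add_header("Authorization", "Basic " + base64.b64encode(basic.encode()).decode())
    if token:
        req.add_header("Authorization", "Bearer " + token)
    data = None
    if body is not None:
        req.add_header("Content-Type", "application/json")
        data = json.dumps(body).encode()
    try:
        # ctx=None validates the manager's TLS cert against the system store; for a
        # self-signed cert pass ssl.create_default_context(cafile="root-ca.pem").
        with urllib.request.urlopen(req, data=data, timeout=15, context=ctx) as r:
            return r.status, json.loads(r.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def _login(api, user, password, ctx=None):
    _, auth = _call(api, "POST", "/security/user/authenticate",
                    basic=f"{user}:{password}", ctx=ctx)
    return auth["data"]["token"]


def verify_read_only(api, username, password, ctx=None):
    """As the new user: a read must return 200 and a write must be refused (403)."""
    tok = _login(api, username, password, ctx)
    read_status, _ = _call(api, "GET", "/agents?limit=1", token=tok, ctx=ctx)
    # Probe a write against a group that does not exist: even if RBAC were
    # misconfigured nothing real is deleted, and a correct setup answers 403.
    write_status, _ = _call(api, "DELETE", "/groups?groups_list=chronikos-rbac-probe",
                            token=tok, ctx=ctx)
    return read_status == 200 and write_status == 403


def provision(api, admin_user, admin_pass, username, password, ctx=None):
    """policy -> role -> bind -> user -> bind, then prove the user cannot write."""
    tok = _login(api, admin_user, admin_pass, ctx)
    _, p = _call(api, "POST", "/security/policies", token=tok, body=read_only_policy(), ctx=ctx)
    policy_id = p["data"]["affected_items"][0]["id"]
    _, r = _call(api, "POST", "/security/roles", token=tok, body={"name": "chronikos-readonly"}, ctx=ctx)
    role_id = r["data"]["affected_items"][0]["id"]
    _call(api, "POST", f"/security/roles/{role_id}/policies?policy_ids={policy_id}", token=tok, ctx=ctx)
    # Wazuh requires 8-64 characters with upper, lower, digit and symbol.
    _, u = _call(api, "POST", "/security/users", token=tok,
                 body={"username": username, "password": password}, ctx=ctx)
    user_id = u["data"]["affected_items"][0]["id"]
    _call(api, "POST", f"/security/users/{user_id}/roles?role_ids={role_id}", token=tok, ctx=ctx)
    return verify_read_only(api, username, password, ctx)


if __name__ == "__main__":
    import os, sys
    ok = provision(os.environ["WAZUH_API"], "wazuh", os.environ["WAZUH_ADMIN_PASS"],
                   "chronikos-ro", os.environ["CHRONIKOS_RO_PASS"])
    sys.exit(0 if ok else 1)
```

Put the resulting chronikos-ro credentials in .env for the container and keep the admin credentials out of it entirely; the final verification step is the check worth re-running after every Wazuh upgrade, since a policy that silently gains a write action is exactly the failure the explicit-flag gate cannot catch.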