Starting today all RunReveal customers can use our Model Context Protocol (MCP) server to explore their log data with the full power of their LLMs and MCP clients!

This integration represents a significant advancement in how security teams can leverage AI capabilities while maintaining strict data security standards and investigate their logs at speeds never seen before.

Since the computer was first invented we've collectively spent millions of hours squinting at data in our log files. We think that LLMs could save us tens of millions of hours in the future and RunReveal is excited to be the first security data platform with this functionality!

What's Model Context Protocol?

Model Context Protocol (MCP) is an open standard that is rapidly becoming the de-facto method for providing contextual resources, tools, and prompts to Large Language Models (LLMs). RunReveal implemented an MCP server which informs MCP clients (Claude, Cursor, etc) of RunReveal's capabilities and allows those clients to interface with it.

We opted to support MCP using our existing CLI because the RunReveal CLI already exposes all of our existing functionality. We made a new subcommand in our CLI, runreveal mcp, which runs a daemon that reads jsonrpc messages from stdin, and outputs jsonrpc messages to stdout.

Most MCP implementations you see today are opting for a local MCP server. The reason for this is MCP is only a few months old and MCP client support for remote MCP servers is still pretty early.

We expect support for remote MCP servers to improve over the next year and the future architecture to make more use of remote MCP servers.

Why is this important to security teams?

The benefits of MCP with security logs are immediately obvious. Humans can take a lot of time to learn about the structure of the data and formulate syntactically correct queries. LLMs can do exactly the same log exploration process that we do, except significantly faster.

This video is sped up but the total time of recording was just a couple minutes, without needing to know the structure of the logs or what data had been collected. These same questions might take an analyst an entire afternoon or longer to answer.

All RunReveal functionality will be supported by the MCP server in the near future but search and a few other platform basics seemed like the most obvious place to start. Making new detections, managing resources, and creating new dashboards from an MCP client will be supported very soon.

RunReveal is the ideal solution for the future of security data

RunReveal stands out as the most efficient and most powerful platform for making use of LLMs and MCP clients alongside your logs.

We currently use ClickHouse as our underlying database and allow our customers to use our datastore, host their own ClickHouse cluster, or bring their own from ClickHouse cloud. The speed and scalability of ClickHouse makes querying your logs incredibly fast at any scale, and the ability to self-host your own ClickHouse cluster means that you can keep tight controls over your cluster's compute and search costs, even when running tons of additional queries.

The data pipeline features that RunReveal provides means that the data the LLM can search is fully enriched, normalized, and can be sorted into high-signal and low-signal log streams prior to being saved. The data we store is good clean data that LLMs and analysts alike can easily understand when they look at it.

Lastly, RunReveal's setup only takes 10-15 minutes so there's no reason you can't have this capability today or use it for just a subset of your logs!

What's next

At RunReveal, we believe that as AI technology matures, the most valuable security products will be those with the best data models and cleanest data. That's why we're betting big on the future of SIEM having all the components you need in one simple package.

This approach prioritizes data quality, accessibility, and security and we have a ton more to announce over the next 30 days related to these three topics! You'll want to stay tuned to see what we announce next week!

Want to get in touch with us? Fill out this form if you'd like to see a demo from one of our founders. If you'd like to keep up with what RunReveal releases next then drop your email below. If you'd like to try the product then sign up now.