Security Operations with RunReveal's MCP Server

Last Thursday, we released a RunReveal Model Context Protocol (MCP) Server. We knew it had the potential to be good, but we didn't anticipate that it would be this good. Since we released it, we have received numerous customer success stories, so we wanted to share some real-world experiences from the future of log analysis.
The immediate success stories came as a bit of a surprise to us. We expected some pretty cool use cases, but thought it might take additional work to make the server faster or more user friendly, or to make better use of the context window. Instead, it was an immediate success.
RunReveal paired with a reasoning model like Claude enables analyzing logs 100x more quickly while retaining accuracy, and with clear explanations. The craziest bit? That multiple is far from an exaggeration; if anything, it is an underestimate. That's a fairly large claim, so here are some specific examples worth sharing!
Threat Hunting with Cursor
One customer had questions about their AWS account and wondered whether everything was operating the way they expected. They prompted with the following:
in runreveal, tell me the AWS principals that have tried to assume roles and failed over the last two weeks more than 100 times
You can see that the agent queries the RunReveal MCP server a half dozen times to find what it is looking for. In our experience, LLMs will break a task down into 6-10 small queries and keep the results in their context window, instead of formulating 1-2 big queries, which keeps costs low and responses fast.
What we've seen is that the LLM does a fantastic job of turning an arbitrary question into a complete answer in only a few seconds. Security logs hold answers to an infinite number of questions that compliance, detection & response, engineering, and other orgs are wondering about, but most don't have the time or know-how to ask the logs for those answers with traditional query languages. Who can keep the hundreds of schemas from dozens of SaaS vendors in their head all the time? Only an LLM can.
The short CSV produced gives our customer a short to-do list for hunting down broken infrastructure, and the best part is that the entire process only cost the 60 seconds they waited for the answer.
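For readers who want to see what the agent's queries boil down to, here is the same hunt written out by hand as an added example; it is not RunReveal's code and does not use RunReveal's normalized schema. It assumes raw CloudTrail-style field names (eventName, errorCode, userIdentity.arn), a fixed clock, and a constructed sample of events.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 5, 15, tzinfo=timezone.utc)  # fixed clock for reproducibility


def make_events(arn, count, days_ago, error_code=None):
    """Build `count` constructed CloudTrail-style AssumeRole records for one
    principal, spaced one minute apart, starting `days_ago` days before NOW."""
    start = NOW - timedelta(days=days_ago)
    events = []
    for i in range(count):
        ev = {
            "eventTime": (start + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventName": "AssumeRole",
            "userIdentity": {"arn": arn},
        }
        if error_code:
            ev["errorCode"] = error_code  # CloudTrail sets this only on failed calls
        events.append(ev)
    return events


# Constructed sample data, not real logs: one noisy principal, one quiet one,
# one whose failures are older than the window, plus successful calls.
SAMPLE_EVENTS = (
    make_events("arn:aws:iam::111122223333:user/ci-runner", 150, 3, "AccessDenied")
    + make_events("arn:aws:iam::111122223333:role/deployer", 20, 1, "AccessDenied")
    + make_events("arn:aws:iam::111122223333:user/old-batch", 200, 30, "AccessDenied")
    + make_events("arn:aws:iam::111122223333:user/ci-runner", 500, 2)
)


def failed_assume_role_principals(events, threshold=100, days=14, now=NOW):
    """Count failed AssumeRole calls per principal inside the lookback window
    and return {arn: count} for those strictly above `threshold`."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for ev in events:
        if ev.get("eventName") != "AssumeRole" or "errorCode" not in ev:
            continue  # successful calls and other APIs are ignored
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if ts.replace(tzinfo=timezone.utc) < cutoff:
            continue  # outside the two-week window
        counts[ev.get("userIdentity", {}).get("arn", "<unknown>")] += 1
    return {arn: n for arn, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for arn, n in failed_assume_role_principals(SAMPLE_EVENTS).items():
        print(f"{arn}: {n} failed AssumeRole calls in the last 14 days")
```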
GuardDuty Alert Investigation
Another really cool use case that a customer forwarded to us was a deep-dive video of an investigation they did into a GuardDuty alert. They received an alert about anomalous behavior in one of their K8s containers and wanted to look into it seriously.
The investigation was as simple as copy-pasting the alert into Claude and asking for a report about the finding, written the way a security analyst would write it. It took less than a minute, and the result gave our customer information about:
- Exactly what commands were run in the container.
- Who ran the commands and when.
- Additional context about the user's IP address, correlated with other behavior of that user.
- Enough information to conclude that nothing seemed malicious or worrying based on what was run.
This is a real screen grab from the video that the customer sent us (and consented to us sharing). Most of us have had incidents where we struggled to query and then piece together specific details of an alert over the course of hours. The true super-power of LLMs is being able to collect all of that data into a context window quickly and summarize exactly the key points.
Alert testing and tuning
Most mature detection and response teams write dozens of their own detections. This takes tuning and expert knowledge of the logs you're collecting, and crafting good detections can be a time-consuming art.
In this case our customer wanted a second opinion on one of the detections they had written: what to make of its results, and whether there was anything they could improve about it.
Claude's analysis looked at the findings and false positives, recommended tuning options, and gave an easy-to-understand overview of what the detection had triggered on, all in under a minute.
Doing this analysis by hand would take an entire afternoon to collect the data and tune the detection. On top of that, analyzing individual false positives and understanding why they occur can take even longer. An LLM instantly recognizes specific processes as belonging to Adobe or as important Mac system processes, whereas for most detection engineers that would, once again, be manual research.
If you multiply this tuning effort across dozens of detections and alerts it's easy to see why so many detection & response teams feel overworked and underwater with alert fatigue!
Thoughts on what's next…
Not every security data platform can enable these use cases. RunReveal takes great care to normalize and enrich the data we collect on ingest, and to store that data in a format that is easy for LLMs to understand while being fast to query. We provide an architecture where the kinds of questions our customers ask don't incur a significant compute cost on the underlying data platform.
These investigations cost pennies to run, which is a massive leap forward from the status quo 5 years ago, when stories of accidental $5000 Athena queries weren't uncommon. These customer stories were eye-opening and inspired us, so we are planning to announce some additional big improvements to our MCP offering in the coming days. We'll see you back here soon!
If you want to see what RunReveal can do, get in touch. RunReveal is hiring and looking for great engineers, product managers, and customer-facing folks who can help us build the future of security data.