BloodHound-MCP

Translates conversational security queries into optimized Cypher queries executed against BloodHound's Neo4j graph database. The FastMCP server acts as an intermediary that interprets natural language intent and routes it to specialized security analysis tools, which then construct and execute graph database queries. This eliminates the need for security professionals to learn Cypher syntax while maintaining full access to BloodHound's relationship mapping capabilities.

Executes specialized Cypher queries that traverse BloodHound's Active Directory graph to identify privilege escalation and lateral movement paths. The system implements graph traversal algorithms that discover multi-hop relationships between users, groups, computers, and resources, exposing attack chains that could lead to domain compromise. Results are returned as structured relationship data that can be visualized or analyzed programmatically.

Implements secure configuration management through environment variables for database connection parameters and credentials. The system reads BLOODHOUND_URI, BLOODHOUND_USERNAME, and BLOODHOUND_PASSWORD from the environment at startup, enabling flexible deployment across different environments without code changes. This approach supports containerized deployments, CI/CD pipelines, and secure credential handling through environment-based secrets management.

Provides specialized tools for analyzing Active Directory domain structure, organizational units, group policies, and trust relationships. These tools execute Cypher queries that map domain topology, identify policy inheritance chains, and expose trust configurations that could be exploited. The system returns structured data about domain organization, group memberships, and inter-domain relationships.

Executes specialized Cypher queries to identify authentication-related security misconfigurations and vulnerabilities in Active Directory. This includes detection of weak authentication mechanisms (NTLM, Kerberos weaknesses), unconstrained delegation, resource-based constrained delegation misconfigurations, and accounts with dangerous properties. The system returns structured data about vulnerable authentication paths and configurations.

Provides tools for analyzing Public Key Infrastructure configurations and certificate-based attack vectors in Active Directory environments. These tools execute Cypher queries to identify certificate templates with dangerous configurations, certificate authority relationships, and potential certificate-based privilege escalation paths. The system returns structured data about PKI vulnerabilities and exploitation chains.

Executes specialized Cypher queries to identify NTLM relay vulnerabilities and network-based attack opportunities in Active Directory environments. These tools analyze which systems accept NTLM authentication, identify signing and sealing requirements, and map potential relay targets. The system returns structured data about NTLM relay risks and network attack paths.

Provides tools for analyzing security implications of hybrid cloud environments where on-premises Active Directory is synchronized with Azure Active Directory. These tools execute Cypher queries to identify cross-environment attack paths, Azure AD Connect compromise risks, and privilege escalation opportunities spanning on-premises and cloud environments. The system returns structured data about hybrid environment vulnerabilities.

Implements a FastMCP server that hosts and manages the 75+ specialized security analysis tools through the Model Context Protocol. The server handles tool registration, parameter validation, execution orchestration, and result formatting. It provides a standardized interface that allows any MCP-compatible AI client to discover and invoke security analysis tools without direct Neo4j knowledge. The server manages database connections, error handling, and response serialization.

Manages connections to the Neo4j graph database containing BloodHound data and executes Cypher queries through the Neo4j Python driver. The system handles connection pooling, authentication, query parameterization, and result processing. It provides a reliable interface for executing security analysis queries against the graph database while managing connection lifecycle and error handling.

Enables security professionals to conduct multi-turn conversations with an AI agent that understands Active Directory security concepts and can reason about attack scenarios. The AI agent uses the MCP tool registry to select appropriate security analysis tools, interpret results, and provide contextual security insights. This capability transforms BloodHound analysis from a query-response interaction into a collaborative investigation where the AI can ask clarifying questions, suggest additional analysis, and synthesize findings.