Model Context Protocol (MCP) servers expose a structured, machine-readable API for your enterprise data—designed for AI-powered automation, copilots, and decision engines. By delivering a clear, contextual slice of your security environment, MCP lets you query, analyze, and optimize complex systems without building custom SDKs or parsing raw exports.
The Argos ERM MCP Server provides programmatic access to Check Point's Argos External Risk Management platform. It enables AI assistants and automation tools to query risk assessments, compliance data, and security posture information directly from your Argos deployment.
While the Argos ERM MCP works well on its own, it is designed to integrate with other Check Point MCP servers for comprehensive security management workflows.
- get_alerts - Search and retrieve security alerts with comprehensive filtering
- get_alert_details - Get detailed alert information with intelligence enrichment
- get_assets - Retrieve digital asset inventory with tech stack enrichment
- enrich_iocs - Enrich IOCs (IPs/domains/URLs/hashes) with threat intelligence
- get_vulnerability_details - Get CVE details with CVSS scores and exploit info
- search_vulnerabilities_by_technology - Search CVEs by product and version
- check_credential_exposure - Check for exposed credentials by domain or email
- get_threat_landscape_news - Retrieve curated threat intelligence news
- get_threat_landscape_metadata - Get available filter options for threat news
- get_threat_actors_metadata - Get available filter options for threat actors
- get_most_active_threat_actors - Retrieve active threat actors with filtering
- get_threat_actor_by_id - Get detailed threat actor information
- get_malware_by_id - Get detailed malware information
- get_security_analytics - Get comprehensive security posture analytics
"Show me critical alerts from the last 24 hours"
→ Returns filtered alerts with severity, status, and IOC enrichment.
"Get details for alert INT10-343 with intelligence enrichment"
→ Returns comprehensive alert details including threat intelligence for all indicators.
"List all phishing alerts that are still open"
→ Returns filtered alerts by type and status with enriched data.
"Show me all monitored domains with their technology stacks"
→ Returns asset inventory with detailed technology versions, CVE counts, and risk scores.
"Find vulnerabilities in Apache HTTP Server version 2.4.41"
→ Returns CVEs affecting specific technology versions with CVSS scores and exploit availability.
"What's the CVSS score for CVE-2024-30040?"
→ Returns comprehensive CVE details including CVSS v2/v3 scores, affected products, and remediation.
"Get latest threat intelligence news about ransomware"
→ Returns curated threat intelligence articles filtered by labels, regions, or sectors.
"Enrich these IOCs: 8.8.8.8, malicious-site.com"
→ Returns threat intelligence for each IOC including reputation, geo-location, and related threats.
"Show me the most active threat actors targeting the financial sector"
→ Returns threat actor profiles with motivation, targeted sectors, and attack patterns.
"Tell me about the LockBit threat actor"
→ Returns detailed threat actor profile including aliases, targeted countries/sectors, and TTPs.
"Check if company.com has any exposed credentials"
→ Returns exposed credentials found in data breaches with breach metadata.
"What's our current security posture?"
→ Returns comprehensive analytics including risk scores, trends, and threat distribution.
"Show me the risk assessment dashboard"
→ Returns overall risk, targeting threats, data exposure, and posture risk metrics.
This server supports configuration via command-line arguments or environment variables:
The Argos ERM server requires connection details to your Argos instance.
Set the following environment variables:
- ARGOS_HOST (or ARGOS_SERVER_URL): Your Argos ERM server URL (e.g., https://argos.example.com)
- ARGOS_API_KEY (or ARGOS_INTEGRATION_TOKEN): Your Argos ERM API authentication token
- ARGOS_CUSTOMER_ID: Your Argos customer ID (required for all API calls)
Download and install the latest version of Node.js if you don't already have it installed.
You can check your installed version by running:
node -v # Should print "v18" or higher
nvm current # Should print "v18" or higher

This server has been tested with Claude Desktop, Cursor, GitHub Copilot, and Windsurf clients.
It is expected to work with any MCP client that supports the Model Context Protocol.
{
  "mcpServers": {
    "argos-erm": {
      "command": "npx",
      "args": ["@chkp/argos-erm-mcp"],
      "env": {
        "ARGOS_HOST": "https://your-argos-instance.com",
        "ARGOS_API_KEY": "your-api-key-here",
        "ARGOS_CUSTOMER_ID": "your-customer-id"
      }
    }
  }
}

# Create the config file if it doesn't exist
touch "$HOME/Library/Application Support/Claude/claude_desktop_config.json"
# Open the config file in TextEdit
open -e "$HOME/Library/Application Support/Claude/claude_desktop_config.json"

code %APPDATA%\Claude\claude_desktop_config.json

Add the server configuration:
{
  "mcpServers": {
    "argos-erm": {
      "command": "npx",
      "args": ["@chkp/argos-erm-mcp"],
      "env": {
        "ARGOS_HOST": "https://your-argos-instance.com",
        "ARGOS_API_KEY": "your-api-key-here",
        "ARGOS_CUSTOMER_ID": "your-customer-id"
      }
    }
  }
}

Enter VSCode settings and type "mcp" in the search bar. You should see the option to edit the configuration file. Add this configuration:
{
  ...
  "mcp": {
    "inputs": [],
    "servers": {
      "argos-erm": {
        "command": "npx",
        "args": [
          "@chkp/argos-erm-mcp"
        ],
        "env": {
          "ARGOS_HOST": "https://your-argos-instance.com",
          "ARGOS_API_KEY": "your-api-key-here",
          "ARGOS_CUSTOMER_ID": "your-customer-id"
        }
      }
    }
  },
  ...
}

Enter Windsurf settings and type "mcp" in the search bar. You should see the option to edit the configuration file. Add the same configuration as for the Claude Desktop App.
Enter Cursor settings and click on "MCP Servers" in the left menu. You should see the option to add a new MCP Server. Add the same configuration as for the Claude Desktop App.
By default, this server uses stdio transport, which is the standard mode for MCP clients like Claude Desktop and Cursor. For hosted or multi-user deployments, an HTTP transport (MCP Streamable HTTP) is also available.
Security notice before you continue: The HTTP server has no built-in authentication and no TLS. Any client that can reach the port can establish a session, and credentials travel in cleartext. Only use HTTP transport behind an authenticated reverse proxy (nginx, Caddy, a cloud load balancer) that terminates TLS and enforces authentication. If you are running the server on the same machine as your MCP client, use the default stdio transport — it has none of these concerns.
MCP_TRANSPORT_TYPE=http MCP_TRANSPORT_PORT=3000 npx @chkp/argos-erm-mcp
# or
npx @chkp/argos-erm-mcp --transport http --transport-port 3000

The server exposes:
- POST/GET/DELETE /mcp - MCP protocol endpoint
- GET /health - server status (active session count, version)
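
One way to meet the reverse-proxy requirement in the security notice above, as an added example that is not part of the project's documentation: an nginx front end that terminates TLS, requires HTTP Basic authentication on /mcp, and keeps /health local. The hostname, certificate and htpasswd paths are placeholders, and it assumes port 3000 is reachable only from the proxy host.

```nginx
# Added example: TLS-terminating, authenticating proxy in front of the MCP HTTP transport.
# Assumptions (not from the project): hostname, certificate paths, htpasswd file,
# and that port 3000 is firewalled so only this proxy can reach it.
server {
    listen 443 ssl;
    server_name mcp.example.internal;                 # hypothetical hostname

    ssl_certificate     /etc/nginx/tls/mcp.crt;       # hypothetical paths
    ssl_certificate_key /etc/nginx/tls/mcp.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # MCP protocol endpoint: every request must authenticate before it is proxied.
    location = /mcp {
        auth_basic           "Argos ERM MCP";
        auth_basic_user_file /etc/nginx/mcp.htpasswd; # hypothetical file

        proxy_pass         http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   Connection "";
        proxy_set_header   Authorization "";   # do not forward proxy credentials upstream

        # Streamable HTTP may hold a response open as an event stream.
        proxy_buffering    off;
        proxy_read_timeout 1h;
    }

    # /health reports session count and version; keep it local to the proxy host.
    location = /health {
        allow 127.0.0.1;
        deny  all;
        proxy_pass http://127.0.0.1:3000;
    }

    # Nothing else is exposed.
    location / {
        return 404;
    }
}
```

With a proxy like this in place, clients connect to https://<proxy-host>/mcp with credentials rather than to port 3000 directly.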
Point your MCP client at http://<host>:3000/mcp. Example for Claude Desktop (claude_desktop_config.json):
{
  "mcpServers": {
    "argos-erm": {
      "url": "http://localhost:3000/mcp"
    }
  }
}

- Node.js 20+
- npm 10+
# Install all dependencies
npm install
# Build all packages
npm run build

You can run the server locally for development using MCP Inspector or any compatible MCP client.
node FULL_PATH_TO_SERVER/packages/argos-erm/dist/index.js \
--argos-host "https://your-argos-instance.com" \
--argos-api-key "your-api-key" \
--argos-customer-id "your-customer-id"

- Authentication keys and credentials are never shared with the model. They are used only by the MCP server to authenticate with your Argos ERM system.
- Only use client implementations you trust. Malicious or untrusted clients could misuse your credentials or access data improperly.
- Risk and compliance data is exposed to the model. Ensure that you only use models and providers that comply with your organization's policies for handling sensitive data and PII.
Anonymous Usage Statistics: Check Point collects anonymous usage statistics to improve this MCP server. Only tool usage patterns and anonymous identifiers are collected—no credentials, policies, or sensitive data.
Opt-Out: Set TELEMETRY_DISABLED=true environment variable or use the --no-telemetry flag to disable telemetry collection.