Announcement] iris-mcp: A Model Context Protocol (MCP) server for DFIR-Iris

[srozb]

Hi everyone! 👋

I'm excited to share a project I've been working on: iris-mcp.

It is a Model Context Protocol (MCP) server that acts as a bridge between AI agents (like Claude Desktop or Gemini) and a DFIR-Iris instance. It allows LLMs to assist analysts by managing cases, recording evidence/IOCs, tracking timeline events, and managing tasks directly through the Iris API.

🤖 Built with AI, Battle-Tested by Analysts
This project was almost entirely developed using Gemini, but it isn't just a prototype. It has been battle-tested during real-world engagements and has proven to work excellently under pressure.

✨ Key Features
Case Management: Create, list, and update cases without leaving your agent interface.
Evidence, IOC, Assets Tracking: Seamlessly add/edit/list malicious artifacts, iocs, assets to your investigation.
Unified Timeline: Maintain a chronological record of events, add/edit/list/remove.
Zero-Setup Execution: Built with the uv script format, meaning it can run as a single file with self-contained dependencies.

🚀 Getting Started
The server supports both Stdio and HTTP/SSE agentic communication (Gemini, OpenAI, Claude)

bash
# Run directly (Stdio)
./iris_mcp.py
# Run for Gemini (HTTP/SSE)
./iris_mcp.py --http

Check out the README for detailed configuration and integration steps.

I'd love to hear your feedback or see how you're using AI to speed up your IR workflows with Iris!

Repo: https://github.com/srozb/iris-mcp