VELOCIRAPTOR MCP TOOLS

28 tools from the Velociraptor MCP server, categorised by risk level.

READ 26 tools
Read client_info Retrieve client information from the Velociraptor server. Args: hostname: Hostname or FQDN of ...
Read get_collection_results get_collection_results
Read linux_groups List groups on a Linux host. Args: client_id: The Velociraptor client ID. org_id: ...
Read linux_mounts List mounts on a Linux host. Args: client_id: The Velociraptor client ID. org_id: ...
Read linux_netstat_enriched List network connections (netstat) with process metadata on a Linux host. Args: client_id:...
Read linux_pslist List running processes on a Linux host. Args: client_id: The Velociraptor client ID. o...
Read linux_users List users on a Linux host. Args: client_id: The Velociraptor client ID. org_id: O...
Read list_linux_artifacts Finds available Linux artifacts.
Read list_orgs List available Velociraptor orgs for multi-tenant deployments. Returns: A list of org metadata...
Read list_windows_artifacts Finds available Windows artifacts. Generally parameters that target filename regexes are more performa...
Read windows_evidence_of_download Collect evidence of download from a Windows host. Args: client_id: Velociraptor client ID. ...
Read windows_execution_activitiesCache Evidence of execution from activitiesCache.db (Windows timeline) of system activity on a Windows host. ...
Read windows_execution_amcache Collect evidence of execution from Amcache on a Windows host. Args: client_id: Velociraptor cl...
Read windows_execution_bam Extract evidence of execution from the BAM (Background Activity Moderator) registry key on a Windows host. ...
Read windows_execution_prefetch Parse Prefetch files on a Windows host to identify previously executed programs. Args: client_...
Read windows_execution_shimcache Parse ShimCache (AppCompatCache) entries from the registry on a Windows host. Note: Presence o...
Read windows_execution_userassist Extract evidence of execution from UserAssist registry keys. Args: client_id: Velociraptor cli...
Read windows_mounted_mass_storage_usb Collect evidence of mounted mass storage from Registry on a Windows host. Args: client_id: Vel...
Read windows_mountpoints2 Collect evidence of download from a Windows host. Args: client_id: Velociraptor client ID. ...
Read windows_netstat_enriched List network connections (netstat) with process metadata on a Windows host. Args: client_id: V...
Read windows_ntfs_mft Search MFT for filename or path on a Windows machine. This is a forensic collection and may return many row...
Read windows_pslist List running processes on a Windows host. Args: client_id: Velociraptor client ID. org...
Read windows_recentdocs Collect RecentDocs from Registry on a Windows host. Args: client_id: Velociraptor client ID. ...
Read windows_scheduled_tasks List scheduled tasks (persistence) with metadata on a Windows host. Args: client_id: Velocirapt...
Read windows_services List services with metadata on a Windows host. Args: client_id: Velociraptor client ID. ...
Read windows_shellbags Collect Shellbags from Registry on a Windows host. Args: client_id: Velociraptor client ID. ...

Route Velociraptor MCP through PolicyLayer and every one of its 28 tools is checked against your policy before it runs.

How many tools does the Velociraptor MCP server have?

The Velociraptor MCP server exposes 28 tools across 2 categories: Read, Execute.

How do I enforce policies on Velociraptor MCP tools?

Route the Velociraptor MCP server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do Velociraptor MCP tools fall into?

Velociraptor MCP tools are categorised as Read (26), Execute (2). Each category has a recommended default policy.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.
