A Model Context Protocol (MCP) server that connects LLMs to BloodHound Community Edition. Ask questions in natural language, get attack path analysis, run Cypher queries, and explore Active Directory, Azure/Entra ID, and OpenGraph environments — all from your AI assistant.
Watch the demonstration video (updated demo coming soon)
The server exposes BloodHound CE's REST API and Neo4j graph through a set of 11 composite MCP tools, 10 reference resources, and a system prompt tuned for offensive security analysis.
Each tool uses an info_type parameter to select what data is returned, keeping the tool surface small and token-efficient:
| Tool | info_type Options |
|---|---|
domain_info |
list, info, users, groups, computers, ous, gpos, dc_syncers, foreign_admins, foreign_group_members, linked_gpos, search |
user_info |
info, sessions, memberships, admin_rights, rdp_rights, dcom_rights, ps_remote_rights, sql_admin_rights, constrained_delegation, controllables, controllers |
group_info |
info, members, memberships, admin_rights, rdp_rights, dcom_rights, ps_remote_rights, controllers, controllables |
computer_info |
info, sessions, local_admins, rdp_rights, dcom_rights, ps_remote_rights, sql_admins, constrained_delegation, controllables, controllers |
ou_info |
info, users, groups, computers, gpos |
gpo_info |
info, controllers |
graph_analysis |
shortest_path, edge_composition, search |
adcs_info |
templates, esc_paths |
cypher_query |
run, saved_list, saved_get |
data_quality |
stats, platform_list, platform_info |
asset_groups |
list, members, custom_selectors |
custom_nodes |
list, get, create, update, delete |
Reference material the LLM loads on demand — no extra API calls:
| Resource URI | Contents |
|---|---|
bloodhound://cypher/reference |
Cypher syntax, schema, property names, patterns |
bloodhound://cypher/offensive-queries |
Battle-tested templates: DCSync, Kerberoasting, GPO abuse, delegation, ADCS, shadow credentials, NTLM relay, and more |
bloodhound://guides/ad |
AD node types and relationships quick reference |
bloodhound://guides/ad-methodology |
Full AD attack methodology and workflow |
bloodhound://guides/azure |
Azure/Entra ID analysis quick reference |
bloodhound://guides/azure-methodology |
Full Azure attack chains |
bloodhound://guides/adcs |
ADCS ESC1–ESC13 quick reference |
bloodhound://guides/adcs-methodology |
Detailed ESC analysis and exploitation |
bloodhound://opengraph/guide |
Custom node schema design and best practices |
bloodhound://opengraph/examples |
SQL Server and Web App OpenGraph examples |
The bloodhound_assistant prompt includes behavioral rules that guide the LLM:
- Load the offensive query library before writing Cypher for any attack scenario
- Never draw privilege conclusions without checking group memberships and
admincount - Respect BloodHound's property naming conventions (
hasspn,enabled,admincount— all lowercase) - Handle uppercase name storage (
DOMAIN ADMINS@CORP.LOCAL) correctly in filters - Follow proper DCSync and GPO edge traversal patterns
- Python 3.11+
- uv
- BloodHound Community Edition instance with data loaded
- BloodHound API credentials (Token ID + Token Key)
git clone https://github.com/mwnickerson/bloodhound_mcp.git
cd bloodhound-mcp
uv syncCreate a .env file in the project root:
BLOODHOUND_DOMAIN=your-bloodhound-instance.domain.com
BLOODHOUND_TOKEN_ID=your-token-id
BLOODHOUND_TOKEN_KEY=your-token-keyThe server defaults to https on port 443. Override if needed:
BLOODHOUND_PORT=8080
BLOODHOUND_SCHEME=httpAdd to claude_desktop_config.json:
{
"mcpServers": {
"bloodhound_mcp": {
"command": "uv",
"args": [
"--directory",
"/path/to/bloodhound-mcp",
"run",
"main.py"
]
}
}
}Add to ~/.claude/mcp.json:
{
"mcpServers": {
"bloodhound_mcp": {
"type": "stdio",
"command": "uv",
"args": [
"--directory",
"/path/to/bloodhound-mcp",
"run",
"main.py"
]
}
}
}Add to ~/.codex/config.toml (or .codex/config.toml for project-scoped config):
[mcp_servers.bloodhound_mcp]
command = "uv"
args = ["--directory", "/path/to/bloodhound-mcp", "run", "main.py"]Since the server loads credentials from .env automatically, no env block is needed. If you prefer to pass them explicitly:
[mcp_servers.bloodhound_mcp]
command = "uv"
args = ["--directory", "/path/to/bloodhound-mcp", "run", "main.py"]
[mcp_servers.bloodhound_mcp.env]
BLOODHOUND_DOMAIN = "your-bloodhound-instance.domain.com"
BLOODHOUND_TOKEN_ID = "your-token-id"
BLOODHOUND_TOKEN_KEY = "your-token-key"- Command:
uv - Args:
--directory /path/to/bloodhound-mcp run main.py
- Log into BloodHound CE
- Navigate to Administration → API Tokens
- Create a new token and copy the Token ID and Token Key into your
.env
Reconnaissance:
What domains are in BloodHound?
Show me all Domain Admins in CORP.LOCAL
Find all kerberoastable users
Which computers have unconstrained delegation?
User and Group Analysis:
What admin rights does jsmith@corp.local have?
Show me all sessions for the administrator account
What groups is this user a member of?
Who controls the IT ADMINS group?
Attack Path Analysis:
Find the shortest path from jsmith@corp.local to Domain Admins
Who has DCSync rights in the domain?
Show me all GPO abuse paths
Find ADCS ESC1 paths in the domain
Custom Cypher:
Run a Cypher query to find all users with SPN set and admincount=1
Find all computers where DOMAIN USERS can RDP
BloodHound 8.0+ supports custom node types via OpenGraph, letting you model non-AD infrastructure (cloud resources, databases, custom assets) in the same graph as Active Directory.
The custom_nodes tool handles CRUD operations on node type configurations. Use the bloodhound://opengraph/guide and bloodhound://opengraph/examples resources for schema design and Cypher patterns.
Requires BloodHound CE 8.0 or later.
BloodHound data processed through this tool is transmitted to your LLM provider's servers. Do not use this with production AD data unless you have assessed that risk.
Recommended use cases:
- Lab environments (GOAD, DetectionLab, custom ranges)
- Training and certification prep
- Research and tool development
- Non-production domain analysis
Best practices:
- Rotate BloodHound API tokens regularly
- Use a read-only API token where possible
- Consider a local LLM bridge for sensitive environments
# Full test suite (307 tests)
uv run pytest
# Specific modules
uv run pytest tests/test_main_mcp_tools.py -v
uv run pytest tests/test_bloodhound_api.py -v
# Integration tests (requires a live BloodHound instance)
BLOODHOUND_INTEGRATION_TESTS=1 uv run pytest tests/test_integration.py -v- Direct Neo4j access mode (bypass REST API for complex graph traversal)
- Enhanced Azure/Entra ID tooling
- Improved ADCS attack path coverage
- Additional OpenGraph examples and templates
Contributions are welcome. Open an issue to discuss significant changes before submitting a PR.
- Fork the repo
- Create a feature branch
- Add tests for new functionality
- Run
uv run pytestand confirm everything passes - Submit a pull request
- SpecterOps for BloodHound Community Edition
- Orange Cyberdefense for GOAD (used for testing)
- @jlowin for FastMCP
- @xpn for MCP inspiration via the Mythic MCP project
GNU General Public License v3.0 — see LICENSE for details.