# Using MCP for Security Operations

Scanner's MCP integration enables three complementary approaches to security operations:

## Interactive Investigations

Guided, real-time exploration of your security data. You ask questions, your AI queries Scanner iteratively, and you refine the investigation direction as findings emerge.

**Best for:** Incident response, alert triage, threat hunting, following investigative leads

→ [Interactive Investigations](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/interactive-investigations)

## Detection Engineering

Write, test, and validate detection rules with your AI. Get rule suggestions, test them against your data, migrate rules from other platforms, and tune for your environment.

**Best for:** Building new detections, tuning existing rules, migrating from other platforms, ensuring coverage

→ [Detection Engineering](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/detection-engineering)

## Autonomous Workflows

AI agents that run around the clock to hunt threats, triage alerts, analyze coverage, and investigate IOCs.

**Best for:** Continuous monitoring, scheduled hunting, automation at scale

→ [Autonomous Workflows](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/using-mcp-for-security-operations/autonomous-workflows)

***

## Getting Started

New to Scanner MCP? Check out the [setup instructions](https://docs.scanner.dev/scanner/using-scanner-complete-feature-reference/mcp-and-ai-secops/getting-started) to connect Scanner and get up and running.

Choose your approach based on your current need, or use all three together for comprehensive AI-driven security operations.
