Saved February 14, 2026
This article details the features of the Security Detections MCP server, which allows LLMs to query various security detection rules. It highlights enhancements like improved error handling, dynamic pattern extraction, and the introduction of 11 pre-built prompts for common security tasks.
The MCP (Model Context Protocol) server allows large language models (LLMs) to access a unified database of security detection rules from Sigma, Splunk ESCU, Elastic, and KQL. Key updates in version 2.1 include fixes for Windows file locking issues that previously caused crashes on startup, as well as enhanced error handling and dynamic pattern extraction capabilities. It now supports a cross-platform continuous integration setup, meaning builds and tests run on both Windows and Linux.
New features enhance detection engineering and analytical capabilities. The server can now request user confirmations for sensitive actions and offers LLM-enhanced analysis through sampling. Users can subscribe to resource changes for real-time updates and utilize a persistent knowledge graph that records decision-making context. The tool suite has expanded to over 70 tools, including those for pattern learning and template generation. It can learn from different detection formats, automatically generating reusable templates and logging analytical decisions for future reference.
The MCP server comes with 11 pre-built prompts designed for various security tasks, simplifying the process for users. For example, the ransomware readiness assessment prompt generates a detailed report on ransomware risks and remediation steps. Each prompt automates significant tasks, such as analyzing detection coverage against specific threat actors like APT29 or creating a test plan for purple team exercises. Users can execute complex queries using SQL-like operations and filter detections by technique ID, CVE, or severity, all through a unified search interface.
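The unified search described above rests on one normalization step: rules written in different formats (Sigma YAML, Elastic JSON, Splunk ESCU YAML, Sentinel KQL templates) have to be mapped onto a common schema before a single query by technique ID, CVE or severity can run across all of them. The following Python is an added example of that step; it is not code from the Security Detections MCP server or from the article. The field names it reads (`tags`/`level` for Sigma, `threat`/`severity` for Elastic, `tags.mitre_attack_id`/`tags.cve`/`tags.risk_score` for ESCU, `relevantTechniques`/`severity` for Sentinel) are the formats' real fields, the rule documents are constructed, the CVE id is a placeholder, and the mapping of ESCU `risk_score` onto a severity label is an assumption chosen for the example. It also shows one generalization the text does not spell out: a query for a parent technique (`T1059`) matches rules tagged with its sub-techniques (`T1059.001`).

```python
"""Normalize detection rules from several formats into one schema and query them.
Added example; rule documents below are constructed and the CVE id is a placeholder."""
import json
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Sigma encodes ATT&CK ids as tags such as "attack.t1059.001" (tactic tags like
# "attack.ta0002" or "attack.execution" must not be mistaken for techniques).
SIGMA_TECHNIQUE_RE = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# One severity scale for all sources; Sigma's "informational" sits below "low".
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Detection:
    source: str
    title: str
    severity: str                 # normalized to a SEVERITY_RANK key
    techniques: FrozenSet[str]    # e.g. {"T1059.001"}
    cves: FrozenSet[str]          # e.g. {"CVE-2099-99999"}


def _cves_in(text: Optional[str]) -> set:
    return {m.upper() for m in CVE_RE.findall(text or "")}


def from_sigma(rule: dict) -> Detection:
    techniques, cves = set(), set()
    for tag in rule.get("tags", []):
        m = SIGMA_TECHNIQUE_RE.match(tag)
        if m:
            techniques.add(m.group(1).upper())
        elif tag.lower().startswith("cve."):      # Sigma form: "cve.2099.99999"
            parts = tag.split(".")
            if len(parts) == 3:
                cves.add(f"CVE-{parts[1]}-{parts[2]}")
    cves |= _cves_in(rule.get("description"))
    return Detection("sigma", rule["title"], rule.get("level", "medium").lower(),
                     frozenset(techniques), frozenset(cves))


def from_elastic(rule: dict) -> Detection:
    # Elastic rules list ATT&CK under "threat": [{"technique": [{"id", "subtechnique": [...]}]}]
    techniques = set()
    for threat in rule.get("threat", []):
        for tech in threat.get("technique", []):
            techniques.add(tech["id"].upper())
            techniques.update(sub["id"].upper() for sub in tech.get("subtechnique", []))
    return Detection("elastic", rule["name"], rule.get("severity", "medium").lower(),
                     frozenset(techniques), frozenset(_cves_in(rule.get("description"))))


def from_escu(rule: dict) -> Detection:
    # ESCU carries a numeric risk_score; thresholds below are an assumption for this example.
    tags = rule.get("tags", {})
    score = tags.get("risk_score", 0)
    severity = "critical" if score >= 90 else "high" if score >= 70 else "medium" if score >= 40 else "low"
    return Detection("splunk_escu", rule["name"], severity,
                     frozenset(t.upper() for t in tags.get("mitre_attack_id", [])),
                     frozenset(c.upper() for c in tags.get("cve", [])))


def from_sentinel(rule: dict) -> Detection:
    # Sentinel analytic rule templates (KQL) use "severity" and "relevantTechniques".
    return Detection("sentinel_kql", rule["name"], rule.get("severity", "Medium").lower(),
                     frozenset(t.upper() for t in rule.get("relevantTechniques", [])),
                     frozenset(_cves_in(rule.get("description"))))


class DetectionIndex:
    def __init__(self, detections: List[Detection]):
        self.detections = list(detections)

    @staticmethod
    def _covers(d: Detection, technique: str) -> bool:
        # A parent technique matches rules tagged with any of its sub-techniques.
        return any(t == technique or t.startswith(technique + ".") for t in d.techniques)

    def search(self, technique: Optional[str] = None, cve: Optional[str] = None,
               min_severity: Optional[str] = None) -> List[Detection]:
        hits = []
        for d in self.detections:
            if technique and not self._covers(d, technique.upper()):
                continue
            if cve and cve.upper() not in d.cves:
                continue
            if min_severity and SEVERITY_RANK.get(d.severity, 0) < SEVERITY_RANK[min_severity.lower()]:
                continue
            hits.append(d)
        return hits


def build_sample_index() -> DetectionIndex:
    """Constructed rule documents in each format, as they would look after YAML/JSON parsing."""
    sigma = {"title": "Suspicious PowerShell Download Cradle", "level": "high",
             "tags": ["attack.execution", "attack.ta0002", "attack.t1059.001"]}
    elastic = json.loads(json.dumps({   # Elastic rules ship as JSON
        "name": "Exploit Attempt Against Public-Facing App", "severity": "critical",
        "description": "Detects exploitation of placeholder CVE-2099-99999.",
        "threat": [{"framework": "MITRE ATT&CK", "technique": [{"id": "T1190"}]}]}))
    escu = {"name": "Encoded PowerShell Command Line",
            "tags": {"mitre_attack_id": ["T1059.001"], "cve": ["cve-2099-99999"], "risk_score": 50}}
    sentinel = {"name": "Password Spray Against Sign-ins", "severity": "Medium",
                "relevantTechniques": ["T1110"]}
    return DetectionIndex([from_sigma(sigma), from_elastic(elastic), from_escu(escu), from_sentinel(sentinel)])


if __name__ == "__main__":
    idx = build_sample_index()
    for d in idx.search(technique="T1059", min_severity="high"):
        print(d.source, d.title, d.severity, sorted(d.techniques))
```

The same `search` call serves every source once the four loaders have run, which is the property the article's unified interface depends on; adding a fifth format means writing one more loader, not changing the query side.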
No installation is required; users can run the server easily with a few commands. The setup process is straightforward, involving cloning the repository and configuring the MCP settings. This tool provides a comprehensive approach to security detection, making it easier for security professionals to manage and analyze threats effectively.