I spent most of my morning staring at the Lacework dashboard, trying to correlate an anomalous Kubernetes execution alert with a specific container image in ECR. It’s the same ritual every time a high-severity event hits: you see the alert, you dive into the telemetry, then you realize you need to check if any other running pods share that same layer, then you hunt for the CVE details, and by the time you've pieced together the blast radius, the context has already started to decay.
We talk a lot about AI agents having 'hands.' We celebrate when an agent can write a PR or run a test suite. But in Security Operations, 'hands' aren't just about performing actions; they are about reducing the latency between detection and understanding. The bottleneck isn't usually the lack of data—it's the friction of navigating it.
When I first started seeing people connect MCP servers to Claude or Cursor, my immediate reaction was skepticism. Most of them looked like toys. They were brittle scripts that broke if a JSON key changed slightly. But then I started looking at how we could actually use the Model Context Protocol for something heavy-duty, like Cloud Native Application Protection (CNAPP).
If you can give an agent the ability to execute LQL (Lacework Query Language) via execute_query or search through your entire cloud footprint using search_cve_exposure, you aren't just 'chatting with your infra.' You are fundamentally changing the speed of incident response.






