Claude Code × Sysdig リモートMCPでランタイム脅威のループを閉じる:調査から修復まで詳解 Closing the loop on runtime threats with Claude Code × Sysdig remote MCP: investigate → remediate (deep dive)
Claude Code に新追加された Sysdig Secure リモート MCP サーバーと Agent Skills を組み合わせ、ランタイム脅威の検知・調査・修復を自動化するクローズドループワークフローを詳しく解説する。
English summary
- A deep dive on using the Sysdig Secure remote MCP server inside Claude Code, combined with Agent Skills, to close the investigate-to-remediate loop for runtime container and cloud security threats.
AI開発エージェント「Claude Code」が、コンテナやクラウドのランタイムセキュリティを手がけるSysdigの「Sysdig Secure」とMCP(Model Context Protocol)経由で連携できるようになった。検知から調査、修復までを一連のワークフローとして自動化する試みで、運用現場でのセキュリティ対応を効率化する狙いがある。
MCPは、AIエージェントが外部のツールやデータソースへ安全にアクセスするためのオープンな接続規格で、Anthropicが提唱した。今回のリモートMCPサーバーは、利用者が自前でサーバーを立てずに、Sysdig側がホストするエンドポイントへ接続して使える点が特徴とされる。Claude Codeはこの接続を通じて、Sysdig Secureが収集したランタイムの脅威イベントやコンテキスト情報を取得し、分析に利用できる。
Sysdig Secureは、CNCFのオープンソースプロジェクト「Falco」を基盤に、eBPFなどを用いてコンテナやホスト上の不審な挙動をリアルタイムで検知する。たとえば想定外のプロセス起動や権限昇格、外部への不審な通信といった兆候を捉え、アラートとして記録する。これらのシグナルをエージェントが読み解くことで、人手による初動調査の負担を軽減できる可能性がある。
記事が注目するのは、Claude Codeの「Agent Skills」と組み合わせる点だ。Agent Skillsは特定タスクの手順や知識をエージェントに与える仕組みで、脅威の優先度付けや関連リソースの洗い出し、推奨される修復手順の提示といった流れをパッケージ化できる。これにより、検知から調査、修復までをひとつのループとして閉じる「クローズドループ」を構築しようとしている。
同様に、セキュリティやオブザーバビリティの各社がMCPサーバーを提供する動きは広がりつつあり、DatadogやGitHubなども関連する取り組みを示している。一方で、修復をどこまで自動化するかは慎重な検討が求められる領域でもある。誤検知に基づく自動対応は本番環境に影響を及ぼしかねず、人間による承認を挟む運用が現実的と見られる。エージェントによる省力化と、操作権限の管理や監査ログの確保といったガードレールのバランスが、実運用での鍵になりそうだ。
Anthropic's Claude Code, an agentic command-line coding assistant, is increasingly being wired into security operations through the Model Context Protocol (MCP), and a recent integration with Sysdig Secure's remote MCP server illustrates how that trend extends into runtime threat detection. The combination aims to close what security teams often describe as the investigate-to-remediate loop: the gap between a runtime alert firing and an engineer actually shipping a fix. By letting Claude Code query Sysdig's data and act on it, the workflow attempts to compress detection, triage, and response into a single conversational session.
MCP is an open standard introduced by Anthropic in late 2024 that gives large language models a consistent way to connect to external tools, data sources, and services. Rather than each application building bespoke integrations, an MCP server exposes capabilities, such as querying logs or fetching findings, that any MCP-compatible client can call. A remote MCP server, as opposed to a locally run one, is hosted by the vendor and reached over the network, which means teams do not have to deploy and maintain the connector themselves. Sysdig offering a remote MCP server for Sysdig Secure fits a broader pattern in which security vendors are publishing official MCP endpoints so that agents like Claude Code can pull live data directly from the platform.
Sysdig Secure is a cloud-native security platform built largely around Falco, the open-source runtime detection engine that Sysdig originally created and later donated to the Cloud Native Computing Foundation. Falco watches system calls and other kernel-level signals to flag suspicious behavior inside containers, hosts, and Kubernetes clusters in real time, for example a shell spawning unexpectedly inside a container or a process reading sensitive files. Runtime security matters because many threats only become visible once code is executing; static scans of images or infrastructure-as-code cannot catch an attacker who exploits a workload after deployment. Surfacing that telemetry to an agent is the premise of this integration.
In practice, the described workflow pairs the Sysdig remote MCP server with Agent Skills, a Claude feature that packages instructions, scripts, and domain knowledge into reusable modules the model can invoke when relevant. The MCP server appears to provide the connective tissue, letting Claude Code retrieve runtime events, enrich them with context such as the affected workload, image, or cloud resource, and correlate related findings. Agent Skills would then encode the team's investigative playbooks, guiding the model through consistent triage steps rather than relying on ad hoc prompting. The article frames this as a closed loop: detect an anomaly, investigate root cause, and propose or apply remediation, all within the same agentic session.
The remediation half of that loop is where careful scoping is likely to matter most. Because Claude Code already operates inside a developer's environment with access to source, configuration, and shell commands, it can plausibly draft a patch, adjust a Kubernetes manifest, or tighten a policy in response to a finding. That capability is powerful but also raises the usual concerns about autonomous actions in production systems, so most teams will probably keep a human in the loop for approvals, especially where changes touch live workloads. The value proposition is reducing the manual context-switching between a security console, ticketing, and the codebase, not removing oversight.
This integration sits within a fast-moving landscape. Anthropic has been positioning Claude Code as a general agentic platform, and MCP adoption has accelerated across the industry, with support appearing in tools from multiple vendors and clients. On the security side, other platforms and SIEM providers have been experimenting with similar agent-facing interfaces, reflecting an industry bet that LLM agents can offload repetitive analyst work. Readers evaluating the approach should weigh practical considerations: how access to the remote MCP server is authenticated and scoped, how sensitive runtime data is handled when sent to a model, and how false positives from runtime detection are managed before any automated change is suggested.
For teams already running Sysdig and experimenting with Claude Code, the integration offers a concrete way to test agent-assisted security operations without building custom plumbing. Whether it meaningfully shortens response times will depend on the quality of the underlying detections, the discipline of the Agent Skills that encode investigative logic, and the guardrails placed around remediation. As with most early agentic security workflows, treating it as an assistant that accelerates analysts, rather than a replacement for them, appears to be the prudent starting point.
本ページの本文・要約は AI による自動生成です。正確性は元記事 (qiita.com) をご確認ください。