Vision: Bring the Security MCP App to Mobile via the Claude Marketplace
Status: Draft
Author: David Elgut (PM, Security AI)
Date: 2026-05-29
Horizon: Exploratory — MVP (triage/review) near-term, full parity longer-term
Epic Link: (to be filled when published as a GitHub issue)
Background
The Elastic Security MCP App brings analyst workflows — alert triage, attack discovery, case management, detection rules, and threat hunting — directly into Claude. It is how we meet analysts inside the AI host they already use, instead of asking them to context-switch back to a console. Early adoption is underway, and we are now instrumenting usage (see Epic #37 — MCP App Usage Telemetry) to learn which workflows analysts actually exercise.
But the MCP App lives only on Claude Desktop. The moment an analyst steps away from their laptop, their connection to Elastic goes with it. There is no good way to interact with an Elastic cluster from mobile today — so triage, review, and the quick judgment calls that define security operations all wait until someone is back at a desk.
Meanwhile, Claude's connector marketplace (the Directory) has matured into a credible distribution surface, with first-class connectors for tools like Gmail, Google Drive, Slack, and Atlassian. Critically, web-based connectors installed in Claude Desktop sync to the Claude mobile app. That is the unlock: a marketplace connector is not just easier discovery and setup — it is the bridge that puts Elastic in an analyst's pocket.
What's Changing
Two shifts make this timely. First, AI hosts like Claude are becoming the primary surface where analysts do their work — not a side tool, but the place the day starts and the work happens. Second, Claude's web-based connectors now sync from Desktop to Mobile, which means a single official Elastic connector can deliver the Security MCP App to a phone with no separate mobile build.
Put together, the path to mobile that used to require a dedicated app and a long roadmap is now within reach through a channel that already exists. The question shifts from "how would we ever build an Elastic mobile app?" to "should we publish the MCP App as a Claude connector so it simply shows up on mobile?"
This is also the direction of travel for Elastic's agentic interfaces more broadly — meeting users inside the AI hosts they already use. Realizing it at scale points to hosting the MCP experience via Kibana (a server-hosted connector rather than a locally-run one) so any Elastic user can connect and reach it across desktop and mobile without manual setup.
Vision
The AI SOC in your pocket. An analyst opens Claude on their phone over morning coffee, asks what fired overnight, and triages the highest-severity alerts — acknowledging the noise, escalating the one that matters, leaving a note on a case — all before they open their laptop. At lunch, they review an attack discovery and confirm it is a true positive. The work follows them, because the tool is wherever they are.
We get there by publishing the Security MCP App as an official Elastic connector in the Claude marketplace. Installed once in Claude Desktop, it syncs to Claude Mobile, and the same Security workflows analysts already trust become available on the device that is always with them. The initial bar is deliberately modest — triage and review alerts — the glanceable, high-value actions that benefit most from being mobile. Over time, the experience grows toward full parity with the desktop app.
This directly advances our goal of a world-class Agentic Security Operations product. It meets analysts where they live, compresses time-to-response by removing the "wait until I'm at my desk" gap, and extends the reach of EASE and Attack Discovery to the moments that matter most.
Focus Areas
The vision is organized around the following capability areas:
- Mobile reach — Deliver the Security MCP App to Claude Mobile through the marketplace connector's Desktop-to-Mobile sync, with no separate mobile build.
- Triage & review on the go (MVP) — Make the glanceable, high-value actions — review alerts, acknowledge/escalate, leave a case note — feel native to a phone.
- Attack discovery review on mobile — Let analysts review and confirm attack discoveries away from their desk.
- Path to full parity — Grow the mobile experience over time toward the full set of desktop workflows.
- Trust & security posture — Establish what it means to safely review and act on sensitive security data from a mobile device.
User Stories
- As an on-call SOC analyst, I want to triage overnight alerts from my phone so that the queue is handled before I reach my desk.
- As a security analyst, I want to review and confirm an attack discovery on mobile so that investigations don't stall when I'm away from my laptop.
- As an analyst, I want to update a case from my phone so that I can keep work moving from anywhere.
- As a security lead, I want confidence that acting on alerts from a mobile device is safe and appropriate for sensitive data.
- As an analyst, over time I want the full SOC experience on mobile so that my phone is a complete extension of my desk.
Open Questions
This is exploratory. The vision rests on a few keystone assumptions that must be validated first: that the MCP experience can be hosted via Kibana, that Anthropic's Directory accepts a third-party Elastic connector, and that the MCP App's interactive views actually function through Desktop-to-Mobile sync. Until those hold, everything below is a hypothesis.
- Marketplace eligibility & partnership (keystone) — Does Anthropic's Directory accept third-party connectors like Elastic's, and what is the submission, review, and partnership/approval path?
- Hosting model (keystone) — A marketplace/web connector implies a hosted, server-side MCP experience. The direction is to host this via Kibana so any Elastic user can connect without manual setup. What does a Kibana-hosted MCP connector require, and how does it relate to today's locally-run app?
- Mobile auth & security posture — What is the right authentication and authorization model for connecting to an Elastic cluster and acting on alerts from a phone?
- Mobile-appropriate workflows — Which MCP App workflows make sense on a small screen and on the go (triage/review) versus those that remain desktop-first (e.g., deep threat hunting / query authoring)?
- Data sensitivity — What are the implications of viewing and acting on security alerts and case data on a mobile device, and what guardrails do customers expect?
- Experience fidelity on mobile (keystone) — How well do the existing MCP App views render and behave in the Claude mobile app, and where is adaptation needed?
Related Issues
Stakeholders
| Role | Name | Responsibility |
| --- | --- | --- |
| Product Manager | David Elgut | Vision ownership, prioritization |
| Stakeholder / Idea origin | Aaron Jewitt | Use case, requirements input |
| Engineering (MCP App) | Kenneth Kreindler (KDKHD) | Technical feasibility |
| Design | TBD | Mobile UX vision, research |
| Executive Sponsor | TBD | Strategic alignment, funding |
Related Issues
work_docs/prd/mcp-app-security-vision.md) — parent vision for the Security MCP App.