How I wired Rivendell and Archer into Claude using the Model Context Protocol - and what it unlocked.
There’s a problem every DFIR analyst knows intimately: your tools don’t talk to each other.
You’re mid-incident, jumping between a terminal running Volatility, a browser tab open on the MITRE ATT&CK matrix, an MDE rule half-written in VS Code, and a case notes doc trying to stitch the narrative together. Every context switch costs you time. Every time you manually copy an IOC from one tool to another, you’re doing work that a machine should be doing for you.
I’ve been building a platform called Rivendell for exactly this problem - a unified DFIR platform that brings artefact acquisition, memory forensics, timeline analysis, and IOC extraction under one roof. Alongside it, I have Archer, a detection engineering tool that maps findings to MITRE ATT&CK and generates KQL, SPL, and YARA rules. Both tools work. But they still existed as separate things that I ran separately, in separate terminals, thinking separately.
Then I found MCP.