Sibling MCP Orchestration¶

When Claude has access to multiple MCP servers in the same session, Salient can orchestrate across all of them. This is the /ttx enrich workflow — Claude reads from sibling MCPs and writes security-relevant data into the Salient twin.

How It Works¶

Claude Session
  ├── ttx-salient (Salient MCP)
  ├── Gmail MCP
  ├── Google Calendar MCP
  └── Notion MCP

/ttx enrich
  1. Claude scans Gmail for security-related emails
  2. Claude reads Notion pages tagged as security policies
  3. Claude checks Calendar for scheduled drills and reviews
  4. Claude writes everything into Salient via ingest_from_mcp / ingest_document

The key insight: Claude is the orchestrator, not Salient. Salient provides the ingestion tools and the intelligence pipeline. Claude provides the judgment about what is security-relevant.

During-Exercise Enrichment¶

While facilitating a TTX, Claude can pull real-time context from sibling MCPs:

Mid-exercise enrichment

During a phishing scenario, the team mentions they use Proofpoint. Claude checks Notion for the Proofpoint runbook, finds it, ingests it into the twin, and uses it to tailor follow-up questions — all within the same exercise session.

This makes exercises more targeted and the twin richer simultaneously.

Post-Exercise Enrichment¶

After an exercise, /ttx enrich does a broader sweep:

Gmail Integration¶

Claude searches for security-relevant emails:

Incident notification threads
Vendor security advisories
Compliance audit communications
Security tool alert summaries

Each email is ingested with data_type: "communication" or data_type: "security_event" depending on content.

Google Calendar Integration¶

Claude finds security-related calendar events:

Scheduled tabletop exercises
Security review meetings
Vendor risk assessment calls
Compliance audit dates

These provide timeline data and organizational rhythm insights.

Notion Integration¶

Claude reads security documentation:

Incident response plans
Security policies and standards
Architecture decision records
Meeting notes from security reviews

Documents are ingested with ingest_document using the appropriate document_type for targeted fact extraction.

Ingestion Tools¶

Two tools handle sibling MCP data:

`ingest_from_mcp`¶

For discrete data items — an email, a calendar event, a Slack message:

{
  "source_mcp": "gmail",
  "data_type": "security_event",
  "title": "CrowdStrike Alert: Suspicious PowerShell",
  "content": "Alert forwarded from SOC...",
  "metadata": {"date": "2025-04-08", "from": "soc@company.com"}
}

`ingest_document`¶

For full documents — IR plans, policies, runbooks:

{
  "source": "notion",
  "document_type": "ir_plan",
  "title": "Incident Response Plan v3.2",
  "content": "## Purpose\nThis plan defines..."
}

Configuring Sibling MCPs¶

Add multiple MCP servers to your Claude session:

Claude CodeClaude Desktop

{
  "mcpServers": {
    "ttx-salient": { "command": "python3", "args": ["tools/mcp-ttx/server.py"] },
    "gmail": { "command": "npx", "args": ["-y", "@anthropic/mcp-gmail"] },
    "notion": { "command": "npx", "args": ["-y", "@anthropic/mcp-notion"] }
  }
}

Add all servers to claude_desktop_config.json following each MCP server's setup instructions.

MCP Client · Tools Reference