SEON MCP: AI-Assisted Investigation Guide

SEON MCP connects your Claude directly to your SEON account. Instead of manually building filters or clicking through multiple screens, you describe what you want to find in plain English. AI translates your question into a secure query, retrieves the relevant data from SEON and presents a clear summary of the results.

This guide is for fraud and AML analysts who may be new to AI tools. No technical background is required.

Note: SEON MCP is currently in beta. If you want it enabled on your account, reach out to your account manager or email us at support@seon.io

What is MCP?

MCP (Model Context Protocol) is an open standard that gives AI assistants a consistent way to connect to external systems. SEON's MCP server lets any compatible AI assistant query your investigation data on your behalf.

The connection is secure, auditable and strictly read-only so AI cannot change anything in your SEON account.

Complete these two steps once before connecting any AI tool. You only need to do this once per account and per user.

MCP is disabled by default. An account admin must enable it before any AI tool can connect.

Step 1: Enable MCP in your SEON account
Log in to SEON. Navigate to Settings -> System -> AI & Machine Learning -> Agent & MCP settings, toggle MCP on and cllick Save at the top right hand of the screen. Only users with Admin permissions can perform this step.

Step 2: Verify your user permissions
SEON MCP respects your existing role-based permissions. If you cannot view a customer or transaction in the SEON UI, you will not be able to access it through MCP either. Contact your admin if you need your access level expanded.

Once connected, your AI assistant can use five read-only investigation tools. In most supported clients, you do not need to choose the tool yourself. AI selects the right tool based on your request.

Note: All five tools are read-only. AI cannot create rules, label transactions or modify any data in your SEON account.

Transaction filtering

Describe the transactions you want to find in plain English. SEON converts your description into structured filters and returns a preview of up to 50 matching transactions, along with aggregate statistics for the full result set. You can also reference saved filters by name.

Example prompts:

• Show me declined transactions from the last 7 days with an amount over 100 EUR.
• Find transactions from the last 14 days where the IP country is the US, but the billing country is not the US.
• Filter to card payments from Hungary and Romania, completed status only, from the past 30 days.
• Run the "High Risk Customer" saved filter and show me the results.
• Find transactions where the customer email contains @gmail.com and the status is review.

Transaction statistics

Get aggregated statistics across a filtered set of transactions. This is useful for trend analysis, shift handovers and reporting to leadership. Statistics include transaction counts, total and average amounts, fraud score distribution (min/max/average), AI insight score, decline and review rates and unique user and device counts.

Example prompts:

• How many declined transactions did we have over the last 7 days, and what were the total and average amounts?
• For the last 30 days, compare transaction volume by billing country for Hungary versus Romania
• For declined transactions in the last 7 days, how many unique users and devices are involved?
• What is the fraud score distribution for Visa transactions with BIN 457123?
• For the saved filter "High Risk Customers", what are the key stats?

Single transaction details

Retrieve the full details of a single transaction using its transaction ID or by pasting the SEON admin URL directly into your AI chat. AI can return either a structured data payload or a summary. You can choose which data dimensions to include — triggered rules, linked devices, email signals, IP signals, card details and more.

Example prompts:

• Summarise transaction 12345
• Why is transaction 12345 in review?
• What caused the high fraud score for transaction 12345?
• Show me the linked devices and IPs for transaction 12345
• Which rules triggered for transaction 12345?

You can also paste a SEON admin URL directly into your prompt instead of a transaction ID. For example: "Summarise this transaction: https://admin.seon.io/transactions/12345/summary"

Customer details

Retrieve a complete customer profile for a given user ID or SEON customer URL. This includes the customer's risk signals, full activity history and network connections — showing who they are linked to through shared devices, emails, IPs or payment cards.

Example prompts:

• Who is user_abc and what is their risk profile?
• What has user_abc been doing in the last week?
• Show me any suspicious activity for user_abc in the last month.
• Show me clusters around user_abc — shared device, email, IP or card.
• Who is the customer behind transaction 12345?

Similarity ranking

Find other users who share data points — such as device fingerprint, IP address, card BIN or email domain — with a specific customer or transaction. Results are ranked and grouped into three tiers: Identical, Highly Similar and Associated. This tool is particularly valuable for uncovering coordinated fraud rings and account takeover clusters.

What the tiers mean:

• Identical: Users sharing the exact same high-confidence signal (e.g., the same device fingerprint or card number).
• Highly Similar: Users sharing multiple signals, suggesting a strong connection.
• Associated: Users sharing at least one signal, indicating a weaker but potentially relevant link.

Example prompts:

• Who else looks like user_abc?
• Show me identical and highly similar users to user_abc, and what data points they share.
• Are there near-duplicate accounts for this user?
• Find other users strongly connected to transaction 12345.

Follow the guide for the AI platform you use. Setup time varies by platform, plan and admin controls. All supported platforms use the same SEON MCP endpoint and an OAuth sign-in flow.

Tip: OAuth is the industry-standard secure login method. When prompted, you will sign in with your existing SEON credentials — no new passwords or API keys are required. If your AI platform is cloud-hosted, the SEON MCP endpoint must be reachable from the public internet.

Claude 

The claude.ai web interface is the recommended path for fraud analysts. No software installation is required — you connect directly from your browser.

Step 1    Enable MCP in the Seon Admin Panel
Go to admin.seon.io and sign in. Navigate to Settings / System / AI & Machine Learning -> Agent & MCP settings, turn MCP on, and click Save. Only users with Admin permissions can complete this step.

Step 2    Open connectors in Claude
Go to claude.ai and sign in.  
Team or Enterprise: An admin system Owner must first add the connector in Organization settings -> Connectors.
Individual supported plans: Open Settings -> Connectors, click +, then click Add custom connector.
 

Step 3    Add the Seon connection
Give the connection a name (for example, "SEON") and paste your SEON MCP endpoint depending on the region that you live in. Use the endpoint for your SEON region:

• Europe: https://mcp.seon.io/mcp
• North America: https://mcp.us-east-1-main.seon.io/mcp
• Middle East: https://mcp.me-central-1-main.seon.io/mcp
• Asia Pacific (Singapore): https://mcp.ap-southeast-1-main.seon.io/mcp
• Asia Pacific (Jakarta): https://mcp.ap-southeast-3-main.seon.io/mcp

If you are unsure about what URL you should use, login to your SEON account and look at the URL. Choose the URL that matches your environment. For example, for European hosted accounts, URLs will show up as https://admin.seon.io/ and map to https://mcp.seon.io/mcp

Step 4    Complete the OAuth login
Claude opens the SEON sign-in and consent flow. Sign in with your normal SEON credentials and approve the requested permissions. The connection shows as active once complete.

Step 5    Start investigating
Open a new Claude conversation and try: "Show me declined transactions from the last 7 days." Claude will automatically call the SEON tools and present the results.

Claude desktop 

Claude Desktop can use the same remote SEON connector as Claude web. Use this path if you prefer the desktop app.

Step 1    Install Claude Desktop
Download and install Claude Desktop from claude.ai/download, then sign in with your Claude account.

Step 2    Open connectors in Claude Desktop
Open Claude Desktop.
Team or Enterprise: An admin system Owner must first add the connector in Organization settings ? Connectors.
Individual supported plans: Open Settings -> Connectors, click +, then click Add custom connector.

Step 3    Add the Seon connection
Give the connection a name (for example, "SEON") and paste your SEON MCP endpoint. Use the endpoint for your SEON region:

• Europe: https://mcp.seon.io/mcp
• North America: https://mcp.us-east-1-main.seon.io/mcp
• Middle East: https://mcp.me-central-1-main.seon.io/mcp
• Asia Pacific (Singapore): https://mcp.ap-southeast-1-main.seon.io/mcp
• Asia Pacific (Jakarta): https://mcp.ap-southeast-3-main.seon.io/mcp

If you are unsure about what URL you should use, login to your SEON account and look at the URL. Choose the URL that matches your environment. For example, for European hosted accounts, URLs will show up as https://admin.seon.io/ and map to https://mcp.seon.io/mcp

Step 4    Complete the OAuth login
Claude opens the SEON sign-in and consent flow. Sign in with your normal SEON credentials and approve the requested permissions. The connection shows as active once complete.

Step 5    Start investigating
Open a new Claude conversation and, if prompted, enable SEON for that chat. Try: "Show me declined transactions from the last 7 days."

The following examples show how to use SEON MCP for the most common fraud and AML investigation scenarios. Each example shows the prompt you would send and what AI returns.

Morning shift triage

You start your shift and need to quickly understand whether anything unusual happened overnight — without manually building filters in the SEON UI.

Example prompt
"Show me the last 12 hours of declined transactions. How does the volume compare to yesterday, and are there any geographic anomalies?"

What you get back
Returns decline counts, a volume comparison against the previous day, and a breakdown by IP country — flagging any unusual spikes automatically.

Deep-dive into a flagged transaction

A transaction has been flagged for manual review. You need to understand exactly why and decide whether to approve or reject it quickly.

Example prompt
"Why is transaction 48291 in review? What rules triggered, and what does the linked device history look like?"

What you get back
Returns the triggered rule set, fraud score breakdown, linked device fingerprints and a plain-English explanation of the risk signals.

Identify a potential fraud ring

A high-fraud-score user was declined. You suspect they may be part of a coordinated group and want to map the network before taking action.

Example prompt
"Who looks similar to user_7x9mz? Show me identical and highly similar users, and what data points they share."

What you get back
Returns a ranked list of up to 30 connected users grouped by similarity tier, with the shared signals (device ID, card BIN, IP, email domain) that link them.

Country-level pattern analysis

Your team suspects a surge in fraud from a specific region. You need statistics broken down by country to quantify the pattern and report to leadership.

Example prompt
"For the last 30 days, compare transaction volume, decline rates and average fraud score by billing country for our top 10 markets."

What you get back
Produces a country-by-country statistical breakdown including counts, amounts and decline percentages — ready to include in a report.

Investigate a high-risk customer

Customer support has escalated an account after multiple chargebacks. Your team needs a full picture before deciding whether to restrict or close the account.

Example prompt
"Show me everything about user john.doe@example.com. What is their risk profile, recent activity and who are they connected to?"

What you get back
Returns the customer profile, full activity history, connection graph highlights and any shared signals with other flagged users.

Card BIN fraud investigation

You notice a BIN range appearing in a high volume of declined transactions and suspect a stolen card dump attack.

Example prompt
"Filter transactions where card BIN starts with 457123, status is declined, from the last 48 hours. How many unique devices and users are involved?"

What you get back
Returns filtered transaction count, unique device and user counts and aggregated fraud scores — confirming or ruling out a coordinated BIN attack pattern.

Daily saved filter report

Your team maintains a saved filter that needs to be checked every morning as part of an SLA commitment. Instead of opening SEON and running the filter manually, you ask AI.

Example prompt
Show me VIP customers in review from the last 24 hours and give me the key statsts — counts, amounts, top triggered rules.

What you get back
Returns a repeatable summary for that exact prompt, which is easier to validate and reuse across the team..

Explaining a fraud score to a new analyst

You are new to the team and encounter a transaction with a high fraud score. You are not yet familiar with all of SEON's risk signals and want a plain-language explanation before making a decision.

Example prompt
"I am looking at transaction 88102 and it has a fraud score of 87. Can you explain in plain English what that score means and what I should check next?"

What you get back
Returns a plain-language explanation of the score, the contributing signals, the triggered rules and a recommended next-step checklist, significantly lowering the learning curve for new analysts.

The following tips will help you get the most accurate and useful responses from SEON MCP.

Always specify a time range
Vague prompts like "show me declined transactions" may return unexpected date ranges or time out. Be explicit: "Show me declined transactions from the last 7 days with a fraud score above 75."

Use saved filters for repeatable queries
If you run the same type of investigation daily, save the filter in SEON's UI and reference it by name in your prompts. This ensures consistency and saves time: "Run the 'High Risk Customers – Last 24h' saved filter and show me the key stats."

Start broad, then drill down
Begin with a high-level filter to understand the landscape, then follow up with specific transaction or customer queries. This mirrors how experienced analysts work and helps AI maintain context across a conversation.

Chain tools together in one conversation
The most powerful investigations combine multiple tools. Start from a transaction, pivot to the customer, then look at their network — all in the same conversation. Example: "From transaction 99231, who is the customer, and do they have any highly similar users sharing the same device?"

Ask for structured output when reporting
When you need to share findings with colleagues or paste results into a report, tell AI how to format the output: "Summarize the fraud stats for last week in a bullet-point format suitable for a weekly leadership email."

SEON MCP is designed with a security-first approach. Access is controlled at every level, from the account-level toggle to individual user permissions. The following controls are in place by default.

Explicit opt-in: MCP access is disabled by default for all accounts. An admin must intentionally enable it in Settings before any AI tool can connect.

OAuth authentication: All MCP connections use OAuth. Users must log in and explicitly grant permission before any data can be accessed. No static API keys are used.

Permission-scoped access: MCP tools respect your existing SEON role permissions. You can only access data that your user role already permits within the SEON UI.

Read-only: No rules can be created, no transactions labelled and no account settings changed via MCP. AI can only retrieve and summarize data.

Full audit trail: Every MCP action is recorded in the SEON Activity log with a dedicated MCP icon and filter. Nothing is hidden from your security or compliance team.

Kill switch: Admins can disable all MCP access for the entire account instantly via a single toggle in Settings — no engineering action required.

All MCP activity is recorded in the SEON Activity log, giving your security and compliance teams full visibility into what AI tools are doing on your behalf.

MCP actions appear in the Activity log with a dedicated MCP icon, making them easy to distinguish from manual analyst actions. You can filter the Activity log to show only MCP-originated activities using the MCP activities filter.

Each Activity log entry records the user who authorized the connection, the tool called, the timestamp and a summary of the query parameters used. Raw transaction data is not logged — only the query context.

Tip: You can access the Activity log from Settings -> Activity log in the SEON UI. Use the MCP activities filter to view only AI-generated actions.

AI says it cannot find a transaction or a customer
Verify that you have the correct permissions in the SEON dashboard to view that data. MCP cannot bypass your role-based access controls. Contact your admin if you need your access level expanded.

The connection shows as inactive or disconnected
Your OAuth token may have expired. Go to your AI assistant's integration settings, find the SEON connection, and re-authenticate. This typically takes under a minute.

AI is returning results from an unexpected time range
Always include an explicit time range in your prompt. For example: "Show me declined transactions from the last 7 days" rather than "Show me declined transactions."

I cannot see the MCP Access option in Settings
Only users with the necessary permissions can see and enable MCP Access. Contact your SEON account administrator.

Is MCP enabled by default?
No. MCP access is disabled for all SEON accounts by default. An account admin must explicitly enable it in Settings -> Integrations -> MCP Access. Individual users must also complete an OAuth authorization flow before their AI tool can connect.

Does MCP bypass my team's existing permissions?
No. SEON MCP respects your existing role-based permissions exactly as they are configured. If a user cannot view a specific customer or transaction in the SEON UI, MCP will not return that data either. OAuth tokens are scoped to the authorizing user's permission level.

Can AI make changes to my SEON account?
No. SEON MCP is strictly read-only in this release. AI cannot create or modify rules, label transactions, change account settings or take any action on your behalf.

How do I revoke MCP access?
A SEON admin can disable MCP access in the SEON MCP settings page. Individual users can also disconnect SEON from their AI client and re-authenticate later if needed. All active sessions are terminated immediately upon revocation.

Is my data safe when using an AI assistant?
Yes. All connections use OAuth, which means AI never sees your SEON password. Access is scoped to your existing permissions, is read-only and every action is logged in the Activity log. You can revoke access at any time.

What is a fraud score, and how should I interpret it?
A fraud score in SEON is a number from 0 to 100 that reflects the level of risk associated with a transaction or customer. A score above 75 is typically considered high risk. You can ask AI to explain any score: "Explain the fraud score for transaction 12345 and what I should check next."