What can you do with this server?

TurboPentest MCP Server lets you launch and manage AI-powered penetration tests against verified domains directly from your AI assistant (Claude Desktop, Claude Code, Cursor, etc.). * Start a pentest (start_pentest): Launch a pentest against a verified target URL, choosing from four scan tiers (recon, standard, deep, blitz) and optionally providing a GitHub repo for white-box scanning (SAST, secrets, SCA). * Get pentest details (get_pentest): Retrieve status, progress, findings summary, executive summary, attack surface map, and STRIDE threat model for a specific pentest. * List pentests (list_pentests): View all pentests ordered newest first, filterable by status (queued, scanning, complete, failed). * Get findings (get_findings): Fetch structured vulnerability findings including severity, CVSS, CWE, proof-of-concept, remediation guidance, and retest commands — filterable by severity. * Download reports (download_report): Download completed pentest reports in markdown (AI-friendly), JSON (structured data), or PDF (formatted document) format. * Check credits (get_credits): View your credit balance and available scan tiers with pricing. * Verify attestation (verify_attestation): Publicly verify a blockchain-anchored pentest attestation by hash — no API key required. * List domains (list_domains): View verified domains and their verification status (domains must be verified before pentesting). * Built-in prompts: Use guided workflows for deep-dive findings analysis (analyze_findings), comparing pentests (compare_pentests), running full-lifecycle pentests (run_pentest), and summarizing overall security posture (security_posture).

Which integrations are available for this server?

Allows for white-box scanning by integrating GitHub repositories into penetration test workflows for source code analysis.

TurboPentest

by IntegSec

Overview Schema Related Servers Score Discussions

TypeScript

Remote

@turbopentest/mcp-server

MCP server for TurboPentest — launch AI-powered penetration tests, review vulnerability findings, and generate security reports, all without leaving your coding assistant.

What it does

Ask your AI assistant to run a pentest, check progress, and walk you through remediation — the server handles all the API calls. Every completed scan is anchored to the blockchain, giving you a tamper-proof attestation you can share with customers or auditors.

Quick start

1. Get your API key

2. Verify a domain

Before scanning, verify that you own the target domain at turbopentest.com/domains.

3. Add the server to your MCP client

Claude Code (.mcp.json in your project root):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Claude Desktop (claude_desktop_config.json):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Cursor (Settings > MCP Servers > Add):

{
  "command": "npx",
  "args": ["@turbopentest/mcp-server"],
  "env": {
    "TURBOPENTEST_API_KEY": "tp_live_..."
  }
}

Example session

You:    "Run a standard pentest on staging.example.com"
Claude: Checks domain is verified, confirms credit balance,
        calls start_pentest → "Started tp_abc123, 4 agents, ~1 hour"

You:    "Any findings yet?"
Claude: Calls get_pentest → "62% complete — 3 findings (1 high, 2 medium)"

You:    "Show me the high severity ones"
Claude: Calls get_findings(severity: "high") →
        [1] HIGH: SQL Injection in /api/search
            CVSS: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
            CWE: CWE-89
            PoC: POST /api/search?q=' OR 1=1--
            Remediation: Use parameterized queries...
            Retest: sqlmap -u "https://staging.example.com/api/search" ...

You:    "Give me a prioritized remediation plan"
Claude: Uses the analyze_findings prompt → produces a full markdown
        remediation plan grouped by severity and effort

White-box scanning

Pass a GitHub repository URL to start_pentest to enable white-box mode. In addition to black-box testing, the scan will include:

SAST — static code analysis for common vulnerability patterns
Secret detection — leaked API keys, credentials, and tokens in source
SCA — dependency audit for known CVEs

You:  "Pentest staging.example.com, the repo is github.com/myorg/myapp"

Tools

Tool	Description
`turbopentest_start_pentest`	Launch a pentest against a verified domain. Supports four tiers and optional GitHub repo for white-box scanning.
`turbopentest_get_pentest`	Get scan status, progress, findings summary, executive summary, attack surface map, and STRIDE threat model.
`turbopentest_list_pentests`	List all pentests with status and finding counts. Filterable by status.
`turbopentest_get_findings`	Retrieve structured findings with severity, CVSS, CWE, OWASP category, PoC, remediation steps, and retest commands. Filterable by severity.
`turbopentest_download_report`	Download a report in markdown (best for AI), JSON, or PDF format.
`turbopentest_get_credits`	Check your credit balance and available scan tiers with pricing.
`turbopentest_verify_attestation`	Verify a blockchain-anchored attestation by SHA-256 hash. No API key required — public endpoint.
`turbopentest_list_domains`	List your verified domains and their verification status.

Prompts

Built-in prompts guide your AI assistant through multi-step workflows. Invoke them by name in any MCP client that supports prompts.

Prompt	Description
`run_pentest`	Full-lifecycle pentest: domain check → credit verification → launch → progress monitoring → findings summary → report download
`analyze_findings`	Deep-dive analysis of a single pentest's findings, producing a prioritized remediation plan with effort estimates and retest commands
`compare_pentests`	Diff two pentests on the same target — shows what's new, what's been fixed, and what's still unresolved
`security_posture`	Executive briefing across your 5 most recent pentests: risk trends, highest-risk targets, and top 3 recommended actions

Scan tiers

Tier	Agents	Duration	Price
Recon	1	~30 min	$49
Standard	4	~1 hour	$99
Deep	10	~2 hours	$299
Blitz	20	~4 hours	$699

Default tier is standard. Use recon for a quick surface sweep or blitz for maximum coverage on critical assets.

Blockchain attestation

Every completed pentest is anchored on-chain as a tamper-proof attestation. The SHA-256 hash is included in the report and can be independently verified — by you, your customers, or auditors — with no API key required:

You:  "Verify attestation abc123def456..."

turbopentest_verify_attestation returns the scan metadata (tier, agents, duration, risk score, findings summary) alongside the blockchain proof (chain ID, transaction hash, block number, merkle root).

Configuration

Variable	Required	Default	Description
`TURBOPENTEST_API_KEY`	Yes	—	API key from turbopentest.com/settings/api-keys
`TURBOPENTEST_API_URL`	No	`https://turbopentest.com/api`	Override the API base URL (for testing)

Requirements

Node.js 18+
A TurboPentest account with at least one verified domain

License

MIT

Install Server

license - permissive license

quality

maintenance

How are these scores calculated?

Resources

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Tools

Appeared in Searches

A server for penetration testing resources and information

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/IntegSec/turbopentest-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server