PenTest MCP Server
The PenTest MCP Server is an AI-powered penetration testing assistant that exposes 25+ professional security tools to AI agents (e.g., Claude Desktop), enabling natural language-driven security assessments.
Session & Reporting
Initialize assessment sessions for a target (
init_session)Generate AI-powered, CVE-enriched security reports (
get_report)
Preset Scan Modes
Quick Scan (10โ15 min): WAF detection, subdomain enum, port scan, TLS audit, header analysis, SSRF/CSRF checks
Extensive Scan (20โ45 min): Full recon, top-1000 port scan, directory discovery, XSS, SQLi, CSRF, TLS audit, and more
Reconnaissance & OSINT
Subdomain enumeration:
subfinder,amassDNS recon:
dnsreconOSINT gathering:
theharvesterWeb tech fingerprinting:
whatwebWAF detection:
wafw00f
Network Scanning
Port/service scanning:
nmap,masscanTLS/SSL analysis:
sslyze,testssl
Vulnerability Scanning
Template-based scanning:
nucleiSQL injection:
sqlmapXSS:
dalfoxCommand injection:
commixWeb server scanning:
niktoCORS misconfigurations:
corscannerGraphQL security:
graphql_copJS library CVEs:
retire
Web Fuzzing & Discovery
Directory/file/vhost discovery:
ffuf,gobuster,wfuzzHTTP parameter discovery:
arjun
Secrets & Auth Testing
Secret/credential scanning:
trufflehogExposed
.gitdumping:git_dumperJWT security testing:
jwt_tool
Note: All active scanning tools require explicit
consent: trueto ensure ethical and authorized testing.
Provides capabilities to detect and analyze exposed Git repositories on target servers to identify potential source code leaks.
Integrates security tools like graphql-cop to perform vulnerability assessments and security auditing of GraphQL endpoints.
Maps penetration testing findings to the OWASP Top 10 security standards for comprehensive and industry-aligned reporting.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@PenTest MCP ServerRun a quick security scan on example.com and analyze the findings."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
๐ก๏ธ PenTest MCP
AI-Powered Security Scanning via Model Context Protocol (MCP)
PenTest MCP is a specialized MCP server that exposes 25+ professional security tools to AI agents like Claude Desktop. It enables security researchers and developers to orchestrate penetration testing through natural language, automating complex tool chains and generating professional reports.
๐ Quick Start (Claude Desktop)
Install dependencies:
pip install -e .Configure Claude Desktop: Add the following to your
claude_desktop_config.json:{ "mcpServers": { "pentest": { "command": "python3", "args": [ "-m", "pentest_mcp.mcp_server" ], "cwd": "/absolute/path/to/pentest-mcp" } } }Restart Claude Desktop and start scanning:
"Initialize a security assessment for http://localhost:3001"
"Run a quick scan on http://localhost:3001 with consent"
"Check if the site has a WAF"
"Generate the final security report"
Claude Desktop Integration - Full orchestration via the Model Context Protocol.
25+ Security Tools - Including
nmap,sqlmap,nuclei,ffuf,nikto,testssl, and more.Natural Language Orchestration - Ask security questions, Claude picks the right tools.
Preset Scan Modes - Quick Triage and Extensive Assessment modes.
AI-Generated Reports - Professional markdown reports powered by Gemini AI.
CVE Enrichment - Findings are automatically cross-referenced with CVE data.
๐ ๏ธ Supported Tools (25)
Category | Tools |
Reconnaissance |
|
Vulnerability Scanning |
|
Web Fuzzing |
|
TLS/SSL |
|
Advanced/OSINT |
|
๐ง Installation & Setup
Prerequisites
Python 3.11+
Gemini API Key (for reports and analysis)
(Recommended) External tools installed:
nmap,sqlmap,ffuf,nuclei, etc.
Configuration
Create a .env file in the project root:
GEMINI_API_KEY=your_api_key_here
GEMINI_MODEL=gemini-flash-lite-latest๐ Project Structure
pentest-mcp/
โโโ pentest_mcp/
โ โโโ mcp_server.py # Main MCP server entry point
โ โโโ scan_modes.py # Quick & Extensive scan logic
โ โโโ session.py # Session & DB management
โ โโโ report_engine.py # AI report generation
โ โโโ llm_providers.py # Gemini API integration
โ โโโ tools/ # Tool wrappers & logic
โ โโโ models.py # Pydantic data models
โโโ vulnerable-app/ # Local test target (Node.js)
โโโ reports/ # Generated scan reports
โโโ pyproject.toml # Project dependencies๐ Security Notice
This tool is for authorized security testing only.
Always obtain explicit written permission before scanning any target.
Unauthorized testing is illegal and unethical.
The
consentflag is a mandatory requirement for all active scanning tools.
Built with ๐ Python ยท ๐ง Gemini AI ยท ๐ก๏ธ MCP
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/MohitSahoo/MCPToolForWebVulnerabilities-'
If you have feedback or need assistance with the MCP directory API, please join our Discord server