Tengu
Allows execution of Metasploit modules for exploitation and post-exploitation activities during penetration testing engagements.
Integrates with OWASP ZAP for automated web application security scanning, including active and passive scanning.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Tenguscan 192.168.1.100 for open ports"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Tengu — Pentesting MCP Server
Tengu is an MCP server that turns Claude into a penetration testing copilot. It orchestrates 80 security tools — from Nmap to Metasploit — with built-in safety controls, audit logging, and professional reporting.
What is it? An MCP server that connects Claude to industry-standard pentest tools
Why use it? Automates recon and scanning while keeping the human in control of exploits
Who is it for? Pentesters, red teamers, security students, and consulting firms
Key Features
80 Tools — Nmap, Metasploit, SQLMap, Nuclei, Hydra, Burp-compatible ZAP, and more
AI-Orchestrated — Claude decides the next tool based on previous findings
Safety First — Allowlist, rate limiting, audit logs, and human-in-the-loop for destructive actions
Auto Reports — Correlate findings and generate professional pentest reports (MD/HTML/PDF)
35 Workflows — Pre-built prompts for full pentest, web app, AD, cloud, and more
20 Resources — Built-in OWASP Top 10, MITRE ATT&CK, PTES, and pentest checklists
Stealth Layer — Optional Tor/SOCKS5 proxy routing, UA rotation, and timing jitter
MCP Server Mode (Copilot)
Use Claude as an interactive pentest copilot — you direct the engagement, Claude picks the right tools and chains them together automatically.
Quick Start
git clone https://github.com/rfunix/tengu.git && cd tengu
make docker-build
make docker-upConnect Claude Code to the running server:
claude mcp add --transport sse tengu http://localhost:8000/sseThen ask Claude: Do a full pentest on http://192.168.1.100
Claude chains tools automatically: validate_target → whatweb → nmap → nikto →
nuclei → sqlmap → correlate_findings → generate_report
Docker Profiles
Command | What it starts |
| Tengu MCP server ( |
| + Juice Shop, DVWA (safe practice targets) |
| + Metasploit, OWASP ZAP (real-world targets) |
| + Metasploit, ZAP, and lab targets |
Scan custom targets without editing files:
TENGU_ALLOWED_HOSTS="192.168.1.0/24,10.0.0.0/8" make docker-upImage Tiers
Choose the right size for your use case:
Tier | Size | MCP Tools | Use case |
| ~480MB | 17 | Lightweight analysis, CVE research, reporting |
| ~7GB | 47 | Full pentest toolkit (default) |
| ~8GB | 80 | Everything + AD, wireless, stealth/OPSEC |
TENGU_TIER=minimal make docker-build # lightweight
TENGU_TIER=core make docker-build # default
TENGU_TIER=full make docker-build # everythingAll tiers include all 35 prompts and 20 resources — only the binary tools differ.
Prerequisites: Python 3.12+, uv, Kali Linux (recommended)
git clone https://github.com/rfunix/tengu.git && cd tengu
# Install Python dependencies
uv sync
# Install external pentesting tools (Kali/Debian)
make install-tools
# Run the MCP server (stdio transport)
uv run tenguConnect Claude Code:
claude mcp add --scope user tengu -- uv run --directory /path/to/tengu tenguConfigure allowed targets in tengu.toml:
[targets]
allowed_hosts = ["192.168.1.0/24", "example.com"]For Claude Desktop, VM/SSE remote setup, and advanced configurations, see docs/deployment-guide.md.
Configuration Reference
[targets]
# REQUIRED: Only these hosts will be scanned
allowed_hosts = ["192.168.1.0/24", "example.com"]
blocked_hosts = [] # Always blocked, even if in allowed_hosts
[stealth]
enabled = false # Route traffic through Tor/proxy
[stealth.proxy]
enabled = false
type = "socks5h"
host = "127.0.0.1"
port = 9050
[osint]
shodan_api_key = "" # Required for shodan_lookup
[tools.defaults]
scan_timeout = 300 # secondsSee docs/configuration-reference.md for the full reference.
Autonomous Agent Mode
Run a fully autonomous pentest without manual tool invocation. The agent uses Claude as its strategic brain and Tengu as its execution toolset, following the PTES methodology from recon through reporting.
Quick Start
cp .env.example .env
# Edit .env: set ANTHROPIC_API_KEY and TENGU_AGENT_TARGETLab targets (Juice Shop, DVWA):
make docker-lab
make docker-agent # default model (sonnet)
make docker-agent-haiku # cheaper — claude-haiku-4-5, max_tokens=1024
make docker-agent-sonnet # balanced — claude-sonnet-4-6, max_tokens=4096Real-world pentests (Tengu + MSF + ZAP, no lab containers):
make docker-pentest
make docker-agentView reports in browser:
make docker-report-view # http://localhost:8888 — styled HTML, all reports
make docker-report-browse # same, auto-opens browser
REPORT_PORT=9999 make docker-report-view # custom portWithout Docker:
uv sync --extra agent
python autonomous_tengu.py 192.168.1.100 --scope 192.168.1.0/24 --type blackbox
# Cost-optimised run
python autonomous_tengu.py 192.168.1.100 --model claude-haiku-4-5 --max-tokens 1024 --timeout 30Cost control — three env vars / CLI flags:
Flag | Env var | Default |
|
|
|
|
|
|
|
|
|
How It Works
START → initializer → strategist ─┬─→ executor → analyst ─┬─→ strategist (loop)
│ └─→ reporter → END
├─→ human_gate → executor
└─→ reporter → ENDKey behaviors:
Strategist (Claude) reads the current PTES phase and accumulated state to decide each action
Executor calls exactly one Tengu MCP tool per iteration
Analyst (Claude) extracts structured data from tool output and advances phases
Human gate interrupts execution before destructive tools (
msf_run_module,hydra_attack,impacket_kerberoast,sqlmap_scanwith level≥3)Runs until all 7 PTES phases are covered or
--max-iterationsis reachedFinal Reporter calls
correlate_findings+score_risk+generate_report
PTES Methodology — 7 Phases
Phase | Name | What Tengu Does | Key Tools |
1 | Pre-Engagement |
|
|
2 | Intelligence Gathering | OSINT, DNS recon, subdomain enumeration, technology fingerprinting |
|
3 | Threat Modeling | Claude analyzes gathered intel, prioritizes attack surface, builds threat scenarios | (AI-driven — no external tool) |
4 | Vulnerability Analysis | Template scanning, web app testing, SSL/TLS analysis, parameter fuzzing |
|
5 | Exploitation | Controlled exploitation of confirmed vulnerabilities with human-in-the-loop |
|
6 | Post-Exploitation | Credential harvesting, lateral movement assessment, privilege escalation |
|
7 | Reporting | Correlate all findings, calculate risk scores, generate professional report |
|
Tool Catalog
minimal(17 tools, ~480MB) ·core(47 tools, ~7GB, default) ·full(80 tools, ~8GB) Build with:TENGU_TIER=<tier> make docker-build. All tiers include all 35 prompts and 20 resources.
Category | Tools | Count |
Reconnaissance | Nmap, Masscan, Amass, Subfinder, Gowitness, HTTrack, Katana, httpx, SNMPwalk, RustScan | 10 |
Web Scanning | Nikto, Nuclei, FFUF, Gobuster, WPScan, Feroxbuster, OWASP ZAP, wafw00f | 8 |
SSL / TLS | sslyze, testssl.sh, HTTP headers analysis, CORS tester | 4 |
DNS | DNS Enumerate, DNSRecon, Subjack, WHOIS | 4 |
OSINT | theHarvester, Shodan, WhatWeb, DNStwist | 4 |
Injection Testing | SQLMap, Dalfox (XSS), Commix, CRLFuzz, GraphQL Security Check, Arjun | 6 |
Brute Force | Hydra, John the Ripper, Hashcat, CeWL | 4 |
Exploitation | Metasploit (search, info, run, sessions, cmd), SearchSploit | 6 |
Social Engineering | SET credential harvester, QR code attack, payload generator | 3 |
Secrets & Code | TruffleHog, Gitleaks | 2 |
Container & Cloud | Trivy, Checkov, ScoutSuite, Prowler | 4 |
Active Directory | NetExec, Enum4linux, Impacket (Kerberoast, secretsdump, psexec, wmiexec, smbclient), BloodHound, Responder, SMBMap | 10 |
Wireless | aircrack-ng / airodump-ng | 1 |
Anonymity & Stealth | Tor check/rotate, proxy check, identity rotation | 5 |
Analysis & Reporting | Finding correlation, CVSS risk scoring, report generation | 3 |
CVE Intelligence | CVE lookup (NVD), CVE search by keyword/product/severity | 2 |
Utility | Tool checker, target validator | 2 |
Reconnaissance
Tool | Description |
| Port scanning and service/OS detection |
| High-speed port scanner for large networks |
| Passive subdomain enumeration |
| Attack surface mapping and DNS brute-force |
| DNS recon (zone transfer, brute-force, PTR) |
| DNS record enumeration (A, MX, NS, TXT, SOA…) |
| WHOIS domain and IP lookup |
| Subdomain takeover detection |
| Web screenshot capture for documentation |
| Full website mirror for offline analysis and forensics |
| Fast web crawler for link discovery and endpoint mapping |
| HTTP probe — status codes, tech stack, redirects |
| SNMP enumeration and MIB walking |
| Ultra-fast port scanning (finds open ports for Nmap follow-up) |
Web Scanning
Tool | Description |
| Template-based vulnerability scanner (CVEs, misconfigs) |
| Web server misconfiguration and outdated software scanner |
| Directory, parameter, and vhost fuzzing |
| Directory, DNS, and vhost brute-force |
| WordPress vulnerability scanner |
| Comprehensive SSL/TLS configuration analysis |
| HTTP security headers analysis and grading |
| CORS misconfiguration detection |
| SSL/TLS certificate and cipher check (sslyze) |
| Web Application Firewall detection and fingerprinting |
| Fast, recursive content discovery via brute-force |
OSINT
Tool | Description |
| Email, subdomain, and host enumeration from public sources |
| Shodan host and asset search |
| Web technology fingerprinting (CMS, WAF, frameworks) |
| Domain permutation and typosquatting detection |
Injection Testing
Tool | Description |
| Automated SQL injection detection and exploitation |
| XSS detection via Dalfox |
| Automated command injection detection and exploitation |
| CRLF injection fuzzing for header injection vulnerabilities |
| GraphQL introspection, batching, depth limit, field suggestions |
| Hidden HTTP parameter discovery |
Exploitation
Tool | Description |
| Search Metasploit modules |
| Get detailed Metasploit module information |
| Execute a Metasploit module (requires explicit confirmation) |
| List active Metasploit sessions |
| Execute a command on an active session (shell/Meterpreter) |
| Search Exploit-DB offline database |
Social Engineering
Tool | Description |
| Clone a website and capture submitted credentials (authorized phishing simulations) |
| Generate QR code pointing to a URL for physical social engineering assessments |
| Generate social engineering payloads (PowerShell, HTA) for authorized campaigns |
Brute Force
Tool | Description |
| Network login brute-force (SSH, FTP, HTTP, SMB…) |
| Dictionary hash cracking (Hashcat / John the Ripper) |
| Hash type identification |
| Custom wordlist generation from a target website |
Proxy / DAST
Tool | Description |
| OWASP ZAP web spider |
| OWASP ZAP active vulnerability scan |
| Retrieve ZAP scan findings |
Secrets & Code Analysis
Tool | Description |
| Leaked secrets detection in git repositories |
| Credential scanning in git history |
Container Security
Tool | Description |
| Vulnerability scanning for Docker images, IaC, and SBOM |
Cloud Security
Tool | Description |
| Cloud security audit (AWS, Azure, GCP) |
| AWS/GCP/Azure security best practices and compliance audit |
Active Directory
Tool | Description |
| SMB/NetBIOS enumeration |
| Active Directory enumeration via NetExec |
| Kerberoasting with Impacket GetUserSPNs |
| Remote SAM/LSA/NTDS secrets dump via Impacket |
| Remote command execution via SMB (PsExec-style) |
| Remote command execution via WMI |
| SMB share enumeration and file access |
| BloodHound AD data collection (SharpHound/bloodhound-python) |
| LLMNR/NBT-NS/MDNS poisoning for credential capture |
| SMB share enumeration and access testing |
Wireless
Tool | Description |
| Passive wireless network scan (airodump-ng) |
IaC Security
Tool | Description |
| IaC misconfiguration scan (Terraform, K8s, Dockerfile) |
Stealth / OPSEC
Tool | Description |
| Verify Tor connectivity and exit node IP |
| Request new Tor circuit (NEWNYM) |
| Check exposed IP, DNS leaks, and anonymity level |
| Validate proxy latency, exit IP, and anonymity type |
| Rotate Tor circuit and User-Agent simultaneously |
Analysis & Utility
Tool | Description |
| Verify which external tools are installed |
| Validate target against allowlist |
| Correlate findings across multiple scans |
| CVSS-based risk scoring |
| CVE details from NVD (CVSS, CWE, affected products) |
| Search CVEs by keyword, product, or severity |
| Generate Markdown/HTML/PDF pentest report |
Workflows & Prompts (35)
Pre-built workflow templates that guide Claude through complete engagements.
Category | Prompts |
Pentest workflows |
|
Vulnerability assessment |
|
OSINT |
|
Reports |
|
Stealth/OPSEC |
|
Specialized |
|
Quick actions |
|
Social Engineering |
|
Built-in Resources (20)
Static reference data loaded by Claude during engagements.
URI | Content |
| OWASP Top 10:2025 full list |
| Per-category details + testing checklist |
| OWASP API Security Top 10 (2023) |
| Per-category details |
| PTES 7-phase methodology overview |
| Phase details (objectives, tools, deliverables) |
| Web app pentest checklist (OWASP Testing Guide) |
| API pentest checklist |
| Network infrastructure checklist |
| MITRE ATT&CK Enterprise tactics + techniques |
| Technique detail by ID |
| Default credentials database |
| Curated payload lists by type (xss, sqli, lfi, ssti, etc.) |
| Reference guide for operational security techniques |
| Step-by-step proxy and Tor configuration guide |
| Live tool availability status |
| Usage guide for nmap, nuclei, sqlmap, metasploit, trivy, amass |
| List of all available prompts with descriptions |
| Prompts filtered by category |
Architecture
┌─────────────┐ MCP ┌─────────────────┐ subprocess ┌─────────────────┐
│ Claude │◄────────────►│ Tengu │─────────────────►│ Nmap, SQLMap, │
│ (Desktop / │ stdio/SSE │ MCP Server │ (never shell=T) │ Metasploit... │
│ Code) │ │ │ └─────────────────┘
└─────────────┘ └────────┬─────────┘
│
Every tool call passes through:
│
┌────────▼─────────┐
│ Safety Pipeline │
│ │
│ 1. sanitizer │ ← strip metacharacters, validate format
│ 2. allowlist │ ← check target against tengu.toml
│ 3. rate_limiter │ ← sliding window + concurrent slots
│ 4. audit logger │ ← JSON log to ./logs/tengu-audit.log
└──────────────────┘Configuration Files
Tengu uses three configuration files. Editing the wrong one is the most common source of confusion when switching between local and Docker workflows.
File | When to use | What it controls |
| Running locally: | MCP server config: |
| Running via Docker: | Same settings as root, but pre-configured for Docker networking ( |
| Both local and Docker | Secrets and runtime vars: |
| Reference only | Template listing all available environment variables |
Quick config for copilot mode (local): edit tengu.toml at the project root —
add your target to [targets] allowed_hosts.
Quick config for agent mode (Docker): edit docker/tengu.toml, then run
make docker-rebuild-tengu before make docker-agent.
Common pitfall: if scans fail with
TargetNotAllowedErrorinside Docker, you probably editedtengu.toml(root) instead ofdocker/tengu.toml. Docker uses its own copy baked into the image. After editing, runmake docker-rebuild-tengu.
Safety by Design
Tengu is built as a force multiplier for human pentesters, not an autonomous attack tool.
Control | Description |
Target Allowlist | Only pre-approved targets in |
Input Sanitization | All inputs are validated against strict patterns before reaching any tool |
Rate Limiting | Sliding window + concurrent slot limits prevent accidental DoS |
Audit Logging | Every tool invocation logged to |
Human-in-the-Loop |
|
No shell=True — ever | All subprocess calls use |
Development
make install-dev # Install Python deps + dev extras
make test # Run unit + security tests
make lint # ruff check
make typecheck # mypy strict
make check # lint + typecheck
make coverage # pytest --cov
make inspect # Open MCP Inspector
make doctor # Check which pentest tools are installedTengu has 2643+ tests covering unit logic, security (command injection, input validation), and integration scenarios. See CLAUDE.md for the full contributor guide.
Legal Notice
Tengu is designed for authorized security testing only. Only scan systems you own or have explicit written permission to test. Unauthorized scanning is illegal in most jurisdictions. The authors accept no liability for misuse.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/rfunix/tengu'
If you have feedback or need assistance with the MCP directory API, please join our Discord server