Stratos - Azure Security Assessment MCP Server

Enterprise-grade Azure security assessment toolkit with multi-location scanning, IMDS exploitation, attack path analysis, and compliance reporting

Designed for security professionals conducting authorized penetration tests, compliance audits, and executive risk reporting

Features • Quick Start • Documentation • Examples

Overview

Stratos is a comprehensive Azure security assessment framework built on the Model Context Protocol (MCP). It provides 40 production-ready tools covering multi-location scanning, enumeration, vulnerability scanning, attack path analysis, AKS/Kubernetes security (including live K8s API scanning and IMDS exploitation), backup security, VNet topology analysis, private endpoint validation, and compliance reporting for Azure cloud environments.

Use Cases

• Multi-Location Scanning - Scan resources across all 45+ Azure regions

• Security Assessments - Identify misconfigurations and vulnerabilities

• IMDS Exploitation - Token theft, cluster-wide exposure, deep data plane access

• Executive Reporting - Generate professional risk assessment reports

• Compliance Audits - Map findings to CIS, NIST frameworks

• Penetration Testing - Discover attack paths and privilege escalation vectors

• Kubernetes Security - AKS cluster, node, and IMDS vulnerability testing

• DevOps Security - Detect hardcoded secrets in Azure DevOps

Key Highlights

• 100% Read-Only - Safe for production environments

• 40 Security Tools - Comprehensive Azure service coverage (v1.14.0)

• Multi-Location - Scan common (10) or all (45+) Azure regions

• Multi-Format Reports - PDF, HTML, CSV, Markdown, JSON

• Attack Path Analysis - Privilege escalation and lateral movement mapping

• AKS/Kubernetes - 4 consolidated container security tools (ARM + Live K8s + IMDS)

• Enterprise Ready - Professional reports for executives and auditors

What's New in v1.14.0 🎉

Critical Security Enhancement - Research-Driven Expansion

• 6 New Security Tools - Backup security, VNet peering, Private Endpoints, Diagnostic Settings, Defender coverage, Policy compliance

• 8 Enhanced Tools - Storage (SAS tokens + WORM), Service Principals (RBAC-focused), Managed Identities (federation), NSG (service endpoints + load balancers), SQL (PostgreSQL + MySQL + Redis), Function Apps (Event Grid + Service Bus)

• 23 New Parameters - Extended capabilities across existing tools (100% backward compatible)

• Research Attribution - Based on Azure Security Benchmark v3, redskycyber/Cloud-Security, CIS Azure Foundations

• Cloud Infrastructure Focus - Service principal analysis excludes Azure AD (cloud resources only)

Related MCP server: SecOps MCP

Key Features

🌍 Multi-Location (2 Tools)

• list_active_locations - Discover active Azure regions

• scan_all_locations - Scan resources across all regions

• Support for 45+ Azure locations globally

• Location filtering on enumeration tools

🔍 Enumeration (7 Tools)

• Subscriptions - Map Azure environment structure

• Resource Groups - List all resource containers (with location filter)

• Resources - Enumerate all resources (with location filter)

• Resource Details - Get detailed configurations

• Public IPs - Identify internet-exposed attack surface

• RBAC Assignments - Audit access control permissions

• Managed Identities - Track passwordless authentication

🛡️ Security Scanning (10 Tools)

• Storage Security - Public access, HTTPS, encryption

• Storage Containers - Deep scan for sensitive files

• NSG Rules - Internet-exposed ports, wildcard rules

• SQL Databases - TDE encryption, firewall, auth

• Key Vaults - Soft delete, purge protection, secrets

• Virtual Machines - Disk encryption, security extensions

• Cosmos DB - Public access, firewall, encryption

• Container Registries - Admin user, vulnerability scanning

• Attack Paths - Privilege escalation chains

• Service Principals - Application identity scanning

☸️ Kubernetes/AKS (3 Tools + Enhanced Features)

• scan_aks_full - 🚀 ENHANCED Comprehensive AKS security with multiple scan modes:

  • mode: 'full' - Complete ARM-based assessment (30+ CIS checks)

  • mode: 'live' - Live K8s API scanning (secrets, RBAC, pods, SAs)

  • mode: 'imds' - IMDS exploitation & token theft (cluster-wide scan, token export)

  • mode: 'pod_identity' - Pod Identity/Workload Identity analysis

  • mode: 'admission' - Admission controller bypass detection

• scan_aks_policy_bypass - OPA/Kyverno policy bypass detection

• get_aks_credentials - Extract kubeconfig for kubectl access

Migration Note (v1.12.0): Deprecated tools scan_aks_live, scan_aks_imds, scan_aks_pod_identity, and scan_aks_admission_bypass are now consolidated into scan_aks_full with scanMode parameter.

📊 Reporting & DevOps (3 Tools)

• Security Reports - PDF/HTML/CSV with CIS/NIST mapping

• Azure DevOps Scanner - Hardcoded secrets detection

• Credential Exposure - Scan for exposed credentials

Report Features:

• Executive summaries with risk statistics

• Color-coded severity (CRITICAL/HIGH/MEDIUM/LOW)

• Compliance framework mapping

• Remediation guidance

📋 Tool Reference (40 Tools)

Naming Convention

Complete Tool List

🚀 Quick Start

Installation

Option 1: Install from npm (Recommended)

# Install globally from npm
npm install -g stratos-mcp

Option 2: Build from source

# Clone the repository
git clone https://github.com/h4cd0c/stratos-mcp.git
cd stratos-mcp

# Install dependencies
npm install
npm run build

Prerequisites

# Login to Azure CLI
az login

VS Code Configuration

Add to .vscode/mcp.json:

{
  "servers": {
    "stratos": {
      "command": "node",
      "args": ["C:\\path\\to\\stratos-mcp\\dist\\index.js"],
      "type": "stdio"
    }
  }
}

🛡️ Input Validation & Auto-Completion ⭐ NEW

Enhanced Security (OWASP MCP-05 Compliance):

• Pattern-Based Validation - Regex validation for all Azure resource identifiers (subscription IDs, resource groups, locations, etc.)

• Whitelist Validation - Location names and resource types validated against Azure service catalogs

• Sanitization - Automatic removal of control characters and length enforcement

• Clear Error Messages - Helpful validation errors guide users to correct input formats

Improved User Experience:

• Auto-Completion Support - Intelligent suggestions for locations, resource types, formats, and scan modes

• Prefix Filtering - Type-ahead suggestions as you enter values

• Context-Aware - Suggests relevant values based on the current tool and argument

Supported completions:

• location/locations - All 60+ Azure locations + "all", "common"

• resourceType - VMs, Storage, NSGs, AKS, SQL, Key Vaults, Public IPs, All

• format - markdown, json, html, pdf, csv

• scanMode - common, all

• startFrom - public-ips, storage, vms, identities, all

� Output Format Control ⭐ NEW

All 30 security tools now support flexible output formatting via the optional format parameter:

Markdown (Default) - Human-readable output, perfect for documentation and reports

#azure_whoami
# Returns: Clean markdown text (backward compatible)

JSON - Machine-readable structured data with metadata for automation

#azure_whoami format: json
# Returns: { "tool": "azure_whoami", "format": "json", "timestamp": "...", "data": {...} }

Key Benefits:

• ✅ Backward Compatible - Existing tools work without changes (defaults to markdown)

• ✅ API Integration - JSON format enables programmatic consumption

• ✅ Automation - Parse structured data for CI/CD pipelines

• ✅ Metadata - JSON includes tool name, timestamp, and versioning

• ✅ Flexible - Choose format per-tool based on use case

Supported Tools: All security scanners, enumerators, and analyzers (34 tools total)

Example Use Cases:

# Export scan results to JSON for automation
#azure_analyze_storage_security subscriptionId: YOUR_SUB format: json > results.json

# Human-readable documentation output (default)
#azure_scan_sql_databases subscriptionId: YOUR_SUB

# Structured data for API integration
#azure_analyze_attack_paths subscriptionId: YOUR_SUB format: json

�📊 Example Workflows

1. Generate Security Reports (Quick vs Comprehensive)

# Quick scan (4 core tools: Storage, NSG, SQL, KeyVault) - 5-10 seconds
generate_security_report subscriptionId="YOUR_SUB_ID" format="pdf" outputFile="C:\\reports\\quick-scan.pdf"

# Comprehensive scan (ALL 34 tools) - 30-60 seconds
generate_security_report subscriptionId="YOUR_SUB_ID" format="pdf" outputFile="C:\\reports\\full-scan.pdf" fullScan=true

2. Analyze Attack Paths

analyze_attack_paths subscriptionId="YOUR_SUB_ID" startFrom="public-ips"

3. Scan Azure DevOps for Secrets

scan_azure_devops organizationUrl="https://dev.azure.com/yourorg" personalAccessToken="YOUR_PAT"

4. AKS Security Assessment

# Comprehensive ARM-based scan
scan_aks_full subscriptionId="YOUR_SUB_ID" resourceGroup="RG-NAME" clusterName="CLUSTER-NAME"

# IMDS exploitation with token export
scan_aks_imds subscriptionId="YOUR_SUB_ID" resourceGroup="RG-NAME" clusterName="CLUSTER-NAME" scanAllPods=true exportTokens=true deepDataPlane=true

5. Deep Storage Container Scan

scan_storage_containers subscriptionId="YOUR_SUB_ID"

📄 Report Formats

🔧 Technical Details

Dependencies:

• Azure SDK v4+ for all services

• Azure DevOps API v13.2.0

• PDFKit, Marked, CSV-Writer for exports

• TypeScript 5.3.3, Node.js 20+

• MCP SDK v1.0.4

Supported Azure Services:

• Storage Accounts, Network Security Groups

• SQL Databases, Key Vaults, Virtual Machines

• Cosmos DB, Container Registries

• AKS/Kubernetes, Azure DevOps

⚠️ Disclaimer

FOR AUTHORIZED SECURITY TESTING ONLY

This tool is designed for security professionals conducting authorized penetration tests. Users must:

• Have explicit written authorization from target organization

• Comply with all applicable laws and regulations

• Follow responsible disclosure practices

• Respect Azure Terms of Service

Unauthorized access to computer systems is illegal.

📝 License

MIT

🤝 Author

h4cd0c - GitHub

Made with ❤️ for the security community