TurboPentest MCP Server lets you launch and manage AI-powered penetration tests against verified domains directly from your AI assistant (Claude Desktop, Claude Code, Cursor, etc.).

• Start a pentest (start_pentest): Launch a pentest against a verified target URL, choosing from four scan tiers (recon, standard, deep, blitz) and optionally providing a GitHub repo for white-box scanning (SAST, secrets, SCA).

• Get pentest details (get_pentest): Retrieve status, progress, findings summary, executive summary, attack surface map, and STRIDE threat model for a specific pentest.

• List pentests (list_pentests): View all pentests ordered newest first, filterable by status (queued, scanning, complete, failed).

• Get findings (get_findings): Fetch structured vulnerability findings including severity, CVSS, CWE, proof-of-concept, remediation guidance, and retest commands — filterable by severity.

• Download reports (download_report): Download completed pentest reports in markdown (AI-friendly), JSON (structured data), or PDF (formatted document) format.

• Check credits (get_credits): View your credit balance and available scan tiers with pricing.

• Verify attestation (verify_attestation): Publicly verify a blockchain-anchored pentest attestation by hash — no API key required.

• List domains (list_domains): View verified domains and their verification status (domains must be verified before pentesting).

• Built-in prompts: Use guided workflows for deep-dive findings analysis (analyze_findings), comparing pentests (compare_pentests), running full-lifecycle pentests (run_pentest), and summarizing overall security posture (security_posture).

Allows for white-box scanning by integrating GitHub repositories into penetration test workflows for source code analysis.