@konsulto/mcp
OfficialThe @konsulto/mcp server lets MCP-compatible clients (like Claude Code) interact with the Konsulto cybersecurity audit platform to manage the full lifecycle of a penetration test or security audit.
Identity & Session Management
konsulto_whoami— Verify identity, role permissions, token expiry, and active audit.konsulto_list_my_audits— List audits you're a member of, filterable by status.konsulto_set_active_audit— Pin an audit by ID or fuzzy name for the session.konsulto_get_audit_context— One-shot snapshot: audit name, status, dates, scope/asset counts, severity rollup, and team.konsulto_audit_summary— Live finding counts by severity, status, and recency.
Finding Templates
konsulto_search_templates— Search the template catalog by free text or severity before creating a finding.
Reading Findings
konsulto_search_findings— Search findings by title, severity, or status (useful for duplicate checks).konsulto_get_finding— Read a full finding including its body rendered as markdown.konsulto_read_section— Read a single section (e.g., PoC, remediation) without fetching the whole document.
Writing & Updating Findings
konsulto_compose_finding— Create a new finding from structured fields, optionally from a template with evidence attached.konsulto_update_finding— Update scalar fields: title, severity, status, taxonomy, or linked assets.konsulto_bulk_update_status— Mass-change status on multiple findings, with adryRunpreview mode.konsulto_append_to_section— Append markdown prose to a named section without touching the rest.konsulto_replace_section— Fully replace a section's prose (previous content preserved on the audit trail).
Evidence Management
konsulto_attach_evidence— Upload evidence as a file path, inline text, or base64 content; returns anevidenceId.konsulto_add_evidence_to_finding— Graft an uploaded attachment into a specific section of a finding.
Scope & Asset Tracking
konsulto_list_scope— List authorized scope elements for an audit.konsulto_list_assets— List tracked assets (hosts, URLs, IAM roles, etc.) audit-wide or tenant-wide.konsulto_create_asset— Create a new asset when a scan reveals something untracked.konsulto_link_asset— Match-or-create an asset by name/identifier and attach it to a finding in one step.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@@konsulto/mcplist my audits"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
@konsulto/mcp
MCP server that lets Claude Code (and any other MCP-capable client) drive the Konsulto cybersecurity audit platform from the CLI:
Read — list audits you're on, search findings/templates, read a finding (including body rendered as markdown so the LLM can reason about prose), read a single section.
Write — compose findings from structured fields (backend builds the Tiptap body), update scalars, append/replace section prose using markdown, bulk-change status with dry-run preview.
Evidence — upload files/inline content/base64, graft evidence into a finding's body at the right section.
Scope & assets — list scope, list/create assets, match-or-create an asset and link it to a finding.
Acts as the user, with their role permissions, gated by a per-user MCP token. Three runtime gates: tenant feature flag enabled, role has mcp:use, token not revoked/expired.
Quick start
1. Mint an MCP token in the Konsulto web app
Sign in → Profile → MCP Tokens → New MCP token. Copy the kon_mcp_… value once — it isn't shown again. (Tenant admin must have enabled MCP integration first under Account → API Access.)
2. Save the token locally
One command, same on macOS, Linux, and Windows:
npx -y @konsulto/mcp@latest login kon_mcp_REPLACE_WITH_YOUR_TOKENThis writes ~/.konsulto/credentials (directory 0700, file 0600). Add
--endpoint https://your-tenant.api.konsulto.io if you're on a dedicated stack,
and --force to overwrite an existing file.
Or use the KONSULTO_TOKEN env var if you'd rather not write a file.
3. Tell Claude Code about the server
Add to ~/.claude/mcp.json:
{
"mcpServers": {
"konsulto": {
"command": "npx",
"args": ["-y", "@konsulto/mcp@latest"]
}
}
}Verify the wiring:
npx @konsulto/mcp doctorYou should see all green checks.
Related MCP server: claude-sessions-mcp
Folder pinning (optional, recommended)
Run npx @konsulto/mcp init inside an engagement folder to pin it to one audit:
~/audits/acme-q2-pentest/
├── .konsulto.yml ← pins this folder to one audit
├── recon/
└── notes.mdWhen Claude Code launches in that folder (or any subfolder), the MCP auto-pins the audit. No more thinking about audit IDs.
The file is sharable with your team — it contains an audit ID and optional endpoint, no secrets.
Workflow patterns
Pattern | When to use |
Folder-pinned | Repeat work on the same engagement. Run |
| One workspace, switching audits mentally. Tell Claude "switch to ". |
Explicit per-call | Juggling several audits in one session. Pass |
Tools
Every tool is prefixed konsulto_* so it doesn't collide with other MCPs (Burp, nmap, prowler, etc.) you might have configured.
Identity & context
Tool | What it does |
| Identity, permissions, active audit. Call first in a session. |
| List audits you're a member of. |
| Pin one audit for the rest of the session (fuzzy match by name). |
| One-shot orientation — name, status, scope/asset counts, severity rollup, team. |
| Live finding counts for an audit: total, by severity, by status, recent 7d/30d, last-finding timestamp. |
Templates
Tool | What it does |
| Find finding templates by query/severity. Slim shape — id, title, severity, summary, slot names, taxonomy. No body. |
Findings — read
Tool | What it does |
| Search within an audit (defaults to active). |
| Read a finding including its body rendered as markdown so the LLM can reason about prose. |
| Read just one section of a finding's body as markdown. Cheaper than |
Findings — write
Tool | What it does |
| Return the section structure + markdown authoring rules (and an optional template starter) for composing a finding in this audit. Call before |
| Create a finding with a fully-formatted body. Author each section as markdown in |
| Change scalar fields (title, severity, status, taxonomy, assets). |
| Mass status change. Supports |
| Add markdown prose to a section. Section names accept aliases (recommendations, mitigation, fix, summary, etc.) — they normalize to canonical keys server-side. |
| Replace a section's prose. Old content saved on the audit trail. |
Evidence
Tool | What it does |
| Upload a file path / inline content / base64. Returns an evidenceId. |
| Graft an evidenceId into an existing finding's body ( |
Scope & assets
Tool | What it does |
| Scope elements for an audit — what's authorized to test. |
| Assets in the audit (or tenant-wide). |
| Create a host / URL / IAM-role / etc. when a scan reveals one not yet tracked. |
| Match-or-create an asset by name and attach it to a finding. |
Helper CLI
The same npx @konsulto/mcp command runs as the stdio MCP server when
called with no arguments (what Claude Code does), and as an interactive
helper when called with a subcommand:
npx @konsulto/mcp login <token>— save your token to~/.konsulto/credentials(--endpoint <url>,--force)npx @konsulto/mcp init— write.konsulto.ymlfor the current foldernpx @konsulto/mcp whoami— verify token, show identity + permissionsnpx @konsulto/mcp doctor— sanity-check credentials, token, reachability, and configuration
Troubleshooting
Run npx @konsulto/mcp doctor first — it prints a one-line fix for the first failure. For the rest:
Symptom | Fix |
| Set |
Token rejected as the wrong type | You used a non-MCP token. Mint one under Profile → MCP Tokens. |
Authentication errors on every call | Token revoked or expired — mint a fresh one. |
Permission errors after working previously | Your role or tenant settings changed. Ask an admin. |
Loose-permissions warning at startup |
|
Security
Treat tokens like passwords. They carry your role's permissions to anyone who holds them. Don't share or commit them.
Revoke if leaked. Web app → Profile → MCP Tokens. Revocations take effect on the next request.
Watch your inbox. Konsulto emails you on suspicious token activity — investigate and revoke if you didn't trigger it.
Verify the package. Published with npm provenance —
npm view @konsulto/mcpshows the signature.
Multi-engagement on one machine
Set KONSULTO_PROFILE=acme to read ~/.konsulto/credentials.acme instead of the default. Useful when you're contracting on a customer's Konsulto tenant from the same laptop you use for your firm's tenant.
License
MIT — see LICENSE.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/konsulto/konsulto-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server