@konsulto/mcp
Official
The @konsulto/mcp server lets MCP-compatible clients (like Claude Code) interact with the Konsulto cybersecurity audit platform to manage the full lifecycle of a penetration test or security audit.
Identity & Session Management
konsulto_whoami — Verify identity, role permissions, token expiry, and active audit.
konsulto_list_my_audits — List audits you're a member of, filterable by status.
konsulto_set_active_audit — Pin an audit by ID or fuzzy name for the session.
konsulto_get_audit_context — One-shot snapshot: audit name, status, dates, scope/asset counts, severity rollup, and team.
konsulto_audit_summary — Live finding counts by severity, status, and recency.
Finding Templates
konsulto_search_templates — Search the template catalog by free text or severity before creating a finding.
Reading Findings
konsulto_search_findings — Search findings by title, severity, or status (useful for duplicate checks).
konsulto_get_finding — Read a full finding including its body rendered as markdown.
konsulto_read_section — Read a single section (e.g., PoC, remediation) without fetching the whole document.
Writing & Updating Findings
konsulto_compose_finding — Create a new finding from structured fields, optionally from a template with evidence attached.
konsulto_update_finding — Update scalar fields: title, severity, status, taxonomy, or linked assets.
konsulto_bulk_update_status — Mass-change status on multiple findings, with a dryRun preview mode.
konsulto_append_to_section — Append markdown prose to a named section without touching the rest.
konsulto_replace_section — Fully replace a section's prose (previous content preserved on the audit trail).
Evidence Management
konsulto_attach_evidence — Upload evidence as a file path, inline text, or base64 content; returns an evidenceId.
konsulto_add_evidence_to_finding — Graft an uploaded attachment into a specific section of a finding.
Scope & Asset Tracking
konsulto_list_scope — List authorized scope elements for an audit.
konsulto_list_assets — List tracked assets (hosts, URLs, IAM roles, etc.) audit-wide or tenant-wide.
konsulto_create_asset — Create a new asset when a scan reveals something untracked.
konsulto_link_asset — Match-or-create an asset by name/identifier and attach it to a finding in one step.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@@konsulto/mcp list my audits".
That's it! The server will respond to your query, and you can continue using it as needed.
@konsulto/mcp
MCP server that lets Claude Code (and any other MCP-capable client) drive the Konsulto cybersecurity audit platform from the CLI:
Read — list audits you're on, search findings/templates, read a finding (including body rendered as markdown so the LLM can reason about prose), read a single section.
Write — compose findings from structured fields (backend builds the Tiptap body), update scalars, append/replace section prose using markdown, bulk-change status with dry-run preview.
Evidence — upload files/inline content/base64, graft evidence into a finding's body at the right section.
Scope & assets — list scope, list/create assets, match-or-create an asset and link it to a finding.
Acts as the user, with their role permissions, gated by a per-user MCP token. Three runtime gates: tenant feature flag enabled, role has mcp:use, token not revoked/expired.
Quick start
1. Mint an MCP token in the Konsulto web app
Sign in → Profile → MCP Tokens → New MCP token. Copy the kon_mcp_… value once — it isn't shown again. (Tenant admin must have enabled MCP integration first under Account → API Access.)
2. Save the token locally
mkdir -p ~/.konsulto && chmod 700 ~/.konsulto
cat > ~/.konsulto/credentials <<EOF
token: kon_mcp_REPLACE_WITH_YOUR_TOKEN
endpoint: https://api.konsulto.io
EOF
chmod 600 ~/.konsulto/credentials
Or use the KONSULTO_TOKEN env var if you'd rather not write a file.
3. Tell Claude Code about the server
Add to ~/.claude/mcp.json:
{
"mcpServers": {
"konsulto": {
"command": "npx",
"args": ["-y", "@konsulto/mcp@latest"]
}
}
}
Verify the wiring:
npx @konsulto/mcp doctor
You should see all green checks.
Folder pinning (optional, recommended)
Run npx @konsulto/mcp init inside an engagement folder to pin it to one audit:
~/audits/acme-q2-pentest/
├── .konsulto.yml ← pins this folder to one audit
├── recon/
└── notes.md
When Claude Code launches in that folder (or any subfolder), the MCP auto-pins the audit. No more thinking about audit IDs.
The file is sharable with your team — it contains an audit ID and optional endpoint, no secrets.
Workflow patterns
Pattern | When to use |
Folder pinning | Repeat work on the same engagement. Run init once in the engagement folder. |
Session pin (konsulto_set_active_audit) | One workspace, switching audits mentally. Tell Claude "switch to <audit name>". |
Explicit per-call | Juggling several audits in one session. Pass the audit ID on each call. |
Tools
Every tool is prefixed konsulto_* so it doesn't collide with other MCPs (Burp, nmap, prowler, etc.) you might have configured.
Identity & context
Tool | What it does |
konsulto_whoami | Identity, permissions, active audit. Call first in a session. |
konsulto_list_my_audits | List audits you're a member of. |
konsulto_set_active_audit | Pin one audit for the rest of the session (fuzzy match by name). |
konsulto_get_audit_context | One-shot orientation — name, status, scope/asset counts, severity rollup, team. |
konsulto_audit_summary | Live finding counts for an audit: total, by severity, by status, recent 7d/30d, last-finding timestamp. |
Templates
Tool | What it does |
konsulto_search_templates | Find finding templates by query/severity. Slim shape — id, title, severity, summary, slot names, taxonomy. No body. |
Findings — read
Tool | What it does |
konsulto_search_findings | Search within an audit (defaults to active). |
konsulto_get_finding | Read a finding including its body rendered as markdown so the LLM can reason about prose. |
konsulto_read_section | Read just one section of a finding's body as markdown. Cheaper than konsulto_get_finding. |
Findings — write
Tool | What it does |
konsulto_compose_finding | Create from structured fields + optional template + evidence. Backend builds the Tiptap body. |
konsulto_update_finding | Change scalar fields (title, severity, status, taxonomy, assets). |
konsulto_bulk_update_status | Mass status change. Supports a dryRun preview. |
konsulto_append_to_section | Add markdown prose to a section. Section names accept aliases (recommendations, mitigation, fix, summary, etc.) — they normalize to canonical keys server-side. |
konsulto_replace_section | Replace a section's prose. Old content saved on the audit trail. |
Evidence
Tool | What it does |
konsulto_attach_evidence | Upload a file path / inline content / base64. Returns an evidenceId. |
konsulto_add_evidence_to_finding | Graft an evidenceId into an existing finding's body at the named section. |
Scope & assets
Tool | What it does |
konsulto_list_scope | Scope elements for an audit — what's authorized to test. |
konsulto_list_assets | Assets in the audit (or tenant-wide). |
konsulto_create_asset | Create a host / URL / IAM-role / etc. when a scan reveals one not yet tracked. |
konsulto_link_asset | Match-or-create an asset by name and attach it to a finding. |
Helper CLI
The same npx @konsulto/mcp command runs as the stdio MCP server when
called with no arguments (what Claude Code does), and as an interactive
helper when called with a subcommand:
npx @konsulto/mcp init — write .konsulto.yml for the current folder
npx @konsulto/mcp whoami — verify token, show identity + permissions
npx @konsulto/mcp doctor — sanity-check credentials, token, reachability, and configuration
Troubleshooting
Run npx @konsulto/mcp doctor first — it prints a one-line fix for the first failure. For the rest:
Symptom | Fix |
No token found | Set KONSULTO_TOKEN or save the token in ~/.konsulto/credentials. |
Token rejected as the wrong type | You used a non-MCP token. Mint one under Profile → MCP Tokens. |
Authentication errors on every call | Token revoked or expired — mint a fresh one. |
Permission errors after working previously | Your role or tenant settings changed. Ask an admin. |
Loose-permissions warning at startup | Run chmod 700 ~/.konsulto and chmod 600 ~/.konsulto/credentials. |
Security
Treat tokens like passwords. They carry your role's permissions to anyone who holds them. Don't share or commit them.
Revoke if leaked. Web app → Profile → MCP Tokens. Revocations take effect on the next request.
Watch your inbox. Konsulto emails you on suspicious token activity — investigate and revoke if you didn't trigger it.
Verify the package. Published with npm provenance — npm view @konsulto/mcp shows the signature.
Multi-engagement on one machine
Set KONSULTO_PROFILE=acme to read ~/.konsulto/credentials.acme instead of the default. Useful when you're contracting on a customer's Konsulto tenant from the same laptop you use for your firm's tenant.
License
MIT — see LICENSE.