operant-mcp
Officialoperant-mcp is a security testing MCP server with 51 tools covering penetration testing, network forensics, memory analysis, and vulnerability assessment.
SQL Injection — WHERE clause bypasses, login form bypasses, UNION-based extraction, boolean/time-based blind SQLi, and file reading via LOAD_FILE().
XSS — Reflected XSS testing with 10 payloads; context-aware payload generation (html_body, attribute, javascript, url, css) with filter evasion.
Command Injection — OS command injection with multiple shell operators; blind detection via time delays and OOB callbacks.
Path Traversal — Directory traversal with plain, URL-encoded, double-encoded, and null-byte variants at multiple depths.
SSRF — Localhost bypass variants (10+); cloud metadata endpoint access (AWS, GCP, Azure).
PCAP / Network Forensics — Protocol hierarchy and endpoint stats, credential extraction (FTP/HTTP/SMTP), DNS analysis, HTTP object export, port scan detection, TCP/UDP/HTTP stream following, TLS/SNI analysis, LLMNR poisoning detection, and NTLM credential extraction.
Reconnaissance — Quick recon (robots.txt, headers, common dirs), full DNS enumeration, vhost discovery, TLS SAN extraction, directory brute-force, git secret scanning, and S3 bucket permission testing.
Memory Forensics — Volatility 2 Linux and Volatility 3 Windows plugin execution; Linux rootkit detection via syscall table and hidden module analysis.
Malware Analysis — Full OLE document analysis (streams, VBA macros, IOCs) and raw VBA macro extraction.
Cloud Security — AWS CloudTrail log parsing and anomaly detection (unusual IPs, API calls, role assumptions).
Authentication — CSRF token extraction, username enumeration, credential brute-force, and cookie tampering for privilege escalation.
Access Control — IDOR testing via ID/GUID iteration; cookie/parameter-based privilege escalation.
Business Logic — Client-side price/quantity manipulation; coupon stacking and alternation abuse.
Clickjacking — X-Frame-Options/CSP header checks with PoC iframe HTML; sandbox attribute bypass for JS frame busters.
CORS — Misconfiguration testing (origin reflection, null origin trust, subdomain wildcards).
File Upload — Web shell upload via Content-Type and extension bypass techniques.
NoSQL Injection — MongoDB auth bypass via operator injection; injection point detection in query params and JSON bodies.
Deserialization — Detection and manipulation of serialized objects in cookies (PHP, Java, .NET ViewState, JSON).
GraphQL — Full schema introspection (types, fields, mutations); hidden field discovery via suggestion errors.
Methodology Guides — 8 structured prompts covering web app pentesting, PCAP forensics, memory forensics, recon, malware analysis, cloud security, SQLi, and XSS.
Searches Git repositories for exposed secrets and credentials during the reconnaissance phase of a security assessment.
Performs full GraphQL schema introspection and discovery of hidden fields to identify potential security vulnerabilities.
Provides tools for Linux-specific security tasks, including memory forensics and rootkit detection.
Tests for MongoDB-specific vulnerabilities, including authentication bypass and NoSQL injection detection.
Performs deep packet inspection and network forensics on PCAP files, including protocol analysis and credential extraction using TShark.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@operant-mcpanalyze this network capture and extract any found credentials"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
operant-mcp
Security testing MCP server with 51 tools for penetration testing, network forensics, memory analysis, and vulnerability assessment.
Quick Start
npx operant-mcpOr install globally:
npm install -g operant-mcp
operant-mcpUsage with Claude Code
Add to your MCP config:
{
"mcpServers": {
"operant": {
"command": "npx",
"args": ["-y", "operant-mcp"]
}
}
}Tools (51)
SQL Injection (6)
sqli_where_bypass— Test OR-based WHERE clause bypasssqli_login_bypass— Test login form SQL injectionsqli_union_extract— UNION-based data extractionsqli_blind_boolean— Boolean-based blind SQLisqli_blind_time— Time-based blind SQLisqli_file_read— Read files via LOAD_FILE()
XSS (2)
xss_reflected_test— Test reflected XSS with 10 payloadsxss_payload_generate— Generate context-aware XSS payloads
Command Injection (2)
cmdi_test— Test OS command injectioncmdi_blind_detect— Blind command injection via sleep timing
Path Traversal (1)
path_traversal_test— Test directory traversal with encoding variants
SSRF (2)
ssrf_test— Test SSRF with localhost bypass variantsssrf_cloud_metadata— Test cloud metadata access via SSRF
PCAP/Network Forensics (8)
pcap_overview— Protocol hierarchy and endpoint statspcap_extract_credentials— Extract FTP/HTTP/SMTP credentialspcap_dns_analysis— DNS query analysispcap_http_objects— Export HTTP objectspcap_detect_scan— Detect port scanningpcap_follow_stream— Follow TCP/UDP streamspcap_tls_analysis— TLS/SNI analysispcap_llmnr_ntlm— Detect LLMNR/NTLM attacks
Reconnaissance (7)
recon_quick— Quick recon (robots.txt, headers, common dirs)recon_dns— Full DNS enumerationrecon_vhost— Virtual host discoveryrecon_tls_sans— Extract SANs from TLS certificatesrecon_directory_bruteforce— Directory brute-forcerecon_git_secrets— Search git repos for secretsrecon_s3_bucket— Test S3 bucket permissions
Memory Forensics (3)
volatility_linux— Linux memory analysis (Volatility 2)volatility_windows— Windows memory analysis (Volatility 3)memory_detect_rootkit— Linux rootkit detection
Malware Analysis (2)
maldoc_analyze— Full OLE document analysis pipelinemaldoc_extract_macros— Extract VBA macros
Cloud Security (2)
cloudtrail_analyze— CloudTrail log analysiscloudtrail_find_anomalies— Detect anomalous CloudTrail events
Authentication (3)
auth_csrf_extract— Extract CSRF tokensauth_bruteforce— Username enumeration + credential brute-forceauth_cookie_tamper— Cookie tampering test
Access Control (2)
idor_test— Test for IDOR vulnerabilitiesrole_escalation_test— Test privilege escalation
Business Logic (2)
price_manipulation_test— Test price/quantity manipulationcoupon_abuse_test— Test coupon stacking/reuse
Clickjacking (2)
clickjacking_test— Test X-Frame-Options/CSPframe_buster_bypass— Test frame-busting bypass
CORS (1)
cors_test— Test CORS misconfigurations
File Upload (1)
file_upload_test— Test file upload bypasses
NoSQL Injection (2)
nosqli_auth_bypass— MongoDB auth bypassnosqli_detect— NoSQL injection detection
Deserialization (1)
deserialization_test— Test insecure deserialization
GraphQL (2)
graphql_introspect— Full schema introspectiongraphql_find_hidden— Discover hidden fields
Prompts (8)
Methodology guides for structured security assessments:
web_app_pentest— Full web app pentest methodologypcap_forensics— PCAP analysis workflowmemory_forensics— Memory dump analysis (Linux/Windows)recon_methodology— Reconnaissance checklistmalware_analysis— Malware document analysiscloud_security_audit— CloudTrail analysis workflowsqli_methodology— SQL injection testing guidexss_methodology— XSS testing guide
System Requirements
Tools require various CLI utilities depending on the module:
Most tools:
curlPCAP analysis:
tshark(Wireshark CLI)DNS recon:
dig,hostMemory forensics:
volatility/vol.py/vol3Malware analysis:
olevba,oledump.pyCloud analysis:
jqSecrets scanning:
git
License
MIT
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/operantlabs/operant-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server