rapid7-mcp
Provides read-only access to Metasploit Pro telemetry, including listing workspaces, sessions, loot (credentials/hashes), and background tasks, enabling visibility into pentest results without interactive capabilities.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@rapid7-mcpList all critical vulnerabilities and their exploit status"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
rapid7-mcp
A unified MCP server for Rapid7's security platform — exposing InsightVM (vulnerability management), InsightIDR (SIEM/investigations), and Metasploit Pro (pentest telemetry) as tools for Claude, Cursor, and any MCP-compatible LLM client.
Ask natural-language questions across your entire Rapid7 environment — vulnerabilities, active incidents, compromised hosts — and get structured answers without writing a single API call.
Built with fastapi-mcp, FastAPI, and httpx.
No Rapid7 instance? Set
DEMO_MODE=trueto explore all 26 tools against realistic fixture data. Clone, run, connect — no credentials required.
What you can do
Once connected to Claude, you can ask things like:
"Which of my sites has the highest risk score?" "What are the critical vulnerabilities on the production web server, and is there already a remediation project for them?" "Is Log4Shell present anywhere in my environment? Show me the CVSS score and any available exploits." "Are there any open InsightIDR investigations right now? What's the highest priority one?" "Search our logs for any connections to this IP address: 185.220.101.1" "What active Metasploit sessions exist and what hosts were compromised?" "Give me a full security posture summary across sites, open incidents, and active sessions."
The server translates these into API calls across InsightVM, InsightIDR, and Metasploit Pro and returns structured data that Claude can reason over, correlate, and summarize.
Related MCP server: cve-mcp
Architecture
Claude / Cursor / MCP Client
│ MCP (Streamable HTTP)
▼
┌───────────────────────────────────────────┐
│ FastAPI + fastapi-mcp :8000 │
│ │
│ InsightVM InsightIDR MSP │
│ ────────────── ────────── ───────── │
│ /sites /idr/invest. /workspcs │
│ /assets /idr/logs /sessions │
│ /asset_groups /idr/iocs /loot │
│ /vulnerabilities /tasks │
│ /scans │
│ /remediation_projects │
│ /reports │
│ │
│ /mcp ← MCP endpoint │
└──────┬──────────────┬──────────┬──────────┘
│ Basic Auth │ X-Api-Key│ Token
▼ ▼ ▼
InsightVM InsightIDR Metasploit
Console Cloud API Pro Console
:3780 (regional) :3790Every FastAPI route is automatically published as an MCP tool via fastapi-mcp. Operation IDs become tool names, Pydantic schemas become input/output schemas, and docstrings become tool descriptions.
Quick Start
Prerequisites: Python 3.11+, uv
# 1. Clone and install
git clone https://github.com/SecuritahGuy/rapid7-mcp.git
cd rapid7-mcp
uv sync
# 2. Configure (or skip and use DEMO_MODE)
cp .env.example .env
# edit .env with your console URLs and credentials
# 3. Start the server
DEMO_MODE=true uv run uvicorn rapid7_mcp.main:app --port 8000MCP endpoint:
http://localhost:8000/mcpInteractive API docs:
http://localhost:8000/docs
Connect to VS Code
Add .vscode/mcp.json to your workspace (already included in this repo):
{
"servers": {
"rapid7-mcp": {
"type": "http",
"url": "http://localhost:8000/mcp"
}
}
}Start the server first (Ctrl+Shift+P → Tasks: Run Task → Start MCP Server (Demo Mode)), then connect in the Claude Code panel.
Connect to Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"rapid7": {
"url": "http://localhost:8000/mcp"
}
}
}Start the server first, then restart Claude Desktop.
Available MCP Tools
InsightVM — Vulnerability Management
Tool | Description |
| List all scan sites — names, asset counts, risk scores, last scan time |
| Full details for a single site |
| Logical asset groupings (PCI scope, DMZ, dynamic OS groups) |
| Details for a single asset group |
| Asset details — IP, hostname, OS, vulnerability counts by severity, risk score |
| Filter assets by IP, hostname, OS family, site ID, or tag |
| All vulnerabilities found on a specific asset |
| Owner, environment, and compliance tags assigned to an asset |
| Browse the vulnerability library, filter by severity |
| Full vuln details — CVSS v2/v3, CVEs, exploit count, description |
| Recent scans with status, duration, and vulnerability summaries |
| Details for a single scan |
| In-flight fix tracking — owner, due date, affected assets |
| Details for a single remediation project |
| All configured reports (executive summaries, PCI exports, CSV) |
| Configuration and status for a single report |
| Trigger on-demand report generation, returns download URI |
InsightIDR — SIEM & Investigations
Tool | Description |
| Open security incidents — priority, status, assignee, alert summary |
| Full alert timeline for a specific investigation |
| LEQL search across firewall, proxy, DNS, and endpoint logs |
| Active threat intelligence IOCs — IPs, domains, hashes, URLs |
Metasploit Pro — Pentest Telemetry (read-only)
These tools are intentionally read-only. The LLM can see what Metasploit knows — active sessions, collected credentials, task status — but cannot execute exploits or interact with sessions.
Tool | Description |
| All Metasploit Pro workspaces (pentest projects) |
| Details for a single workspace |
| Active Meterpreter and shell sessions — host, exploit, platform, username |
| Credentials, hashes, and files extracted from compromised hosts |
| Background tasks — scan imports, report generation, bruteforce jobs |
Demo Mode
DEMO_MODE=true replaces all API calls with fixture data across all three products. No console, no credentials, no VPN.
Fixtures in tests/fixtures/:
Fixture | Contents |
| 3 sites: Production, Development, Cloud |
| Ubuntu and RHEL hosts with full vulnerability breakdowns |
| PCI Scope, DMZ, Critical Infra, All Linux groups |
| Owner, environment, and compliance tags |
| Log4Shell, OpenSSL CVE-2022-0778, POODLE |
| Vulnerabilities scoped to a single asset |
| One finished scan, one running |
| Q1 patching sprint, Log4Shell project |
| Executive summary, PCI report, CSV export |
| PowerShell execution alert, SSH brute force |
| Firewall and proxy hits for a Tor exit node IP |
| Tor IP, Cobalt Strike hash, APT28 C2 domain |
| Default workspace + Q1 external pentest |
| Meterpreter (SYSTEM) + shell (tomcat) sessions |
| NTLM hashes + PostgreSQL credentials |
| Completed InsightVM import + running report task |
Configuration
All settings via environment variable or .env file. Copy .env.example to get started.
InsightVM
Variable | Default | Description |
|
| InsightVM console base URL |
|
| InsightVM user (Global Administrator role required) |
|
| InsightVM password |
|
| Set to |
InsightIDR
Variable | Default | Description |
|
| Insight Platform region: |
| (empty) | Insight Platform API key |
Metasploit Pro
Variable | Default | Description |
|
| Metasploit Pro console base URL |
| (empty) | MSP REST API token |
|
| Set to |
General
Variable | Default | Description |
|
| Return fixture data for all products; skips all live connectivity |
Development
uv sync # install deps + dev extras
uv run pytest --cov=rapid7_mcp tests/ # run tests with coverage
uv run ruff check . && uv run ruff format . # lint + format
uv run mypy rapid7_mcp/ # type checkSee CONTRIBUTING.md for how to add a new tool, extend fixtures, and open a pull request.
Community & Project Health
Tech Stack
Library | Why |
Converts FastAPI routes to MCP tools automatically — auth, deps, and schemas carry through | |
Async HTTP client, consistent with FastAPI's async model | |
Type-safe config from env vars and | |
Fast dependency management, becoming the standard for MCP Python projects | |
Replaces flake8 + black + isort in one tool |
License
MIT — see LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/SecuritahGuy/rapid7-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server