"Website penetration testing and security vulnerability assessment tools" matching MCP tools:

• inspect_security_headers

  Ground Truth

  Fetch a public URL and inspect security-relevant response headers before you claim that a product or endpoint has a strong browser-facing security baseline. Use this for quick due diligence on public apps and docs sites. It checks for common headers such as HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options. It does not replace a real security review, authenticated testing, or vulnerability scanning.

  Connector

• scan_domain

  SiteGuardian

  Runs a free one-off security scan of the given domain and returns its grade (A–F), scan timestamp, and up to three top-priority issues with a permalink to the full report on siteguardian.io. Use this when the user asks for a quick security check of a domain that is NOT yet under SiteGuardian monitoring, or when they want a fresh assessment before subscribing. Results are cached for two hours, so repeated calls about the same domain return the same snapshot and mark it with cached=True. Do NOT use this for domains already under monitoring by the user — call get_domain_status instead for the account-scoped view with framework tags. Do NOT use this to batch-scan many domains as a competitive-intelligence tool; per-source-IP and per-target rate limits bound usage. This tool does not require authentication.

  Connector

• list_tools

  foundation-discovery

  List available MCP tools and get detailed help. Use this tool to discover what tools are available and how to use them. Call without parameters to see all tools, or provide a tool name to get detailed help including parameters, examples, and related tools. Args: tool_name: Optional name of a specific tool to get detailed help for. Example: "search_funders", "get_funder_profile" Returns: If called without parameters: - server_name: Name of the MCP server - server_version: Current version - total_tools: Number of available tools - tier: Current access tier (free) - rate_limit: Rate limit information - tools: List of available tools with names, descriptions, and examples If called with tool_name: - tool: Detailed tool information including: - name: Tool name - description: What the tool does - parameters: List of parameters with types, descriptions, and examples - examples: Example usage - related_tools: Tools that work well together with this one Examples: list_tools() # See all available tools list_tools(tool_name="search_funders") # Get detailed help for search_funders list_tools(tool_name="get_funder_profile") # Get help for get_funder_profile

  Connector

• assess_message

  Agent Safe Email MCP

  FREE triage tool — send whatever context you have (message content, sender info, URLs, attachments, draft replies, thread messages, image/video URLs) and get back a prioritized list of which security tools to run. No AI call, no charge, instant response. Always call this first to get the best security coverage.

  Connector

• search_vaadin_docs

  docs-mcp

  Search Vaadin documentation for relevant information about Vaadin development, components, and best practices. Uses hybrid semantic + keyword search. USE THIS TOOL for questions about: Vaadin components (Button, Grid, Dialog, etc.), TestBench, UI testing, unit testing, integration testing, @BrowserCallable, Binder, DataProvider, validation, styling, theming, security, Push, Collaboration Engine, PWA, production builds, Docker, deployment, performance, and any Vaadin-specific topics. When using this tool, try to deduce the correct development model from context: use "java" for Java-based views, "react" for React-based views, or "common" for both. Use get_full_document with file_paths containing the result's file_path when you need complete context.

  Connector

• ateam_test_status

  ateam-mcp

  Poll the progress of an async skill test. Returns iteration count, tool call steps, status (running/completed/failed), and result when done. (Advanced — use ateam_test_skill with wait=true for synchronous testing.)

  Connector

• generate_diagram

  ALM X++ MCP Server

  WHEN: generating a visual diagram of D365 table relationships or security chains. Triggers: 'generate diagram', 'diagramme', 'visualize', 'schéma', 'ER diagram', 'entity-relationship', 'relation diagram', 'security diagram', 'show connections'. Generate visual Mermaid diagrams from D365 F&O knowledge base data. Diagrams render directly in Copilot Chat, Cursor, Claude, and markdown viewers. Types: 'er' (entity-relationship diagram for a table and its relations), 'security' (security chain: Role->Duty->Privilege->EntryPoints -- use when you need a VISUAL Mermaid diagram; for the structured text chain with tables of duties/privileges/entry-points use `trace_security_chain` instead). Note: 'flow' (execution flowchart) is disabled -- static call trees are misleading in D365 due to CoC and event handlers.

  Connector

• scan_headers

  ContrastAPI

  Perform live HTTP GET and analyze security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, Referrer-Policy. Use to audit live website headers; use check_headers to validate headers you already have. Free: 100/hr, Pro: 1000/hr. By default header values are truncated to 500 chars (CSP can exceed 4 KB on large sites); pass include='full' for the full raw value. Returns {headers_present, headers_missing, findings, total_score}.

  Connector

• get_device_ads

  Trillboards DOOH Advertising

  Get current ads scheduled for a device (for testing). WHEN TO USE: - Testing device ad delivery - Debugging which ads are being shown - Verifying ad targeting is working RETURNS: - ads: Array of advertisement objects - default_stream: Default content when no ads - schedule: Current ad schedule EXAMPLE: User: "What ads are showing on device P_abc123?" get_device_ads({ fingerprint: "P_abc123" })

  Connector

• tech_fingerprint

  ContrastAPI

  Detect website technology stack: CMS, frameworks, CDN, analytics tools, web servers, languages (via HTTP headers + HTML analysis). Use for passive reconnaissance; for full audit use audit_domain. Free: 100/hr, Pro: 1000/hr. Returns {technologies: [{name, category, confidence%, version}]}.

  Connector

• get_competitors

  ENTIA Entity Verification MCP

  Find all verified businesses competing in the same sector and city. Use when a user asks 'who are my competitors?', 'how many dentists are in Valencia?', 'list all law firms in Bilbao', 'what's the market density for gyms in Madrid?', or needs competitive intelligence for any sector and location. Searches ENTIA's verified registry (5.5M entities, 26 sectors in Spain) for businesses matching the sector + city combination. Returns for each competitor: legal name, full address, phone, website, rating, and canonical Entia Home URL for the full verified profile. Useful for: competitive analysis, market entry assessment, franchise territory planning, zone saturation mapping, and local SEO benchmarking.

  Connector

• submit_website

  Silicon Friendly

  Submit a new website to the Silicon Friendly directory. Requires authentication. Pass your silicon auth_token. Args: url: The website URL (e.g. "https://stripe.com") name: Display name for the website (e.g. "Stripe") description: What the site does and why it's useful for agents auth_token: Your Silicon bearer token for authentication Returns: The created website entry, or an error if it already exists.

  Connector

• check_injection

  ContrastAPI

  Scan source code for injection vulnerabilities: SQL injection, command injection, path traversal via unsafe string concatenation/unsanitized input. Supports Python, JavaScript, TypeScript, Java, Go, Ruby, Shell, Bash. Use to detect input-handling bugs; for secrets use check_secrets. Companion code-security tools: check_secrets (hard-coded credential detection), check_dependencies (known-CVE vulnerability audit), check_headers (live HTTP security-header validation), scan_headers (live HTTP scan via domain). Free: 100/hr, Pro: 1000/hr. Returns {total, by_severity, findings}. No data stored.

  Connector

• generate_sra

  HIPAA Agent

  Initiate a HIPAA Security Risk Assessment. Returns the first batch of questions for the respondent to answer. Requires active subscription or platform/MSP key. Cost: 500 credits.

  Connector

• audit_domain

  ContrastAPI

  Perform comprehensive domain audit: combines domain_report + live HTTP security headers + technology fingerprinting. By default report.dns.txt is filtered to security-relevant entries (SPF, DMARC, DKIM, MTA-STS, TLS-RPT) and report.dns.total_txt_records reports the honest pre-filter count; pass include_all_txt=true for the raw TXT list. Use when you need the full picture (recon + active checks); use domain_report for passive-only assessment. Response carries next_calls — chain with subdomain_enum (always emitted) and ssl_check (when an A record resolves) for the residual recon depth (tech_fingerprint already inline as `technologies`). Free: 100/hr (costs 4 credits), Pro: 1000/hr. Returns {domain, report, technologies, live_headers, summary, next_calls}.

  Connector

• server.capabilities

  AurelianFlo

  Free capability and connection check for AurelianFlo, including OFAC wallet screening tools, direct and Smithery-hosted access modes, and which tools require x402 payment.

  Connector

• get_security_writing_guidelines

  website-search

  Get Lenny Zeltser's expert writing guidelines for security reports and assessments. Provides guidance on tone, structure, clarity, executive summaries, and avoiding common writing mistakes. Includes rating-sheet items (the four lens sheets: structure, look, words, tone) as concrete reference points for grounded feedback. Works for any security document. This server never requests your documents and instructs your AI to keep them local—guidelines flow to your AI for local analysis. Note: For incident response reports specifically, use the ir_* tools which provide deeper section-by-section review criteria.

  Connector

• product_load_context

  website-search

  Load Lenny Zeltser's product strategy context for local analysis. Returns expert strategic frameworks, principles, and guidance for evaluating or creating security product plans. Includes rating-sheet items (the lens taxonomy: structure, words, tone) as concrete reference points for grounded feedback on the plan's writing. This server never requests your plans and instructs your AI to keep them local. Use detail_level to control response size: "minimal" (~2k tokens), "standard" (~5k tokens), "compact" (~3-4k tokens, all sections but stripped), or "comprehensive" (~12k tokens). Use market_segment: "smb" for SMB-specific guidance. Use product_focus: "endpoint" for endpoint security viability assessment. Set include_template: true to include the fill-in-the-blank template in the response.

  Connector

• get_index_info

  website-search

  Get statistics about the Lenny Zeltser's Website search index including total pages indexed, last update time, and available tools.

  Connector

• talent_assess_start

  Talent-Augmenting Layer

  Start a Talent-Augmenting OS onboarding assessment. Returns the full assessment protocol with all questions, behavioural anchors, and instructions for how to run the assessment conversationally. The chatbot uses this to ask questions one at a time, collect answers, then call talent_assess_score and talent_assess_create_profile to compute scores and save the profile. Call this at the beginning of any onboarding conversation.

  Connector