MCP Server for AI-Assistant-Driven Pentesting

What is the Model Context Protocol?

The Model Context Protocol (MCP) is an open standard that allows AI assistants to interact with external tools and services. Instead of copying and pasting between your security dashboard and your code editor, MCP lets your AI assistant talk directly to TurboPentest — launching pentests, querying results, and even acting on findings without leaving your development environment.

TurboPentest's MCP Server exposes the full pentest lifecycle as MCP tools that any compatible AI assistant can call. This includes Claude Code, VS Code with Copilot, Cursor, Windsurf, and any other editor that supports the MCP standard.

Installing the MCP Server

The TurboPentest MCP Server is distributed as an npm package:

npm install -g @turbopentest/mcp-server

Once installed, you configure it in your editor's MCP settings. For Claude Code, add it to your .claude/settings.json:

{
  "mcpServers": {
    "turbopentest": {
      "command": "turbopentest-mcp",
      "env": {
        "TURBOPENTEST_API_KEY": "your-api-key-here"
      }
    }
  }
}

For VS Code, add the equivalent configuration in your MCP settings file. The server authenticates using your TurboPentest API key passed as an environment variable.

Available MCP Tools

The MCP Server exposes the following tools to your AI assistant:

Pentest Lifecycle

  • turbopentest_launch — Start a new pentest with a target URL, tier, and optional parameters. Returns a pentest ID for tracking.
  • turbopentest_status — Check the current status of a running pentest (queued, phase1, phase2, complete, failed).
  • turbopentest_cancel — Cancel a running pentest. Credits are refunded if Phase 2 has not yet started.
  • turbopentest_list — List recent pentests with their status, target, and finding counts.

Results and Findings

  • turbopentest_findings — Retrieve all findings for a completed pentest, with severity, description, proof-of-concept, and remediation steps.
  • turbopentest_finding_detail — Get full details for a specific finding by ID, including the exploit chain, affected endpoints, and retest commands.
  • turbopentest_report_url — Get the direct URL to the web report for a pentest.

Continuity and Comparison

  • turbopentest_compare — Compare findings between two pentests to see what is new, fixed, or persistent.
  • turbopentest_history — View the history of pentests for a specific target, with finding trend data.

Workflow: Pentest from Your Editor

Here is a typical interaction with an MCP-aware AI assistant:

You: "Run a standard pentest against our staging environment at staging.example.com"

Assistant: Calls turbopentest_launch with target https://staging.example.com and tier standard. Returns pentest ID pt_abc123.

You: "What is the status?"

Assistant: Calls turbopentest_status with ID pt_abc123. Reports: "Phase 2 in progress. 3 of 8 agents complete. 4 findings so far (1 high, 2 medium, 1 low)."

You: "Show me the high severity finding."

Assistant: Calls turbopentest_findings filtered to high severity. Returns: "SQL Injection in /api/users endpoint via the 'sort' parameter. The agent demonstrated data extraction using a UNION-based payload."

You: "Fix this vulnerability in our codebase."

Assistant: Reads the finding's remediation guidance and the relevant source file, then applies a parameterized query fix — all without leaving the editor.

This workflow compresses what would normally be a multi-day cycle (run pentest, read report, switch to IDE, find code, apply fix) into a single conversation.

Tool Reference Details

turbopentest_launch

Parameter     Type      Required  Description
target        string    yes       The URL to pentest
tier          string    yes       recon, standard, deep, or blitz
source_url    string    no        Git repository URL for source analysis
callback_url  string    no        Webhook URL for completion notification
tags          string[]  no        Custom tags for organizing pentests

turbopentest_findings

Parameter   Type    Required  Description
pentest_id  string  yes       The pentest to query
severity    string  no        Filter by severity (critical, high, medium, low)
category    string  no        Filter by OWASP category
status      string  no        Filter by status (new, persistent, fixed)
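The tool calls from the workflow above, as an added example that is not code from the TurboPentest package or the MCP SDK: a mock MCP tools/call dispatcher for turbopentest_launch and turbopentest_findings that enforces the required and enum constraints from the parameter tables and answers from a constructed finding set. The pentest ID, finding IDs and titles are made up, and the real server's response text format is assumed, not documented here.

```javascript
const TIERS = ["recon", "standard", "deep", "blitz"];
const SEVERITIES = ["critical", "high", "medium", "low"];
const STATUSES = ["new", "persistent", "fixed"];

// Constructed sample data: the pentest ID and findings are illustrative only.
const FINDINGS = {
  pt_abc123: [
    { id: "f-1", severity: "high", category: "A03:2021-Injection", status: "new",
      title: "SQL Injection in /api/users via the 'sort' parameter" },
    { id: "f-2", severity: "medium", category: "A05:2021-Security Misconfiguration",
      status: "persistent", title: "Missing Content-Security-Policy header" },
  ],
};
let nextId = 1;

// Tool handlers throw on bad input; the dispatcher reports that as isError.
const TOOLS = {
  turbopentest_launch(a) {
    if (typeof a.target !== "string") throw new Error("target (string) is required");
    const url = new URL(a.target); // throws on a malformed target
    if (!/^https?:$/.test(url.protocol)) throw new Error("target must be an http(s) URL");
    if (!TIERS.includes(a.tier)) throw new Error(`tier must be one of ${TIERS.join(", ")}`);
    if (a.tags !== undefined && !Array.isArray(a.tags)) throw new Error("tags must be string[]");
    return { pentest_id: `pt_mock${nextId++}`, target: url.href, tier: a.tier, status: "queued" };
  },
  turbopentest_findings(a) {
    if (!(a.pentest_id in FINDINGS)) throw new Error("unknown pentest_id");
    for (const [k, allowed] of [["severity", SEVERITIES], ["status", STATUSES]])
      if (a[k] !== undefined && !allowed.includes(a[k])) throw new Error(`invalid ${k}: ${a[k]}`);
    return FINDINGS[a.pentest_id].filter(f =>
      (!a.severity || f.severity === a.severity) &&
      (!a.category || f.category === a.category) &&
      (!a.status || f.status === a.status));
  },
};

// Handle one JSON-RPC request object the way an MCP server handles tools/call:
// protocol problems become JSON-RPC errors, tool-input problems become isError results.
function handleRequest(req) {
  const { id, method, params = {} } = req;
  if (method !== "tools/call") return { jsonrpc: "2.0", id, error: { code: -32601, message: "Method not found" } };
  const tool = TOOLS[params.name];
  if (!tool) return { jsonrpc: "2.0", id, error: { code: -32602, message: `Unknown tool: ${params.name}` } };
  try {
    const text = JSON.stringify(tool(params.arguments || {}));
    return { jsonrpc: "2.0", id, result: { content: [{ type: "text", text }], isError: false } };
  } catch (e) {
    return { jsonrpc: "2.0", id, result: { content: [{ type: "text", text: e.message }], isError: true } };
  }
}
```

Feeding handleRequest a tools/call request for turbopentest_launch with an unknown tier, or turbopentest_findings with a severity outside the documented set, yields an isError result rather than a launched pentest, which is the behaviour a client should expect from the real server for invalid arguments.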

Security Considerations

The MCP Server runs locally on your machine and communicates with TurboPentest's API over HTTPS. Your API key never leaves your local environment. The server does not store any pentest data locally — all data remains in TurboPentest's infrastructure.

For team environments, each developer should use their own API key scoped to their role permissions. Admin-level keys should not be distributed to individual developer MCP configurations.

Advantages Over the Web Dashboard

While the TurboPentest web dashboard provides a full-featured interface for managing pentests, the MCP Server offers unique advantages for developers:

  • No context switching — Stay in your editor throughout the entire pentest-review-fix cycle
  • AI-assisted remediation — Your AI assistant can read findings and apply fixes in the same conversation
  • Programmatic filtering — Query findings by severity, category, or status without navigating a UI
  • Natural language interaction — Ask questions about findings in plain English rather than navigating menus
  • Batch operations — Launch pentests across multiple targets or compare results across environments using conversational commands