
Product

First EASM with an MCP server for AI agents.

We expose the platform as a tool set over the Model Context Protocol. Claude Code, Cursor, and other MCP clients trigger scans, verify findings, and fetch reports directly, without a human opening a web dashboard.

14 tools, four categories, npm package. One line in ~/.claude/.mcp.json.

~/.claude/.mcp.json
{
  "mcpServers": {
    "pentesting": {
      "command": "npx",
      "args": [
        "-y",
        "@adminor/pentesting-mcp"
      ],
      "env": {
        "PENTESTING_API_KEY": "ps_live_..."
      }
    }
  }
}
Save and restart Claude Code.

What you do with it

Agentic, not automation.

The difference between writing a cron script that calls our API and asking Claude to do it is that Claude understands context. It knows whether a scan result is worth escalating, whether a finding looks like a false positive (FP), and whether it should run another verification. Three common scenarios:

01 Trigger a scan from chat

"Claude, scan shop.example.com with the standard profile and summarize what you found." Claude uses pentesting_trigger_scan, polls pentesting_scan_status until done, fetches findings, and writes a short summary in the same window.

02 Verify a suspected finding

"This SQL injection finding looks fishy. Re-run verification and check if it reproduces." Cursor calls pentesting_verify_finding against the specific finding id, reads the new self-test result, and updates the finding status if it turns out to be FP. No dashboard login needed.

03 Wire into the CI/CD loop

An agent runs in the pipeline before production deploy. It triggers a scan against staging, waits, checks if any critical/high were added since the last run, and aborts deploy if so. The difference from a regular API call is that the agent can reason about the result, not just match a counter.
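
A deterministic form of the gate check in scenario 03, as an added example that is not the vendor's code. It assumes the findings of both runs have already been fetched (for instance with pentesting_get_findings) and uses hypothetical field names (asset, title, severity, status) and a hypothetical "completed" scan state, because the page does not document the response schema. A finding raised to high since the last run counts as added, and the gate fails closed when the scan did not finish.

```python
# Added example. Field names and the "completed"/"false_positive" values are assumptions, not the vendor's schema.
BLOCKING = {"critical", "high"}


def fingerprint(finding):
    """Stable identity across scans: ids may change per run, asset + title should not."""
    return (finding["asset"].lower(), finding["title"].strip().lower())


def blocking_set(findings):
    """Map fingerprint -> finding for critical/high findings not marked false positive."""
    return {
        fingerprint(f): f
        for f in findings
        if f.get("status") != "false_positive"
        and f.get("severity", "").lower() in BLOCKING
    }


def new_blocking_findings(previous, current):
    """Critical/high findings in the current scan that the last run did not have."""
    before, now = blocking_set(previous), blocking_set(current)
    return [now[k] for k in sorted(now) if k not in before]


def gate(scan_state, previous, current):
    """Return (exit_code, reasons). Fails closed when the scan did not complete."""
    if scan_state != "completed":
        return 1, [f"scan state is {scan_state!r}, refusing to deploy"]
    added = new_blocking_findings(previous, current)
    reasons = [f"{f['severity'].upper()} {f['title']} on {f['asset']}" for f in added]
    return (1 if added else 0), reasons


LAST_RUN = [  # constructed sample data for two staging scans
    {"asset": "staging.example.com", "title": "Outdated TLS configuration", "severity": "high", "status": "open"},
    {"asset": "staging.example.com", "title": "Verbose error page", "severity": "medium", "status": "open"},
]
THIS_RUN = [
    {"asset": "staging.example.com", "title": "Outdated TLS configuration", "severity": "high", "status": "open"},
    {"asset": "staging.example.com", "title": "Verbose error page", "severity": "high", "status": "open"},
    {"asset": "staging.example.com", "title": "SQL injection in /search", "severity": "critical", "status": "false_positive"},
    {"asset": "api.staging.example.com", "title": "Exposed admin panel", "severity": "Critical", "status": "open"},
]

if __name__ == "__main__":
    code, reasons = gate("completed", LAST_RUN, THIS_RUN)
    print("\n".join(reasons) or "no new critical/high findings")
    raise SystemExit(code)
```

Keeping the abort decision in a fixed check like this makes the pipeline outcome reproducible; the agent's reasoning can then be used for triage and summaries rather than for the pass/fail verdict.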

Tool set

14 tools, four categories.

All routed through the API key with the same permissions the web dashboard grants. Nothing extra. No side effects beyond what you can already do when signed in.

Scan

Trigger and watch scans, pick a profile, request an artisanal review.

  • pentesting_trigger_scan
  • pentesting_scan_status
  • pentesting_list_scan_profiles
  • pentesting_request_artisanal_review

Inventory

List verified targets, organizations, and discovered assets.

  • pentesting_list_targets
  • pentesting_list_organizations
  • pentesting_get_discovery

Findings

Fetch findings, request re-verification, export reports in different formats.

  • pentesting_get_findings
  • pentesting_verify_finding
  • pentesting_get_scan_report
  • pentesting_export_report

Compliance and alerts

Compliance status (NIS2, ISO 27001), run a health check, subscribe to events.

  • pentesting_get_compliance_status
  • pentesting_run_health_check
  • pentesting_subscribe_alerts

MCP for agentic, REST for automation.

Both work against the same platform. The difference is who calls them. The REST API is for cron scripts, GitHub Actions, Terraform providers, and anything with a fixed loop. MCP is for agents that need to reason about what they just saw and decide what to do next. Use both. They count against the same API quota.

REST documentation: pentesting.se/api/v1. MCP server: @adminor/pentesting-mcp on npm.

Want to try the MCP server?

Create an account, generate an API key, drop three lines into ~/.claude/.mcp.json.