playbooks

home / mcp / mcp pentest server

MCP Pentest Server

Bridges AI with pentesting tools, orchestrates workflows, and logs findings for reports.

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "allsmog-mcp-pentest": {
      "command": "python",
      "args": [
        "/path/to/mcp-pentest/server.py"
      ]
    }
  }
}

MCP (Model Context Provider) for Penetration Testing is an AI-assisted middleware that connects penetration testing tools, normalizes their outputs, and guides you through reconnaissance, scanning, exploitation, post-exploitation, and reporting. It aggregates real-time tool results into a unified engagement context and provides LLM-powered insights to help you make informed decisions during a legal, authorized security test.

How to use

You use MCP by running its local server (stdio-based) and connecting an MCP client or environment that can communicate with the MCP protocol. In practice, you start the server locally and then issue commands from your toolchain or editor to perform reconnaissance, scanning, exploitation, and reporting tasks. The system enforces a standard engagement flow: recon → scanning → exploitation → post-exploitation → reporting, and it surfaces results in a consistent, queryable format.

How to install

Prerequisites you need before installing MCP are Python 3.8 or newer and a suitable network tool set for your engagements (as applicable, Nmap for scanning and Gobuster for web enumeration). Ensure you have proper authorization and a clearly defined scope for any penetration testing activity.

# Step 1: Clone the MCP pentest server repository
git clone https://github.com/allsmog/mcp-pentest.git
cd mcp-pentest

# Step 2: Install the MCP server package in editable mode
pip install -e .

# Step 3: Install required runtime dependencies (the MCP package and peers)
pip install mcp

Configuration and running the local MCP server

To run the local MCP server, you execute the Python entry point that serves the MCP protocol via stdio. The example shows starting the server directly from the script path, allowing you to interact with counselors, clients, or editors that speak the MCP protocol.

# Start the MCP server directly
python server.py

# The server communicates over stdio and accepts MCP protocol messages

Testing with a client (Claude Desktop example)

If you use a desktop client to drive MCP, configure the client to launch the MCP server with the appropriate command and arguments. The configuration points to the Python interpreter and the server script, with an environment block for any needed variables.

{
  "mcpServers": {
    "mcp_pentest": {
      "command": "python",
      "args": ["/path/to/mcp-pentest/server.py"],
      "env": {}
    }
  }
}

Available tools

Reconnaissance

Coordinate information gathering using integrated tools to build a baseline map of the target environment.

Scanning

Perform network and web enumeration with supported scanners to identify open ports, services, and potential vulnerabilities.

Exploitation

Coordinate exploit attempts through the integrated exploitation framework or compatible tooling.

Post-exploitation

Enumerate and gather additional context, credentials, and pivot opportunities after initial access.

Reporting

Structure findings and actions into a comprehensive report, preserving knowledge across the engagement.

LLM Insights

Provide AI-assisted guidance and interpretation of findings, helping prioritize next steps.

Context Aggregation

Aggregate tool outputs into a unified engagement context for real-time analysis.

Security & Access Control

Enforce role-based access and sanitize data interactions with the LLM for safe operation.