Run AI-powered penetration tests and review findings from your coding assistant.
@turbopentest/mcp-server
MCP server for TurboPentest — run AI-powered penetration tests and review findings from your coding assistant.
Setup
1. Get your API key
Create an API key at turbopentest.com/settings/api-keys.
2. Add to your MCP client
Claude Desktop (claude_desktop_config.json):
{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}
Claude Code (.mcp.json in your project root):
{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}
Cursor (Settings > MCP Servers > Add):
{
  "command": "npx",
  "args": ["@turbopentest/mcp-server"],
  "env": {
    "TURBOPENTEST_API_KEY": "tp_live_..."
  }
}
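The configs above put the API key in a file (for Claude Code, one in the project root) and let npx fetch the package without a version. The following Node.js check is an added example, not code from the TurboPentest project; it flags both conditions. The function and rule names, the `${VAR}` reference syntax it accepts, and the version number in the sample are assumptions.

```javascript
// Added example: lint an MCP client config for hard-coded keys and unpinned npx packages.
// lintMcpConfig and its rule names are hypothetical, not part of @turbopentest/mcp-server.

const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)$/i;
const ENV_REFERENCE = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/; // assumed ${VAR} indirection syntax

// True when an npm package spec carries an exact version, e.g. @scope/name@1.2.3
function isPinned(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 && /^\d+\.\d+\.\d+/.test(spec.slice(at + 1));
}

function lintMcpConfig(jsonText) {
  const config = JSON.parse(jsonText);
  // Claude Desktop / Claude Code nest servers under mcpServers; Cursor's form is one bare entry.
  const servers = config.mcpServers || { "(single entry)": config };
  const findings = [];
  for (const [name, server] of Object.entries(servers)) {
    for (const [key, value] of Object.entries(server.env || {})) {
      if (SECRET_NAME.test(key) && typeof value === "string" && !ENV_REFERENCE.test(value)) {
        findings.push({ server: name, rule: "literal-secret", detail: key });
      }
    }
    if (server.command === "npx") {
      // The first non-flag argument is the package npx will download and execute.
      const spec = (server.args || []).find((a) => !a.startsWith("-"));
      if (spec && !isPinned(spec)) {
        findings.push({ server: name, rule: "unpinned-package", detail: spec });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (the key value and version number are placeholders).
const asOnPage = JSON.stringify({
  mcpServers: { turbopentest: { command: "npx", args: ["@turbopentest/mcp-server"],
    env: { TURBOPENTEST_API_KEY: "tp_live_PLACEHOLDER" } } },
});
const hardened = JSON.stringify({
  mcpServers: { turbopentest: { command: "npx", args: ["-y", "@turbopentest/mcp-server@0.0.0"],
    env: { TURBOPENTEST_API_KEY: "${TURBOPENTEST_API_KEY}" } } },
});

console.log(lintMcpConfig(asOnPage)); // one literal-secret and one unpinned-package finding
console.log(lintMcpConfig(hardened)); // []
```

Run it against `.mcp.json` in a pre-commit hook or CI step so a live key is caught before the file reaches version control.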
Tools
| Tool | Description |
|---|---|
| start_pentest | Launch a pentest against a verified domain. Supports recon/standard/deep/blitz tiers and optional GitHub repo for white-box scanning. |
| get_pentest | Get full scan details: status, progress, findings summary, executive summary, attack surface map, STRIDE threat model. |
| list_pentests | List all your pentests with status and finding counts. Filter by status, limit results. |
| get_findings | Get structured vulnerability findings with severity, CVSS, CWE, PoC, remediation, and retest commands. Filter by severity. |
| download_report | Download a pentest report as markdown (best for AI), JSON, or PDF. |
| get_credits | Check your credit balance and available scan tiers with pricing. |
| verify_attestation | Verify a blockchain-anchored pentest attestation by hash (public, no API key required). |
| list_domains | List your verified domains and their verification status. |
Prompts
Built-in prompts for common workflows. Your AI assistant can use these to guide multi-step operations.
| Prompt | Description |
|---|---|
| analyze_findings | Deep-dive analysis of a pentest's findings with prioritized remediation plan |
| compare_pentests | Diff two pentests to track what's new, fixed, and persistent across tests |
| run_pentest | Guided full-lifecycle pentest: domain check, credit verification, launch, monitoring, and summary |
| security_posture | Executive summary of overall security posture across all recent pentests |
Scan Tiers
| Tier | Agents | Duration | Price |
|---|---|---|---|
| Recon | 1 | 30 min | $49 |
| Standard | 4 | 1 hour | $99 |
| Deep | 10 | 2 hours | $299 |
| Blitz | 20 | 4 hours | $699 |
Example
You: "Run a pentest on staging.example.com"
Claude: Calls start_pentest → "Started pentest tp_abc123, 4 agents, ~1 hour"
You: "How's it going?"
Claude: Calls get_pentest → "60% complete, 3 findings so far (1 high, 2 medium)"
You: "Show me the high severity findings"
Claude: Calls get_findings(severity: "high") → Shows SQL injection details with PoC and remediation
Configuration
| Environment Variable | Description | Default |
|---|---|---|
| TURBOPENTEST_API_KEY | Your TurboPentest API key (required) | — |
| TURBOPENTEST_API_URL | Custom API base URL (for testing) | https://turbopentest.com/api |
Requirements
- Node.js 18+
- A TurboPentest account with API access
License
MIT