toolbox
toolbox/sectool is a CLI + MCP server that enables collaborative application security testing between a human operator and an AI agent. It provides a wire-fidelity HTTP(S) MITM proxy (native, and optional Burp as a front-end), captures and replays authenticated browser/proxy traffic, supports crawling/diffing/reflection detection and out-of-band interaction testing (OAST via Interactsh), and exposes these capabilities as MCP tools (plus CLI commands sharing state).
Score Breakdown
🔒 Security
Security-relevant strengths: supports HTTPS interception via a user-installed CA to enable accurate testing; provides workflow guidance to reduce excessive agent behavior. Security concerns/unknowns: no documented authentication/authorization for the local MCP server interface (likely intended for localhost trust). The tooling manipulates potentially sensitive captured traffic (including cookies/JWTs) and thus requires careful handling of local artifacts and logs; the provided content does not specify redaction or secure storage. Dependency hygiene and detailed security practices are not verifiable from the provided README/metadata alone.
Best When
You need agent-assisted, authenticated, stateful web app testing where a human can drive the browser/UI and the agent can analyze and mutate the resulting traffic via MCP.
Avoid When
You cannot install/use a MITM CA cert or otherwise cannot inspect/modify traffic (corporate policy, strict client constraints), or when you require formal SLAs and SaaS-style operational guarantees.
Use Cases
- Interactive appsec testing where a human performs authentication and UI actions while an agent explores and mutates captured flows
- Validating vulnerability reports by replaying and diffing captured request/response pairs
- Endpoint and form discovery via crawling seeded from proxy history
- Injection/reflection triage by detecting reflected parameters across encoding variants
- Out-of-band callback checks (OAST) for blind behaviors using Interactsh
- Regression-style testing by exporting/editing request bundles and resending
Not For
- Automated, fully headless vulnerability scanning without a human/agent workflow
- General-purpose API testing for environments where MITM proxying is disallowed or impractical
- Use as an authorization boundary (it helps testing; it does not replace proper authz/authn controls)
Interface
Authentication
No service-to-service API auth is described for the local MCP server; access appears intended for local use. Agent/user authentication to the target application is handled via interactive browser/proxy session.
Pricing
Open-source CLI/tooling (MIT license per repository metadata). No pricing model indicated in provided content.
Agent Metadata
Known Gotchas
- ⚠ Requires a working MITM setup (proxy configuration + CA installation for HTTPS interception) or Burp MCP availability.
- ⚠ The tool is not a scanner; agent success depends on the human providing appropriate authentication/UI state and selecting appropriate workflow mode.
- ⚠ Workflows can exclude crawling tools in test-report mode; agents need to respect workflow instructions.
- ⚠ OAST requires external callback infrastructure (Interactsh) and waiting/polling for events.
- ⚠ Proxy fidelity (HTTP/1.1, HTTP/2, WebSocket) may introduce complexity for certain edge cases; the agent should handle protocol-specific artifacts carefully.
Scores are editorial opinions as of 2026-03-30.