Pentest MCP

MCP server providing penetration testing capabilities to AI agents. Enables authorized security professionals to run security scans, enumerate targets, test vulnerabilities, and conduct structured penetration testing workflows through AI agent orchestration — integrating common pentest tools into MCP-accessible operations.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Homepage ↗ Repo ↗ Security pentest security-testing penetration-testing authorized-use mcp-server offensive-security
⚙ Agent Friendliness
68
/ 100
Can an agent use this?
🔒 Security
68
/ 100
Is it safe for agents?
⚡ Reliability
62
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
62
Documentation
62
Error Messages
60
Auth Simplicity
88
Rate Limits
75

🔒 Security

TLS Enforcement
70
Auth Strength
68
Scope Granularity
65
Dep. Hygiene
65
Secret Handling
72

Offensive testing tool. Authorized use only. Criminal liability for unauthorized use. Professionals only.

⚡ Reliability

Uptime/SLA
65
Version Stability
62
Breaking Changes
60
Error Recovery
62
AF Security Reliability

Best When

An authorized penetration tester or security researcher wants AI agents to assist with structured penetration testing workflows — orchestrating tools, analyzing output, and managing test phases on explicitly authorized targets.

Avoid When

You don't have written authorization for every target you plan to test. Unauthorized penetration testing is illegal. This is for licensed security professionals with proper engagement scope.

Use Cases

  • Automating penetration testing workflows with AI agent orchestration (authorized targets only)
  • Running network enumeration and vulnerability scanning from security assessment agents
  • Integrating pentest tool output analysis into AI-driven security assessment workflows
  • Supporting bug bounty research with AI-assisted vulnerability discovery

Not For

  • Testing systems you don't own or lack explicit written authorization to test
  • Automated attacks against production systems
  • Red team operations without proper scope and authorization documentation

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
Yes
SDK
No
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

Local operation — wraps local pentest tools. Authorization to test targets is the operator's legal responsibility.

Pricing

Model: free
Free tier: Yes
Requires CC: No

Free open source. Requires local pentest tools (nmap, etc.) to be installed.

Agent Metadata

Pagination
none
Idempotent
Partial
Retry Guidance
Not documented

Known Gotchas

  • AUTHORIZED USE ONLY: Penetration testing without explicit written authorization is illegal
  • Requires pentest tools installed locally (nmap, etc.) — not a zero-dependency setup
  • AI agents can escalate scope unintentionally — carefully constrain target scope in prompts
  • Community tool — may not cover all pentest phases; verify capabilities before engagement

Alternatives

nuclei-mcp-server mcp-server-fuzzer pwndoc-mcp-server

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Pentest MCP.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5215
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered