StackHawk MCP Server

Official StackHawk MCP server enabling AI agents to trigger DAST (Dynamic Application Security Testing) scans, retrieve vulnerabilities, and integrate security testing into CI/CD agent workflows.

Evaluated Mar 06, 2026 (version evaluated: current)
Category: Security
Tags: stackhawk, security, dast, api-security, testing, mcp-server, official, owasp, pentest
⚙ Agent Friendliness: 74 / 100 (Can an agent use this?)
🔒 Security: 82 / 100 (Is it safe for agents?)
⚡ Reliability: 76 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 76
Documentation: 78
Error Messages: 72
Auth Simplicity: 82
Rate Limits: 58

🔒 Security

TLS Enforcement: 100
Auth Strength: 80
Scope Granularity: 72
Dep. Hygiene: 78
Secret Handling: 80

Security tool with appropriate security practices. API keys scoped to org/app context. HTTPS enforced. SOC 2 certified.

⚡ Reliability

Uptime/SLA: 80
Version Stability: 78
Breaking Changes: 75
Error Recovery: 72

Best When

An agent needs to perform or query dynamic security testing against web APIs and applications — integrating DAST into automated security workflows.

Avoid When

You need source code security scanning or SCA (Software Composition Analysis) — StackHawk is DAST only.

Use Cases

  • Triggering application security scans from agent workflows
  • Querying scan results and vulnerability findings in agent context
  • Integrating security testing into AI-driven DevSecOps pipelines
  • Getting remediation guidance for discovered vulnerabilities
  • Monitoring scan status in automated security workflows

Not For

  • Static code analysis (use CodeQL or Semgrep for that)
  • Container vulnerability scanning (use Trivy or Snyk)
  • Teams without web applications to test (requires a running app)

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: Yes
SDK: No
Webhooks: Yes

Authentication

Methods: api_key
OAuth: No
Scopes: Yes

StackHawk API key tied to organization. Scoped to application and organization context configured in HAWK.yaml config file.

Pricing

Model: freemium
Free tier: Yes
Requires CC: No

Generous free tier for single app. Paid plans required for team use and advanced features.

Agent Metadata

Pagination: cursor
Idempotent: Full
Retry Guidance: Documented

Known Gotchas

  • Scan execution requires a running application accessible from StackHawk's scanners — not for local-only apps
  • Scan duration can be minutes to hours depending on application size — agents must poll for completion
  • HAWK.yaml configuration file required per application — agents must manage config state
  • False positives in DAST scans are common — agents should not auto-remediate without human review
  • Rate limits on API not clearly documented — add conservative delays between scan triggers

Alternatives


Scores are editorial opinions as of 2026-03-06.
