@turbopentest/mcp-server
MCP server for TurboPentest — run AI-powered penetration tests and review findings from your coding assistant.
Setup
1. Get your API key
Create an API key at turbopentest.com/settings/api-keys.
2. Add to your MCP client
Claude Desktop (claude_desktop_config.json):
{
"mcpServers": {
"turbopentest": {
"command": "npx",
"args": ["@turbopentest/mcp-server"],
"env": {
"TURBOPENTEST_API_KEY": "tp_live_..."
}
}
}
}
Claude Code (.mcp.json in your project root):
{
"mcpServers": {
"turbopentest": {
"command": "npx",
"args": ["@turbopentest/mcp-server"],
"env": {
"TURBOPENTEST_API_KEY": "tp_live_..."
}
}
}
}
Cursor (Settings > MCP Servers > Add):
{
"command": "npx",
"args": ["@turbopentest/mcp-server"],
"env": {
"TURBOPENTEST_API_KEY": "tp_live_..."
}
}
Tools
| Tool | Description |
|---|---|
start_pentest | Launch a pentest against a verified domain. Supports recon/standard/deep/blitz tiers and optional GitHub repo for white-box scanning. |
get_pentest | Get full scan details: status, progress, findings summary, executive summary, attack surface map, STRIDE threat model. |
list_pentests | List all your pentests with status and finding counts. Filter by status, limit results. |
get_findings | Get structured vulnerability findings with severity, CVSS, CWE, PoC, remediation, and retest commands. Filter by severity. |
download_report | Download a pentest report as markdown (best for AI), JSON, or PDF. |
get_credits | Check your credit balance and available scan tiers with pricing. |
verify_attestation | Verify a blockchain-anchored pentest attestation by hash (public, no API key required). |
list_domains | List your verified domains and their verification status. |
Scan Tiers
| Tier | Agents | Duration | Price |
|---|---|---|---|
| Recon | 1 | 30 min | $49 |
| Standard | 4 | 1 hour | $99 |
| Deep | 10 | 2 hours | $299 |
| Blitz | 20 | 4 hours | $699 |
Example
You: "Run a pentest on staging.example.com"
Claude: Calls start_pentest → "Started pentest tp_abc123, 4 agents, ~1 hour"
You: "How's it going?"
Claude: Calls get_pentest → "60% complete, 3 findings so far (1 high, 2 medium)"
You: "Show me the high severity findings"
Claude: Calls get_findings(severity: "high") → Shows SQL injection details with PoC and remediation
Configuration
| Environment Variable | Description | Default |
|---|---|---|
TURBOPENTEST_API_KEY | Your TurboPentest API key (required) | — |
TURBOPENTEST_API_URL | Custom API base URL (for testing) | https://turbopentest.com/api |
Requirements
- Node.js 18+
- A TurboPentest account with API access
License
MIT