Built for the Claude Code community with Claude Code by @mertduzgun

Independent project, not affiliated with Anthropic

Turbopentest

integsec/turbopentest-mcp
8 tools · auth · STDIO · registry active
Summary

Connects Claude to TurboPentest's API so you can launch pentests, poll for findings, and pull reports without switching windows. Exposes seven tools covering the full workflow: start scans against verified domains, filter findings by severity, download reports in markdown or PDF, and verify blockchain attestations. Four built-in prompts handle common sequences like compare_pentests for diff'ing two runs or security_posture for an executive view across recent scans. Supports white-box mode if you pass a GitHub repo URL, adding SAST and secret detection on top of black-box testing. Each completed scan gets anchored on-chain with a SHA-256 hash you can verify independently. Useful when you want security testing in the same loop as code review and deployment prep.

Tools

Public tool metadata for what this MCP can expose to an agent.

8 tools
turbopentest_download_report (2 params)

Download a full penetration test report in the specified format. The scan must have status 'complete' before a report can be generated. Use format 'markdown' for AI-readable analysis, 'json' for structured programmatic data, or 'pdf' for a professionally formatted document sui...

Parameters:
  • format (string): one of json · markdown · pdf
  • pentest_id (string)

turbopentest_get_credits

Check your current credit balance, usage breakdown by tier, and available scan tiers with pricing. Credits are consumed when launching penetration tests — each tier costs one credit of the matching type. Call this before turbopentest_start_scan to verify you have sufficient cr...

No parameter schema in public metadata yet.

turbopentest_get_findings (2 params)

Retrieve structured vulnerability findings for a completed penetration test. Each finding includes severity, CVSS score, CWE classification, detailed description, proof of concept, remediation steps, and a retest command. Returns up to 20 findings at a time — use the severity...

Parameters:
  • severity (string): one of critical · high · medium · low · info
  • pentest_id (string)

turbopentest_get_scan (1 param)

Retrieve full details for a specific penetration test by its ID. Returns current status, scan progress percentage, findings summary by severity, executive summary, attack surface map, and STRIDE threat model. Use this to monitor a running scan or review completed results. For...

Parameters:
  • pentest_id (string)

turbopentest_list_domains

List all domains in your account with their verification status and expiry dates. A domain must have status 'verified' before it can be used as a target in turbopentest_start_scan. To verify a new domain, add a DNS TXT record via the TurboPentest dashboard at turbopentest.com/...

No parameter schema in public metadata yet.

turbopentest_list_scans (2 params)

List all your penetration tests with their status and finding counts, ordered newest first. Use this to find pentest IDs, check which scans are running, or review past results. Supports filtering by status and limiting result count. Use turbopentest_get_scan with a specific ID...

Parameters:
  • limit (integer): default: 10
  • status (string): one of queued · scanning · complete · failed

turbopentest_start_scan (3 params)

Launch an AI-powered penetration test against a target URL. The target domain must be verified first — use turbopentest_list_domains to check. Requires an available credit matching the selected tier — use turbopentest_get_credits to check balance. Returns a pentest ID that can...

Parameters:
  • tier (string): one of recon · standard · deep · blitz; default: standard
  • repo_url (string)
  • target_url (string)

turbopentest_verify_attestation (1 param)

Verify a blockchain-anchored penetration test attestation by its SHA-256 hash. Returns scan metadata (tier, agents, duration, risk score, finding summary) and blockchain proof (chain ID, transaction hash, block number, merkle root) if anchored. This is a public endpoint — no A...

Parameters:
  • hash (string)

@turbopentest/mcp-server

MCP server for TurboPentest — launch AI-powered penetration tests, review vulnerability findings, and generate security reports, all without leaving your coding assistant.

What it does

Ask your AI assistant to run a pentest, check progress, and walk you through remediation — the server handles all the API calls. Every completed scan is anchored to the blockchain, giving you a tamper-proof attestation you can share with customers or auditors.

Quick start

1. Get your API key

Sign up and create an API key at turbopentest.com/settings/api-keys.

2. Verify a domain

Before scanning, verify that you own the target domain at turbopentest.com/domains.

3. Add the server to your MCP client

Claude Code (.mcp.json in your project root):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Claude Desktop (claude_desktop_config.json):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Cursor (Settings > MCP Servers > Add):

{
  "command": "npx",
  "args": ["@turbopentest/mcp-server"],
  "env": {
    "TURBOPENTEST_API_KEY": "tp_live_..."
  }
}
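
All three snippets place the API key directly in a config file, and `.mcp.json` sits in the project root where it is easily committed. The following is an added example (not code from the TurboPentest project) of a pre-commit style check that flags literal keys in both config layouts shown above; treating a `${VAR}` value as a safe environment reference is an assumption that depends on your MCP client supporting expansion, and the sample configs are constructed.

```javascript
// Added example: flag MCP client configs that embed a literal API key.
// The variable names and the tp_live_ prefix come from the page; samples are constructed.

const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)$/i;
// Assumption: the client expands ${VAR} / ${VAR:-default} from the environment.
const ENV_REFERENCE = /^\$\{[A-Za-z_][A-Za-z0-9_]*(:-[^}]*)?\}$/;

// Accepts both layouts on the page: {"mcpServers": {name: {...}}} and a bare
// server object ({"command": ..., "env": ...}) as in the Cursor snippet.
function serversOf(config) {
  if (config && typeof config.mcpServers === "object" && config.mcpServers !== null) {
    return Object.entries(config.mcpServers);
  }
  if (config && typeof config.command === "string") return [["(unnamed)", config]];
  return [];
}

function findLiteralSecrets(jsonText) {
  const findings = [];
  for (const [server, def] of serversOf(JSON.parse(jsonText))) {
    for (const [name, value] of Object.entries((def && def.env) || {})) {
      if (typeof value !== "string" || value === "") continue;
      const looksSecret = SECRET_NAME.test(name) || value.startsWith("tp_live_");
      if (looksSecret && !ENV_REFERENCE.test(value)) {
        // Report only the location, never the value itself.
        findings.push({ server, variable: name });
      }
    }
  }
  return findings;
}

// Constructed samples: a literal key (flagged) and an environment reference (not flagged).
const literalConfig = JSON.stringify({
  mcpServers: { turbopentest: { command: "npx", args: ["@turbopentest/mcp-server"],
    env: { TURBOPENTEST_API_KEY: "tp_live_CONSTRUCTED_PLACEHOLDER" } } },
});
const referenceConfig = JSON.stringify({
  mcpServers: { turbopentest: { command: "npx", args: ["@turbopentest/mcp-server"],
    env: { TURBOPENTEST_API_KEY: "${TURBOPENTEST_API_KEY}",
           TURBOPENTEST_API_URL: "https://turbopentest.com/api" } } },
});

console.log(findLiteralSecrets(literalConfig));
console.log(findLiteralSecrets(referenceConfig));
```
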

Example session

You:    "Run a standard pentest on staging.example.com"
Claude: Checks domain is verified, confirms credit balance,
        calls start_pentest → "Started tp_abc123, 4 agents, ~1 hour"

You:    "Any findings yet?"
Claude: Calls get_pentest → "62% complete — 3 findings (1 high, 2 medium)"

You:    "Show me the high severity ones"
Claude: Calls get_findings(severity: "high") →
        [1] HIGH: SQL Injection in /api/search
            CVSS: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
            CWE: CWE-89
            PoC: POST /api/search?q=' OR 1=1--
            Remediation: Use parameterized queries...
            Retest: sqlmap -u "https://staging.example.com/api/search" ...

You:    "Give me a prioritized remediation plan"
Claude: Uses the analyze_findings prompt → produces a full markdown
        remediation plan grouped by severity and effort

White-box scanning

Pass a GitHub repository URL to start_pentest to enable white-box mode. In addition to black-box testing, the scan will include:

  • SAST — static code analysis for common vulnerability patterns
  • Secret detection — leaked API keys, credentials, and tokens in source
  • SCA — dependency audit for known CVEs

You:  "Pentest staging.example.com, the repo is github.com/myorg/myapp"

Tools

| Tool | Description |
|---|---|
| turbopentest_start_pentest | Launch a pentest against a verified domain. Supports four tiers and optional GitHub repo for white-box scanning. |
| turbopentest_get_pentest | Get scan status, progress, findings summary, executive summary, attack surface map, and STRIDE threat model. |
| turbopentest_list_pentests | List all pentests with status and finding counts. Filterable by status. |
| turbopentest_get_findings | Retrieve structured findings with severity, CVSS, CWE, OWASP category, PoC, remediation steps, and retest commands. Filterable by severity. |
| turbopentest_download_report | Download a report in markdown (best for AI), JSON, or PDF format. |
| turbopentest_get_credits | Check your credit balance and available scan tiers with pricing. |
| turbopentest_verify_attestation | Verify a blockchain-anchored attestation by SHA-256 hash. No API key required — public endpoint. |
| turbopentest_list_domains | List your verified domains and their verification status. |

Prompts

Built-in prompts guide your AI assistant through multi-step workflows. Invoke them by name in any MCP client that supports prompts.

| Prompt | Description |
|---|---|
| run_pentest | Full-lifecycle pentest: domain check → credit verification → launch → progress monitoring → findings summary → report download |
| analyze_findings | Deep-dive analysis of a single pentest's findings, producing a prioritized remediation plan with effort estimates and retest commands |
| compare_pentests | Diff two pentests on the same target — shows what's new, what's been fixed, and what's still unresolved |
| security_posture | Executive briefing across your 5 most recent pentests: risk trends, highest-risk targets, and top 3 recommended actions |

Scan tiers

| Tier | Agents | Duration | Price |
|---|---|---|---|
| Recon | 1 | ~30 min | $49 |
| Standard | 4 | ~1 hour | $99 |
| Deep | 10 | ~2 hours | $299 |
| Blitz | 20 | ~4 hours | $699 |

Default tier is standard. Use recon for a quick surface sweep or blitz for maximum coverage on critical assets.

Blockchain attestation

Every completed pentest is anchored on-chain as a tamper-proof attestation. The SHA-256 hash is included in the report and can be independently verified — by you, your customers, or auditors — with no API key required:

You:  "Verify attestation abc123def456..."

turbopentest_verify_attestation returns the scan metadata (tier, agents, duration, risk score, findings summary) alongside the blockchain proof (chain ID, transaction hash, block number, merkle root).

Configuration

| Variable | Required | Default | Description |
|---|---|---|---|
| TURBOPENTEST_API_KEY | Yes | — | API key from turbopentest.com/settings/api-keys |
| TURBOPENTEST_API_URL | No | https://turbopentest.com/api | Override the API base URL (for testing) |

Requirements

  • Node.js 18+
  • A TurboPentest account with at least one verified domain

License

MIT

Configuration

TURBOPENTEST_API_KEY (required, secret)

Your TurboPentest API key for authentication

TURBOPENTEST_API_URL

Custom API base URL (default: https://turbopentest.com/api)

Registry: active
Package: @turbopentest/mcp-server
Transport: STDIO
Auth: Required
Updated: Mar 16, 2026