JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 141
  • Score
    100M100P100Q70994F
  • License MIT

MCP server for TurboPentest — AI-powered penetration testing from your coding assistant

Package Exports

  • @turbopentest/mcp-server
  • @turbopentest/mcp-server/dist/index.js

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@turbopentest/mcp-server) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

@turbopentest/mcp-server

MCP server for TurboPentest — run AI-powered penetration tests and review findings from your coding assistant.

Setup

1. Get your API key

Create an API key at turbopentest.com/settings/api-keys.

2. Add to your MCP client

Claude Desktop (claude_desktop_config.json):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Claude Code (.mcp.json in your project root):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Cursor (Settings > MCP Servers > Add):

{
  "command": "npx",
  "args": ["@turbopentest/mcp-server"],
  "env": {
    "TURBOPENTEST_API_KEY": "tp_live_..."
  }
}

Tools

Tool Description
start_pentest Launch a pentest against a verified domain. Supports recon/standard/deep/blitz tiers and optional GitHub repo for white-box scanning.
get_pentest Get full scan details: status, progress, findings summary, executive summary, attack surface map, STRIDE threat model.
list_pentests List all your pentests with status and finding counts. Filter by status, limit results.
get_findings Get structured vulnerability findings with severity, CVSS, CWE, PoC, remediation, and retest commands. Filter by severity.
download_report Download a pentest report as markdown (best for AI), JSON, or PDF.
get_credits Check your credit balance and available scan tiers with pricing.
verify_attestation Verify a blockchain-anchored pentest attestation by hash (public, no API key required).
list_domains List your verified domains and their verification status.

Prompts

Built-in prompts for common workflows. Your AI assistant can use these to guide multi-step operations.

Prompt Description
analyze_findings Deep-dive analysis of a pentest's findings with prioritized remediation plan
compare_pentests Diff two pentests to track what's new, fixed, and persistent across tests
run_pentest Guided full-lifecycle pentest: domain check, credit verification, launch, monitoring, and summary
security_posture Executive summary of overall security posture across all recent pentests

Scan Tiers

Tier Agents Duration Price
Recon 1 30 min $49
Standard 4 1 hour $99
Deep 10 2 hours $299
Blitz 20 4 hours $699

Example

You:    "Run a pentest on staging.example.com"
Claude: Calls start_pentest → "Started pentest tp_abc123, 4 agents, ~1 hour"

You:    "How's it going?"
Claude: Calls get_pentest → "60% complete, 3 findings so far (1 high, 2 medium)"

You:    "Show me the high severity findings"
Claude: Calls get_findings(severity: "high") → Shows SQL injection details with PoC and remediation

Configuration

Environment Variable Description Default
TURBOPENTEST_API_KEY Your TurboPentest API key (required)
TURBOPENTEST_API_URL Custom API base URL (for testing) https://turbopentest.com/api

Requirements

License

MIT