Package Exports
- @turbopentest/mcp-server
- @turbopentest/mcp-server/dist/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (@turbopentest/mcp-server) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
@turbopentest/mcp-server
MCP server for TurboPentest — run AI-powered penetration tests and review findings from your coding assistant.
Setup
1. Get your API key
Create an API key at turbopentest.com/settings/api-keys.
2. Add to your MCP client
Claude Desktop (claude_desktop_config.json):
{
"mcpServers": {
"turbopentest": {
"command": "npx",
"args": ["@turbopentest/mcp-server"],
"env": {
"TURBOPENTEST_API_KEY": "tp_live_..."
}
}
}
}Claude Code (.mcp.json in your project root):
{
"mcpServers": {
"turbopentest": {
"command": "npx",
"args": ["@turbopentest/mcp-server"],
"env": {
"TURBOPENTEST_API_KEY": "tp_live_..."
}
}
}
}Cursor (Settings > MCP Servers > Add):
{
"command": "npx",
"args": ["@turbopentest/mcp-server"],
"env": {
"TURBOPENTEST_API_KEY": "tp_live_..."
}
}Tools
| Tool | Description |
|---|---|
start_pentest |
Launch a pentest against a verified domain. Supports recon/standard/deep/blitz tiers and optional GitHub repo for white-box scanning. |
get_pentest |
Get full scan details: status, progress, findings summary, executive summary, attack surface map, STRIDE threat model. |
list_pentests |
List all your pentests with status and finding counts. Filter by status, limit results. |
get_findings |
Get structured vulnerability findings with severity, CVSS, CWE, PoC, remediation, and retest commands. Filter by severity. |
download_report |
Download a pentest report as markdown (best for AI), JSON, or PDF. |
get_credits |
Check your credit balance and available scan tiers with pricing. |
verify_attestation |
Verify a blockchain-anchored pentest attestation by hash (public, no API key required). |
list_domains |
List your verified domains and their verification status. |
Prompts
Built-in prompts for common workflows. Your AI assistant can use these to guide multi-step operations.
| Prompt | Description |
|---|---|
analyze_findings |
Deep-dive analysis of a pentest's findings with prioritized remediation plan |
compare_pentests |
Diff two pentests to track what's new, fixed, and persistent across tests |
run_pentest |
Guided full-lifecycle pentest: domain check, credit verification, launch, monitoring, and summary |
security_posture |
Executive summary of overall security posture across all recent pentests |
Scan Tiers
| Tier | Agents | Duration | Price |
|---|---|---|---|
| Recon | 1 | 30 min | $49 |
| Standard | 4 | 1 hour | $99 |
| Deep | 10 | 2 hours | $299 |
| Blitz | 20 | 4 hours | $699 |
Example
You: "Run a pentest on staging.example.com"
Claude: Calls start_pentest → "Started pentest tp_abc123, 4 agents, ~1 hour"
You: "How's it going?"
Claude: Calls get_pentest → "60% complete, 3 findings so far (1 high, 2 medium)"
You: "Show me the high severity findings"
Claude: Calls get_findings(severity: "high") → Shows SQL injection details with PoC and remediationConfiguration
| Environment Variable | Description | Default |
|---|---|---|
TURBOPENTEST_API_KEY |
Your TurboPentest API key (required) | — |
TURBOPENTEST_API_URL |
Custom API base URL (for testing) | https://turbopentest.com/api |
Requirements
- Node.js 18+
- A TurboPentest account with API access
License
MIT