# pentest-mcp-server MCP server

Offline methodology engine for authorized penetration testing, CTF, and security research.

## Links
- Registry page: https://www.getdrio.com/mcp/io-github-cyanheads-pentest-mcp-server
- Repository: https://github.com/cyanheads/pentest-mcp-server

## Install
- Command: `npx -y @cyanheads/pentest-mcp-server`
- Endpoint: https://pentest.caseyjhand.com/mcp
- Auth: Not captured

## Setup notes
- Package: Npm @cyanheads/pentest-mcp-server v0.1.1
- Environment variable: MCP_LOG_LEVEL (default info)
- Package: Npm @cyanheads/pentest-mcp-server v0.1.1
- Environment variable: MCP_HTTP_HOST (default 127.0.0.1)
- Environment variable: MCP_HTTP_PORT (default 3010)
- Environment variable: MCP_HTTP_ENDPOINT_PATH (default /mcp)
- Environment variable: MCP_AUTH_MODE (default none)
- Environment variable: MCP_LOG_LEVEL (default info)
- Remote endpoint: https://pentest.caseyjhand.com/mcp

## Tools
- pentest_guide (Pentest Guide) - Return a structured attack methodology playbook for the given attack vector and optional target context, for use in authorized penetration testing, CTF, or security research. Covers reconnaissance, enumeration, exploitation, and post-exploitation phases for the vector, filtered to what is relevant given the provided stack and WAF profile. Each phase includes: what to look for, tools to use, common mistakes, detection indicators that would alert defenders, and recommended mitigations. Next-tool suggestions are pre-filled with payload generator and technique lookup calls. Covers 15 vectors via the vector enum. Authorized testing only. Endpoint: https://pentest.caseyjhand.com/mcp
- pentest_analyze_response (Pentest Analyze Response) - Analyze a server response from authorized probing for information leakage, fingerprinting signals, and exploitation opportunities scoped to the authorized engagement. Accepts raw HTTP response headers and body (paste from Burp, curl, or any HTTP client) and returns structured findings grouped by category. Each finding includes: what was detected, why it matters for an authorized tester, how a defender detects misuse, and recommended remediation. Identifies version disclosures, stack traces, debug headers, internal paths, JWT/cookie patterns, CORS misconfigurations, and other common leakage patterns. Use as the bridge between recon/probing output and the methodology and payload tools. Endpoint: https://pentest.caseyjhand.com/mcp
- pentest_lookup_technique (Pentest Lookup Technique) - Look up a MITRE ATT&CK technique by ID or keyword for authorized penetration testing and security research. Returns the full technique record: name, associated tactics, description, detection opportunities (log sources, behavioral indicators), real-world procedure examples from public reporting, recommended mitigations, and related sub-techniques. The detection and mitigation sections make this equally useful for defenders building detection coverage. Accepts exact IDs (T1190, T1059.001) or keyword search (e.g., "sql injection", "pass the hash", "web shell upload"). Endpoint: https://pentest.caseyjhand.com/mcp
- pentest_map_techniques (Pentest Map Techniques) - Given a profile of the authorized test target (technology stack, exposed services, authentication type, OS), return a ranked list of ATT&CK techniques and OWASP test cases most relevant to that profile — not a generic dump of all techniques. Ranking factors: platform match, service match, auth type exposure, technique prevalence. Each result includes why it is relevant to this specific profile, the detection opportunity, and the recommended mitigation. Use when starting an authorized engagement to prioritize the testing scope; pair with pentest_guide to get the full methodology for each top-ranked vector. Endpoint: https://pentest.caseyjhand.com/mcp
- pentest_generate_payloads (Pentest Generate Payloads) - Generate payload templates for authorized testing against systems the tester owns or is permitted to test. Payloads are annotated templates — each includes why it works in the specified context, what vulnerability class it tests, detection signatures that WAF/IDS products might fire, and recommended mitigations. Context-awareness is core: an XSS payload for an HTML attribute differs entirely from one for a JS template literal, and both differ from a DOM-based sink. When a WAF profile is specified, bypass variants reference known public research for that WAF product. All payloads are illustrative templates for authorized testing only. Endpoint: https://pentest.caseyjhand.com/mcp
- pentest_encode (Pentest Encode) - Transform a payload string through one or more encoding layers for bypass research during authorized testing. Accepts a chain of encodings applied in order (e.g., ["unicode", "url", "base64"] applies Unicode → URL-encode → base64). Returns the transformed payload with a step-by-step decoding explanation: how a WAF or server would decode each layer, and why the combined encoding might bypass a specific filter. Use to understand filter bypass mechanics in an authorized engagement and to confirm that a target's decoding pipeline matches an expected bypass path. Payloads are transformed mathematically — no live probing occurs. Endpoint: https://pentest.caseyjhand.com/mcp

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: io.github.cyanheads
- Version: 0.1.1
- Runtime: Npm
- Transports: STDIO, HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 31, 2026
- Source: https://registry.modelcontextprotocol.io