MCPSec
An AI-driven dynamic protocol fuzzer for the Model Context Protocol (MCP). Prove runtime exploitability by discovering state violations, transport crashes, and application-layer logic flaws (SSRF, LFI) before your AI agents do.
What is MCPSec?
MCPSec is an AI-driven dynamic protocol fuzzer for the Model Context Protocol (MCP). It is a command-line security tool rather than an MCP server you connect a client to: it proves runtime exploitability by discovering state violations, transport crashes, and application-layer logic flaws (SSRF, LFI) before your AI agents do.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- An AI-driven dynamic protocol fuzzer for the Model Context Protocol (MCP)
How to Set Up and Use MCPSec
MCPSec is an AI-driven dynamic protocol fuzzer and security scanner purpose-built for Model Context Protocol servers. It detects over 15 vulnerability classes including command injection, SQL and NoSQL injection, path traversal, SSRF, LFI, deserialization flaws, code execution sinks, and template injection — across nine or more programming languages. Security engineers and developers use it to prove runtime exploitability before deploying MCP servers into production, running it in three modes: static audit of a GitHub repository, live fuzzing of a stdio-transport server, and scanning a server reachable via HTTP.
Prerequisites
- Python 3.9 or later with pip
- An MCP server to test (accessible via stdio command or HTTP endpoint)
- Optional: API key for an AI provider (OpenAI, Anthropic, Google, Groq, DeepSeek, or Ollama) for AI-enhanced fuzzing
- Optional: Nix for the reproducible dependency-locked environment
Install MCPSec from PyPI
Install the base package. Add the [ai] extra to enable AI-powered mutation and triage features that rely on an external LLM.
# Base install (static and protocol fuzzing only)
pip install mcpsec

# With AI features
pip install mcpsec[ai]

Configure an AI provider (optional but recommended)
Run the interactive setup to configure your preferred AI provider. MCPSec uses the provider for intelligent mutation of payloads and to triage findings.
mcpsec setup

Audit a GitHub repository for static vulnerabilities
Point MCPSec at a public GitHub repository containing an MCP server implementation. It will clone, analyse, and report vulnerability classes found in the source code.
mcpsec audit --github https://github.com/user/my-mcp-server

Fuzz a stdio-transport MCP server
Launch a local MCP server via its stdio command and let MCPSec send malformed and adversarial inputs at high intensity to discover runtime crashes and logic flaws.
mcpsec fuzz --stdio "npx @modelcontextprotocol/server-filesystem /tmp" --intensity high

Scan a server exposed over HTTP
For MCP servers that expose an HTTP endpoint, use the --http flag. MCPSec will probe state violations, transport crashes, SSRF, and application-layer logic flaws.
mcpsec scan --stdio "npx @modelcontextprotocol/server-filesystem /tmp"

MCPSec Examples
Client configuration
MCPSec is a CLI security tool rather than an MCP server you connect a client to. The configuration below shows how to integrate it into a CI pipeline via a shell invocation.
{
  "mcpServers": {
    "mcpsec-runner": {
      "command": "mcpsec",
      "args": [
        "audit",
        "--github", "https://github.com/your-org/your-mcp-server"
      ]
    }
  }
}

Prompts to try
CLI commands for common MCPSec security testing workflows.
- mcpsec audit --github https://github.com/your-org/mcp-server
- mcpsec fuzz --stdio "python my_mcp_server.py" --intensity high
- mcpsec scan --stdio "npx @modelcontextprotocol/server-filesystem /tmp"
- mcpsec setup # interactive AI provider configuration
- mcpsec fuzz --stdio "uvx mcp-server-git" --intensity medium

Troubleshooting MCPSec
mcpsec fuzz exits immediately with 'server did not respond to initialize'
The stdio command passed to --stdio must launch a valid MCP server that speaks the JSON-RPC MCP protocol on stdout. Verify the command works standalone first: run it in a terminal and confirm it outputs JSON. If the server requires additional arguments or environment variables, include them in the quoted command string.
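One way to perform the standalone check described above, as an added example that is not part of MCPSec: the command string is launched the same way `--stdio` would launch it, sent a single JSON-RPC `initialize` request, and judged on its first stdout line. The protocol version string and the two stand-in commands are constructed for illustration so the check runs offline.

```python
"""Pre-flight handshake check for a stdio MCP server (added example, not MCPSec code).
Sends one JSON-RPC `initialize` request on stdin and checks that the first stdout
line is a JSON-RPC 2.0 response carrying the same id."""
import json
import subprocess
import sys

INITIALIZE_REQUEST = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
        "protocolVersion": "2024-11-05",  # example version string, constructed
        "capabilities": {},
        "clientInfo": {"name": "preflight-check", "version": "0.0.1"},
    },
}

def check_stdio_server(command, timeout=5.0):
    """Return (ok, detail); ok is True only for a JSON-RPC 2.0 result to our request."""
    proc = subprocess.Popen(command, shell=True, text=True, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    try:  # MCP stdio framing is newline-delimited JSON, one message per line
        out, err = proc.communicate(json.dumps(INITIALIZE_REQUEST) + "\n", timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        return False, "server did not respond to initialize within %.1fs" % timeout
    lines = [ln for ln in out.splitlines() if ln.strip()]
    if not lines:
        return False, "nothing on stdout; stderr: " + err.strip()[:200]
    try:
        msg = json.loads(lines[0])
    except json.JSONDecodeError:
        return False, "first stdout line is not JSON: " + lines[0][:120]
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("id") != 1:
        return False, "not a JSON-RPC 2.0 reply to request id 1"
    if "error" in msg:
        return False, "server rejected initialize: " + json.dumps(msg["error"])
    info = msg.get("result", {}).get("serverInfo", {})
    return True, "initialize ok; server: " + str(info.get("name", "<unnamed>"))

# Constructed stand-ins: a minimal compliant server, and a command that prints plain
# text (the failure mode the troubleshooting entry describes).
FAKE_MCP_SERVER = sys.executable + " -c \"import sys,json; r=json.loads(sys.stdin.readline()); " \
    "print(json.dumps({'jsonrpc':'2.0','id':r['id'],'result':{'protocolVersion':" \
    "r['params']['protocolVersion'],'capabilities':{},'serverInfo':{'name':'fake','version':'0'}}}))\""
NOT_AN_MCP_SERVER = sys.executable + " -c \"print('hello, not json')\""

if __name__ == "__main__":
    for cmd in (FAKE_MCP_SERVER, NOT_AN_MCP_SERVER):
        print(check_stdio_server(cmd))
```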
AI-enhanced features fail with 'no provider configured'
Run 'mcpsec setup' to configure your AI provider interactively, or set the appropriate environment variable (e.g. OPENAI_API_KEY or ANTHROPIC_API_KEY) before running mcpsec. You can also install without [ai] extras if you do not need AI-based mutation.
GitHub audit fails with rate limit or authentication errors
Set the GITHUB_TOKEN environment variable to a personal access token with public_repo read scope. This raises the API rate limit from 60 to 5000 requests per hour, which is needed for large repositories.
Frequently Asked Questions about MCPSec
What is MCPSec?
MCPSec is an AI-driven dynamic protocol fuzzer for the Model Context Protocol (MCP). It proves runtime exploitability by discovering state violations, transport crashes, and application-layer logic flaws (SSRF, LFI) before your AI agents do.
How do I install MCPSec?
Follow the installation instructions on the MCPSec GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with MCPSec?
MCPSec works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is MCPSec free to use?
Yes, MCPSec is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
MCPSec Alternatives — Similar Security Servers
Looking for alternatives to MCPSec? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
- Casdoor (★ 13.6k): An open-source Agent-first Identity and Access Management (IAM) / LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
- ghidraMCP (★ 9.0k): A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
- HexStrike AI (★ 8.9k): HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
- IDA Pro MCP (★ 8.7k): Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
- Anthropic Cybersecurity Skills (★ 6.6k): 754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
- Hooker (★ 5.1k): 🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u