Public research and training
GitHub proof buyers can inspect before they talk to us.
Our MCP security work is public and practitioner-led — including the
MCP Server Pentesting
MCP server security testing
Your MCP servers connect AI assistants to databases, file systems, and internal APIs. We test whether an attacker can exploit that connection.
Fixed scope. Tool-by-tool evidence. Retest included within 30 days.
157+
GitHub stars on vulnerable-mcp-servers-lab
9
MCP vulnerability categories documented
13
Phase testing methodology
Checklist
Authors of the public MCP pentesting checklist
What's at risk
MCP turns model output into system access.
MCP servers let assistants invoke tools, read resources, and act on connected systems. When those servers are vulnerable, prompt-layer attacks can become database queries, file reads, internal API calls, or workflow actions.
Command injection through tool parameters
Context poisoning via hidden instructions in tool descriptions
Data exfiltration through side channels
Tool shadowing - malicious tool overrides a trusted one
Privilege escalation via tool chaining
Authentication hijacking through OAuth/token flaws
What we test
Six MCP security domains, tested against your implementation.
Each domain maps to a concrete failure mode in MCP deployments: transport trust, unsafe tools, prompt-to-tool abuse, resource exposure, credential handling, and supply chain trust.
1
Transport & Connection Security
We test stdio, HTTP, and SSE transport boundaries for tampering, replay, exposure, and unsafe trust assumptions.
2
Tool Safety & Parameter Validation
We exercise every tool parameter for command injection, traversal, SSRF, unsafe parsing, and missing validation.
3
Prompt Injection & Data Leakage
We trace whether malicious content can change model behavior, expose secrets, or leak data through tool outputs.
4
Resource Access Controls
We verify which files, databases, APIs, and tenant resources the server can reach and whether boundaries hold.
5
OAuth & Credential Hygiene
We review scopes, token storage, refresh flows, logs, and multi-user isolation for credential abuse paths.
6
Supply Chain & Trust
We check package provenance, dependency exposure, tool registration integrity, and malicious-server assumptions.
Our credibility
We don't just test MCP servers. We built the tools the industry uses to learn about MCP security.
Our assessment approach is grounded in public research, intentionally vulnerable labs, and hands-on tooling for real MCP server behavior. That means the test plan is not a generic AI checklist with MCP wording added later.
9 documented vulnerability categories
Tool poisoning Rug pull attacks Tool shadowing Command injection Prompt injection Context poisoning Data exfiltration OAuth abuse Supply chain compromise
See the deliverable
Inspect the evidence format before you commission the assessment
MCP buyers usually need proof of two things before they commit: protocol-specific depth and reporting quality that will stand up in internal review. This section makes both visible.
Report format
The evidence standard is report-first and tool-specific
MCP engagements follow the same reporting discipline as our product security work, with tool-by-tool matrices, prompt-to-tool traces, and connected-resource notes added where the protocol creates extra risk.
- Tool-by-tool coverage matrix with parameters, transport, and resource notes
- Prompt-to-tool attack narratives that show how the exploit path actually works
- OAuth, token, and connected-resource review tied to affected servers
- Retest evidence for the fixes that matter to your reviewers
Preview the sample report
Redacted product-security sample. MCP engagements use the same evidence standard with additional tool-level matrixing and protocol-specific traces.
Protocol-specific depth
The MCP research is visible in public before the statement of work
This is the advantage of a specialist practice: the public research, labs, and tooling already show how the team thinks about the protocol before any buyer is asked to trust the pitch.
pentesting-mcp-servers-checklist
23+ starsThe public checklist used by security teams worldwide
vulnerable-mcp-servers-lab
157+ starsTraining lab with intentionally vulnerable MCP servers
mcp-client-and-proxy
12+ starsInterception tooling for stdio-based MCP servers
Maintained by the Appsecco research team as public practitioner assets.
Assessment artifacts
What an MCP review package should actually contain
A specialist MCP assessment should leave behind artifacts that engineering, security, and buyers can all use without reinterpreting the findings from scratch.
Tool matrix
Per-tool coverage showing tested parameters, high-risk paths, and where the exposure sits.
Attack path
Prompt-to-tool and tool-to-resource narratives that make exploitability easy to defend.
Boundary review
Auth, token, resource, and tenant boundary notes tied to the affected server or tool.
Fix verification
A clear retest record for the issues your team closes before launch or customer review.
These artifacts are designed so engineering, security, and customer-facing reviewers can inspect the same evidence.
Why buyers check this first
The same practice that maintains the checklist, lab, and interception tooling runs the client assessment. That matters because protocol-specific depth is easiest to judge before the statement of work is signed.
How it works
A focused MCP assessment from map to verified fixes
We start with the actual servers and tools you run, then test the places where AI interpretation meets system access.
Step 1
Map the environment
Enumerate servers, tools, resources, transport, auth, and runtime boundaries.
What happens
We build an inventory of MCP servers, exposed tools, resource permissions, trust boundaries, transport modes, and authentication flows.
What you do
Share the server list, access paths, architecture notes, and rules of engagement.
What we do
Confirm the test matrix and mark the highest-risk tool and data paths before active testing starts.
What comes next
A clear assessment map anchors every finding to the server, tool, and resource it affects.
Step 2
Test every tool
Run injection, traversal, SSRF, and unsafe parsing checks on each parameter.
What happens
Each tool is exercised with adversarial inputs, malformed requests, boundary bypass attempts, and chained tool-call scenarios.
What you do
Provide safe test data or staging access where destructive behavior must be avoided.
What we do
Record reproducible evidence and separate exploitable issues from defensive noise.
What comes next
You receive a tool-by-tool matrix that makes remediation ownership clear.
Step 3
Test the data flow
Probe prompt injection at every stage of the prompt, resource, tool, and response pipeline.
What happens
We test whether hidden instructions, tool descriptions, resource content, and retrieved data can alter behavior or leak information.
What you do
Identify sensitive data classes, tenant boundaries, and content sources in scope.
What we do
Trace attack paths through model context, tool outputs, side channels, and downstream systems.
What comes next
Findings show how data moves, where trust is misplaced, and how to reduce exposure.
Step 4
Review credentials and auth
Assess secret storage, token handling, OAuth flows, scopes, and tenant isolation.
What happens
We inspect how credentials are stored, passed, logged, refreshed, scoped, and isolated across users and servers.
What you do
Share the intended permission model and any constraints for tokens or connected services.
What we do
Look for scope creep, token leakage, replay paths, weak OAuth assumptions, and auth confusion.
What comes next
Credential findings include least-privilege recommendations and validation steps.
Step 5
Verify supply chain
Audit dependencies, package provenance, and tool registration integrity.
What happens
We review installed MCP packages, dependency vulnerabilities, malicious-server assumptions, and whether registered tools can be trusted.
What you do
Provide package manifests, deployment details, and approved source locations.
What we do
Check provenance, dependency risk, update posture, and integrity controls around server registration.
What comes next
You receive a defensible inventory and prioritized fixes for trust and dependency gaps.
3-5 days for a single server
5-10 days for multi-server ecosystems
Retest included within 30 days
Who this is for
MCP testing matters when AI assistants can reach systems that were never designed to be prompt-facing.
Building MCP servers
You are shipping integrations to customers and need confidence that exposed tools cannot be abused.
You receive:
Tool-by-tool assessment matrix with reproducible findings
Deploying AI assistants internally
You are connecting assistants to internal tools, files, databases, or workflows used by your team.
You receive:
Access boundary review and configuration recommendations
Shipping AI features
You are embedding AI capabilities in a product and need evidence for customers, security, or leadership.
You receive:
Integration security report with attack-path narratives
Pricing
Fixed pricing for MCP server security testing.
Scope depends on the number of servers, exposed tools, connected resources, tenant model, and auth complexity.
Scope
Price
Duration
Single MCP server (< 10 tools)
$3,500-$5,000
3-5 days
Multi-server (2-5 servers)
$7,500-$12,500
5-7 days
Enterprise (5+ servers, multi-tenant)
From $15,000
7-10 days
Add-on to existing pentest
$2,000-$3,500
1-2 days
Fixed price. No hourly. Quote in 48 hours. Retest included within 30 days.
What you get
Report artifacts your engineers can act on.
The output is built for remediation, review, and proof. You get the attack path, the affected tool or resource, and the specific change needed to close the issue.
Executive summary with prioritized findings
Technical report with attack-path narratives
Tool-by-tool assessment matrix
Remediation guidance specific to your MCP framework
Supply chain audit results
Verification letter / attestation on request
Walkthrough call included
One free retest within 30 days
MCP security testing FAQ
What is included in an MCP server assessment?
We test the server transport, every exposed tool, prompt-to-tool data flow, resource boundaries, OAuth and token handling, and the supply-chain assumptions around installed MCP packages and registered tools.
Do you test custom MCP servers or only public frameworks?
Both. We assess internally built MCP servers as well as framework-based deployments, provided they implement the protocol and can be exercised in a controlled environment.
Can you review both the MCP server and the connected AI feature in one engagement?
Yes. If your product includes both model-facing application logic and MCP servers, we can scope them together so the report covers the full prompt, tool, auth, and data path.
What access do you need to test MCP safely?
We usually start with staging access, architecture notes, and enough credentials to exercise the in-scope tools. If production validation is necessary, the exact boundaries and safe methods are agreed before testing starts.
What does the final deliverable look like?
You receive a report with prioritized findings, tool-by-tool coverage, attack-path narratives, remediation guidance tied to your MCP stack, and a retest window so fixes can be verified.
Explore the MCP security surface
Related MCP security services and resources
Continue from the concept into testing scope, implementation risks, tools, and adjacent AI security topics.
Service
AI & MCP Security Testing
Product security testing for AI apps, agent workflows, MCP tools, prompts, and connected data sources.
Guide
MCP Security Testing Checklist for Buyers
A buyer-facing guide for evaluating MCP assessment scope, vendor depth, reporting quality, and protocol-specific coverage.
Guide
AI Agent Security Testing vs MCP Security Testing
Clarify when the risk lives in the agent workflow, the MCP server boundary, or both.
Glossary
Prompt Injection
How malicious instructions enter prompts through users, documents, retrieved content, and tool output.
Glossary
AI Agent Security
Security controls for agents that use tools, memory, approvals, and connected workflows.
Glossary
LLM Security
Risks and controls for LLM applications, RAG systems, embeddings, and model-connected workflows.
Tool
MCP Pentesting Checklist
Open-source checklist for reviewing MCP server security, tool safety, auth boundaries, and data exposure paths.
Tool
Universal MCP Client
Appsecco testing client and proxy for exercising MCP servers during security reviews.
Tool
Vulnerable MCP Servers Lab
Intentionally vulnerable MCP servers for learning attack paths and validating defensive controls.
Safe next step
Test your MCP servers
before someone else does
Share what your MCP servers can reach and how they are used. We will outline a scoped assessment, answer questions, and give you a fixed quote before any work begins.
Start a conversationor download the MCP pentesting checklist first
No sales pressure
Fixed pricing
You decide pace