Open Source

Security tools we build and share.

We publish the training materials, testing tools, and checklists we use in our own work — covering application security, cloud infrastructure, Kubernetes, and API testing. These projects reflect the same approach we bring to client engagements: practical, well-documented, and focused on real-world security.

2,000+ GitHub Stars

6 Active Projects

10+ Years of Contributions

Used by security teams at companies like yours for training, testing, and reference. Over 10 years of building and maintaining open-source security tools.

Cloud Security

Training and tools for AWS, Azure, and cloud infrastructure security testing.

All projects are available on github.com/appsecco

Why We Build in Public

Security testing keeps changing. New frameworks appear, cloud providers ship features faster than documentation, and AI integrations introduce attack surfaces that didn't exist a year ago. Keeping up is hard — for everyone, including us.

We publish these tools because building them helps us understand new territory deeply. When we create a vulnerable lab for MCP servers, we're forcing ourselves to map out the attack surface systematically. When we write a testing checklist, we're codifying what we've learned across dozens of engagements.

This approach benefits security teams who use these resources for training and reference. But it also benefits our testing work — the same rigor that produces a useful open-source tool produces a thorough security assessment.

The MCP pentesting checklist, for example, emerged from our first several AI agent security tests. We noticed patterns, documented them, and made the checklist public. Now other teams can learn from that work, and we have a structured foundation for every new engagement.

Work with us

Work with the team behind the tools. No commitment required.

The expertise that built these open-source resources is available for your product security testing — apps, APIs, cloud infrastructure, and AI integrations. Testing is scoped, scheduled around your team, and designed to fit into your workflow.

Start a Conversation

or view a sample report first

No sales pressure
Fixed pricing, no surprises
You decide the pace