Is Turbopentest free?

Yes, Turbopentest is free to use.

How do I install Turbopentest?

Turbopentest is a local plugin. Install it using npm package: @turbopentest/mcp-server and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What credentials does Turbopentest need?

Turbopentest requires the following credentials or environment variables: TURBOPENTEST_API_KEY, TURBOPENTEST_API_URL. You can find setup instructions on the server detail page.

What AI apps work with Turbopentest?

Turbopentest uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

Turbopentest MCP Server

by integsec

SecurityLow Risk10.0Local

Free

AI-powered penetration testing. Launch scans, review findings, download reports.

About

AI-powered penetration testing. Launch scans, review findings, download reports.

Security Report

10.0

Low Risk10.0Low Risk

Valid MCP server (1 strong, 1 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.

12 files analyzed · 1 issue found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

HTTP Network Access

Connects to external APIs or services over the internet.

What You'll Need

Set these up before or after installing:

Your TurboPentest API key for authenticationRequired

Environment variable: TURBOPENTEST_API_KEY

Custom API base URL (default: https://turbopentest.com/api)Optional

Environment variable: TURBOPENTEST_API_URL

How to Install

Add this to your MCP configuration file:

{
  "mcpServers": {
    "io-github-integsec-turbopentest": {
      "env": {
        "TURBOPENTEST_API_KEY": "your-turbopentest-api-key-here",
        "TURBOPENTEST_API_URL": "your-turbopentest-api-url-here"
      },
      "args": [
        "-y",
        "@turbopentest/mcp-server"
      ],
      "command": "npx"
    }
  }
}

Documentation

View on GitHub

From the project's GitHub README.

@turbopentest/mcp-server

MCP server for TurboPentest — launch AI-powered penetration tests, review vulnerability findings, and generate security reports, all without leaving your coding assistant.

What it does

Ask your AI assistant to run a pentest, check progress, and walk you through remediation — the server handles all the API calls. Every completed scan is anchored to the blockchain, giving you a tamper-proof attestation you can share with customers or auditors.

Quick start

1. Get your API key

2. Verify a domain

Before scanning, verify that you own the target domain at turbopentest.com/domains.

3. Add the server to your MCP client

Claude Code (.mcp.json in your project root):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Claude Desktop (claude_desktop_config.json):

{
  "mcpServers": {
    "turbopentest": {
      "command": "npx",
      "args": ["@turbopentest/mcp-server"],
      "env": {
        "TURBOPENTEST_API_KEY": "tp_live_..."
      }
    }
  }
}

Cursor (Settings > MCP Servers > Add):

{
  "command": "npx",
  "args": ["@turbopentest/mcp-server"],
  "env": {
    "TURBOPENTEST_API_KEY": "tp_live_..."
  }
}

Example session

You:    "Run a standard pentest on staging.example.com"
Claude: Checks domain is verified, confirms credit balance,
        calls start_pentest → "Started tp_abc123, 4 agents, ~1 hour"

You:    "Any findings yet?"
Claude: Calls get_pentest → "62% complete — 3 findings (1 high, 2 medium)"

You:    "Show me the high severity ones"
Claude: Calls get_findings(severity: "high") →
        [1] HIGH: SQL Injection in /api/search
            CVSS: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
            CWE: CWE-89
            PoC: POST /api/search?q=' OR 1=1--
            Remediation: Use parameterized queries...
            Retest: sqlmap -u "https://staging.example.com/api/search" ...

You:    "Give me a prioritized remediation plan"
Claude: Uses the analyze_findings prompt → produces a full markdown
        remediation plan grouped by severity and effort

White-box scanning

Pass a GitHub repository URL to start_pentest to enable white-box mode. In addition to black-box testing, the scan will include:

SAST — static code analysis for common vulnerability patterns
Secret detection — leaked API keys, credentials, and tokens in source
SCA — dependency audit for known CVEs

You:  "Pentest staging.example.com, the repo is github.com/myorg/myapp"

Tools

Tool	Description
`turbopentest_start_pentest`	Launch a pentest against a verified domain. Supports four tiers and optional GitHub repo for white-box scanning.
`turbopentest_get_pentest`	Get scan status, progress, findings summary, executive summary, attack surface map, and STRIDE threat model.
`turbopentest_list_pentests`	List all pentests with status and finding counts. Filterable by status.
`turbopentest_get_findings`	Retrieve structured findings with severity, CVSS, CWE, OWASP category, PoC, remediation steps, and retest commands. Filterable by severity.
`turbopentest_download_report`	Download a report in markdown (best for AI), JSON, or PDF format.
`turbopentest_get_credits`	Check your credit balance and available scan tiers with pricing.
`turbopentest_verify_attestation`	Verify a blockchain-anchored attestation by SHA-256 hash. No API key required — public endpoint.
`turbopentest_list_domains`	List your verified domains and their verification status.

Prompts

Built-in prompts guide your AI assistant through multi-step workflows. Invoke them by name in any MCP client that supports prompts.

Prompt	Description
`run_pentest`	Full-lifecycle pentest: domain check → credit verification → launch → progress monitoring → findings summary → report download
`analyze_findings`	Deep-dive analysis of a single pentest's findings, producing a prioritized remediation plan with effort estimates and retest commands
`compare_pentests`	Diff two pentests on the same target — shows what's new, what's been fixed, and what's still unresolved
`security_posture`	Executive briefing across your 5 most recent pentests: risk trends, highest-risk targets, and top 3 recommended actions

Scan tiers

Tier	Agents	Duration	Price
Recon	1	~30 min	$49
Standard	4	~1 hour	$99
Deep	10	~2 hours	$299
Blitz	20	~4 hours	$699

Default tier is standard. Use recon for a quick surface sweep or blitz for maximum coverage on critical assets.

Blockchain attestation

Every completed pentest is anchored on-chain as a tamper-proof attestation. The SHA-256 hash is included in the report and can be independently verified — by you, your customers, or auditors — with no API key required:

You:  "Verify attestation abc123def456..."

turbopentest_verify_attestation returns the scan metadata (tier, agents, duration, risk score, findings summary) alongside the blockchain proof (chain ID, transaction hash, block number, merkle root).

Configuration

Variable	Required	Default	Description
`TURBOPENTEST_API_KEY`	Yes	—	API key from turbopentest.com/settings/api-keys
`TURBOPENTEST_API_URL`	No	`https://turbopentest.com/api`	Override the API base URL (for testing)

Requirements

Node.js 18+
A TurboPentest account with at least one verified domain

License

MIT

Reviews

5.01 rating

integsec1 month ago

Pretty amazing what can be done with AI these days. I just ran a fully automated pentest for $49 that would have easily cost $10k just 2 years ago. Now mom and pop can get enterprise level security at low prices. The best part is after the test was done, I was able to utilize this MCP server to analyze the results and come up with a customized remediation plan. Cool stuff!

More Security MCP Servers

Toleno

Free

by Toleno · Developer Tools

Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.

mcp-creator-python

Free

by mcp-marketplace · Developer Tools

Create, build, and publish Python MCP servers to PyPI — conversationally.

MarkItDown

Free

by Microsoft · Content & Media

Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption

mcp-creator-typescript

Free

by mcp-marketplace · Developer Tools

Scaffold, build, and publish TypeScript MCP servers to npm — conversationally

FinAgent

Free

by mcp-marketplace · Finance

Free stock data and market news for any MCP-compatible AI assistant.

Google Workspace MCP

Free

by Taylorwilsdon · Productivity

Control Gmail, Calendar, Docs, Sheets, Drive, and more from your AI

Turbopentest MCP Server

About

Security Report

Findings (1)

Permissions Required

What You'll Need

How to Install

Documentation

@turbopentest/mcp-server

What it does

Quick start

1. Get your API key

2. Verify a domain

3. Add the server to your MCP client

Example session

White-box scanning

Tools

Prompts

Scan tiers

Blockchain attestation

Configuration

Requirements

License

Reviews

More Security MCP Servers

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent

Google Workspace MCP

Turbopentest MCP Server

About

Security Report

Findings (1)

Permissions Required

What You'll Need

How to Install

Documentation

@turbopentest/mcp-server

What it does

Quick start

1. Get your API key

2. Verify a domain

3. Add the server to your MCP client

Example session

White-box scanning

Tools

Prompts

Scan tiers

Blockchain attestation

Configuration

Requirements

License

Reviews

More Security MCP Servers

Toleno

mcp-creator-python

MarkItDown

mcp-creator-typescript

FinAgent

Google Workspace MCP