MCP Server

Overview

Pensar provides a remote Model Context Protocol (MCP) server that lets AI tools interact directly with your Pensar workspace. Through MCP, you can list projects, launch pentests, review security issues, and retrieve auto-generated fixes using tools like Claude Code, Desktop, or Web, or even directly in Slack.

MCP is an open standard that allows AI assistants to connect to external tools and data sources. Pensar’s MCP server implements the Streamable HTTP transport so it works with any MCP-compatible client.

Prerequisites

Before connecting an MCP client to Pensar you need:

  • A Pensar Console account at console.pensar.dev
  • At least one workspace with a connected project
  • An MCP-compatible client (e.g., Claude Desktop, Claude Code, Cursor, Windsurf)

Server URL

The Pensar MCP server is available at:

https://api.pensar.dev/mcp

Authentication

The Pensar MCP server uses OAuth 2.0 for authentication, following the MCP Authorization specification (2025-03-26). When you first connect, your MCP client will open a browser window where you sign in with your Pensar Console credentials. After signing in, the client receives a token and uses it automatically for all subsequent requests.

Most MCP clients handle the OAuth flow automatically. You do not need to create or manage API keys; just sign in.

Setup

  1. Open Claude Code by running claude in your terminal
  2. Add the Pensar MCP server:
     $ claude mcp add Pensar --transport http https://api.pensar.dev/mcp
  3. Run the /mcp command. You’ll see Pensar with a “needs authentication” status
  4. Select it and choose Authenticate to sign in with Pensar in your browser

Available Tools

The Pensar MCP server exposes the following tools to your AI coding agent:

Projects

List all projects in your workspace.

Parameters: None

Returns: A list of projects with their IDs, names, and sources.

Example prompt: “List all my Pensar projects.”

Scans

List all scans for a given project.

Parameters:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| projectId | string | Yes | Project ID to list scans for |

Returns: A list of scans with their IDs, labels, statuses, scan types, branches, and timestamps.

Example prompt: “Show me the scans for project abc-123.”

Get detailed information about a specific scan.

Parameters:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| scanId | string | Yes | Scan ID to retrieve details for |

Returns: Detailed scan information including project name, status, error messages, issue count, and whether a report is ready.

Example prompt: “What’s the status of scan xyz-789?”

Launch a Pensar security pentest against a project. The scan is queued and executed asynchronously.

Parameters:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| projectId | string | Yes | Project ID (UUID). Use list_projects to find it. |
| branch | string | No | Target branch to scan. Defaults to the repository’s default branch. |
| scanLevel | string | No | Scan depth: "priority" for a quick check or "full" for comprehensive analysis. Defaults to "priority". |

Returns: The queued scan’s ID, label, and status.

Example prompt: “Run a full pentest on my backend project against the main branch.”

Issues

List security issues with optional filtering.

Parameters:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| projectId | string | Yes | Project ID to list issues from |
| scanId | string | No | Filter by scan ID |
| status | string | No | Filter by issue status (e.g., "open", "closed") |
| severity | string | No | Filter by severity ("critical", "high", "medium", "low") |
| branch | string | No | Filter by git branch |

Returns: A list of issues with their IDs, titles, severities, statuses, and file locations.

Example prompt: “Show me all critical open issues for project abc-123.”

Get detailed information about a specific security issue.

Parameters:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| issueId | string | Yes | Issue ID to retrieve details for |

Returns: Full issue details including description, affected file and line range, CWE classification, branch, endpoint, proof-of-concept, and project information.

Example prompt: “Give me the details on issue def-456.”

Fixes

List all available fixes for a security issue.

Parameters:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| issueId | string | Yes | Issue ID to list fixes for |

Returns: A list of fixes with their IDs and affected file paths.

Example prompt: “Are there any fixes for issue def-456?”

Get detailed information about a specific fix, including the code diff.

Parameters:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| fixId | string | Yes | Fix ID to retrieve details for |

Returns: The fix details including the file path, a unified diff of the changes, an explanation of what the fix does, and the related issue ID.

Example prompt: “Show me the diff for fix ghi-789.”

Usage Examples

Once connected, you can interact with Pensar through natural language in your AI coding agent. Here are some common workflows:

Run a Security Scan

Ask your agent to launch a pentest and then check the results:

“Run a Pensar pentest on my project and let me know when it finishes.”

The agent will use list_projects to find your project, dispatch_pentest to start the scan, and get_scan to poll for completion.

Review Security Issues

Ask your agent to summarize findings from a recent scan:

“Show me all high and critical issues from my latest scan.”

The agent will use list_scans to find the most recent scan, then list_issues with severity filters to retrieve the relevant findings.

Apply a Fix

Ask your agent to retrieve and apply a recommended fix:

“Get the fix for issue abc-123 and apply it to my codebase.”

The agent will use list_fixes to find available fixes, get_fix to retrieve the diff, and then apply the patch to your local files.
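
The tool calls an agent makes in these workflows can be checked against the parameter tables above before they leave the client, for example in a gateway or audit hook. The sketch below is an added example, not Pensar's code: validate_call and build_request are hypothetical helper names, the pairing of tool names with parameter tables is inferred from the workflows above, and the request body is the standard MCP JSON-RPC tools/call shape.

```python
import json

# Parameter tables transcribed from this page: name -> (required, allowed values or None).
# Assumption: which tool name owns which table is inferred from the Usage Examples.
TOOLS = {
    "list_projects": {},
    "list_scans": {"projectId": (True, None)},
    "get_scan": {"scanId": (True, None)},
    "dispatch_pentest": {
        "projectId": (True, None),
        "branch": (False, None),
        "scanLevel": (False, {"priority", "full"}),
    },
    "list_issues": {
        "projectId": (True, None),
        "scanId": (False, None),
        "status": (False, None),  # the page gives examples only, so not enforced
        "severity": (False, {"critical", "high", "medium", "low"}),
        "branch": (False, None),
    },
    "list_fixes": {"issueId": (True, None)},
    "get_fix": {"fixId": (True, None)},
}

def validate_call(tool, arguments):
    """Return a list of problems; an empty list means the call matches the tables."""
    if tool not in TOOLS:
        return [f"unknown tool: {tool}"]
    spec, problems = TOOLS[tool], []
    for name, (required, _) in spec.items():
        if required and name not in arguments:
            problems.append(f"missing required parameter: {name}")
    for name, value in arguments.items():
        if name not in spec:
            problems.append(f"unexpected parameter: {name}")
        elif not isinstance(value, str) or not value:
            problems.append(f"{name} must be a non-empty string")
        elif spec[name][1] and value not in spec[name][1]:
            problems.append(f"{name}={value!r} not in {sorted(spec[name][1])}")
    return problems

def build_request(tool, arguments, request_id=1):
    """Build the JSON-RPC 2.0 tools/call body MCP uses, refusing invalid calls."""
    problems = validate_call(tool, arguments)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
                       "params": {"name": tool, "arguments": arguments}})
```

Logging the problems list alongside the rejected call gives a record of when an agent attempted a scan or lookup with parameters the server does not document.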

Supported Clients

The Pensar MCP server works with any client that supports the Streamable HTTP transport and OAuth-based authorization. Tested clients include Claude Code, Claude Desktop, Cursor, and Windsurf.

If your preferred client is not listed above, consult its documentation on adding a remote MCP server.
