Every tool call is an attack surface. VECTOR finds the gaps. Tool description poisoning, parameter injection, SSRF, data exfiltration, server impersonation, authentication bypass, and registry poisoning — weaponised for authorised red team engagements.
The Model Context Protocol is the emerging standard for AI tool integration. Every major AI framework is adopting it. Nobody is testing whether the implementations are secure. MCP servers are deployed with no authentication, no input validation, no output sanitisation, and no integrity verification. Every tool call is an attack surface — and nobody is looking.
AI agents read tool descriptions and follow them without question. A poisoned description tells the agent to exfiltrate data, read sensitive files, or override its own safety instructions. The agent complies because the description says to. No verification. No integrity check. Just trust.
MCP tool parameters flow from AI agents to system calls with zero sanitisation. Shell injection, path traversal, SQL injection, template injection, argument injection — the entire classic web application attack surface is exposed through a protocol that was never designed for adversarial input.
MCP has no mandatory authentication. Servers accept any connection. Tokens are optional. JWT validation is rare. The protocol specification focuses on capability, not security. The result: 38% of MCP servers have zero authentication.
MCP servers make HTTP requests on behalf of AI agents. Cloud metadata endpoints, internal services, Redis, Elasticsearch, Kubernetes APIs, Docker sockets — all reachable through crafted tool parameters. The MCP server becomes an unwitting proxy into your internal network.
MCP tool registries have no integrity verification. Typosquatting, version confusion, publisher impersonation, dependency confusion — every supply chain attack that plagued npm and PyPI now applies to MCP tool registries. Nobody is checking.
Burp Suite does not understand MCP. OWASP ZAP does not understand MCP. Metasploit does not understand MCP. There is no security testing tool purpose-built for the Model Context Protocol. VECTOR is the first.
VECTOR targets the Model Context Protocol — the emerging standard for AI tool integration. Every MCP server, every tool description, every parameter schema, every authentication flow — all exploitable. VECTOR finds the gaps between what MCP promises and what it actually secures.
Inject malicious instructions into MCP tool descriptions. Manipulate AI behaviour through crafted tool metadata. SHA-256 fingerprinting for tamper detection.
Inject payloads through MCP tool parameters. Exploit insufficient input validation across every classic injection class.
Force MCP servers to make unintended requests. Cloud metadata, internal services, DNS rebinding — all probed systematically.
Extract sensitive data through MCP tool responses. Tests every exfiltration channel the protocol exposes.
Impersonate legitimate MCP servers. Server profile fingerprinting, tool list diffing, and trust chain validation.
Bypass MCP authentication mechanisms. Tests every weakness in the authentication layer — from zero auth to JWT algorithm confusion.
Poison MCP tool registries. Supply chain attacks on tool packages with computational typosquat detection.
Full scan — all 7 subsystems against a target MCP server:
Or target individual subsystems:
Poisoning simulation — test detection against all 14 payloads:
VECTOR produces engagement-grade evidence. Every finding is cryptographically signed with Ed25519. Every evidence item is chained with SHA-256. Every report carries an RFC 3161 timestamp. Tamper with one finding and the entire chain breaks. Designed for court, not just dashboards.
VECTOR's exfil engine scans every MCP tool response for 9 categories of sensitive data leakage. Regex pattern matching detects API keys, bearer tokens, AWS credentials, private keys, JWT tokens, passwords, connection strings, internal paths, and private IP addresses — automatically, on every scan.
VECTOR's SSRF engine does not just probe — it understands network topology. Built-in detection for dangerous service ports, internal IP ranges, metadata endpoints, and protocol scheme abuse. Every URL parameter is analysed before any probe is sent.
VECTOR scores every MCP server with weighted severity analysis and statistical confidence intervals. Five severity levels. A+ to F grading with 13 grade thresholds. Wilson score intervals on vulnerability rates. Scipy-backed statistical rigour — not percentage guesses.
Red Specter LEVIATHAN performs MCP server security assessments — configuration audits, compliance checks, risk scoring. VECTOR is different. VECTOR is the red team tool that actually exploits MCP servers. It injects, poisons, impersonates, exfiltrates, and bypasses. Assessment tells you what could go wrong. VECTOR proves it.
VECTOR is one stage in the NIGHTFALL AI attack pipeline. VECTOR compromises the MCP protocol layer. LAZARUS persists in memory. SERPENT poisons reasoning chains. JANUS bypasses guardrails. Together, they own the entire AI tool integration stack.
Compromise MCP tools, then persist the backdoor in AI memory. The agent keeps using the poisoned tool across sessions.
Poison tool descriptions to inject reasoning corruption. The agent's chain-of-thought follows attacker-controlled logic.
Use MCP tool responses to feed guardrail bypass payloads. The tool output becomes the jailbreak delivery mechanism.
Export every finding directly to your SIEM. Native format translation. Ed25519 signatures and RFC 3161 timestamps preserved across every export. Every finding includes tool name, subsystem, severity, risk score, grade, payload, response, remediation, and full metadata.
vector scan --target http://mcp-server:3000 --export-siem splunk
Every payload, every detection pattern, every scoring algorithm, every evidence chain — written from scratch in pure Python. Pydantic configuration. httpx for async MCP client communication. Typer CLI. Rich terminal output. Zero subprocess calls. Zero external tool dependencies.
Standard mode detects. UNLEASHED exploits. Ed25519 crypto. Dual-gate safety. One operator. Every UNLEASHED finding is tagged with [UNLEASHED] prefix, dry-run flag, and full audit trail via the override context logger.
Maps MCP attack surfaces. Identifies vulnerable tool descriptions, parameter schemas, authentication gaps, and registry weaknesses. No exploitation. Reports only.
Plans full MCP exploitation campaigns. Shows exactly what would work — poisoned descriptions, injectable parameters, SSRF routes, exfiltration paths. Ed25519 required. No execution.
Cryptographic override. Private key controlled. One operator. Founder's machine only. Full exploitation with signed evidence chain and SIEM export.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
VECTOR supports all three MCP transport mechanisms. stdio for local servers. Server-Sent Events for streaming connections. Streamable HTTP for the latest MCP specification. Configurable authentication headers, custom endpoints, concurrency control, and request delays for stealth scanning.
Local MCP servers. Process stdin/stdout communication. Default transport for most MCP implementations.
Server-Sent Events. Streaming HTTP connections. Long-running tool calls with real-time progress updates.
Latest MCP spec. Full HTTP request/response with streaming support. Configurable endpoints: /tools, /execute, /sampling.
Red Specter VECTOR is intended for authorised security testing only. Unauthorised use against systems you do not own or have explicit permission to test may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Always obtain written authorisation before conducting any security assessments. Every VECTOR execution is Ed25519 signed and logged. Apache License 2.0.
7 subsystems. 75 attack vectors. 172 tests. MCP protocol exploitation. The tool that proves your AI tool integrations are not safe.