AI agent vulnerability scanning — MCP & API
Give your AI agent the ability to run real security scans. Vulny exposes its scanner as a Model Context Protocol (MCP) server, so agents in Claude, Cursor and other MCP-compatible clients can scan the domains and IPs you own and return prioritised, CVE-matched findings — billed per scan with prepaid credits. No dashboard, no account setup: the agent does everything through a few tools.
Connect your agent (MCP)
Add the Vulny MCP server to any MCP-compatible client and authenticate with your API key:
MCP endpoint: https://agent-api.vulny.app/mcp
Authorization: Bearer vlna_your_key
To get a key, your agent calls the register tool with your company email; Vulny emails a one-time link that reveals the key. The same tools are also available as a plain REST API at the same host if you prefer raw HTTP.
Skill files and install docs (SKILL.md, README) are open-source on GitHub: github.com/vulny-app/vulny-agent-scan.
What your agent can do
The server exposes a small set of tools the agent calls directly — it follows the status returned by run_scan until a scan starts:
- run_scan(target) — start a scan; walks the agent through domain verification and payment, then returns a scan id
- get_scan_status(scan_id) — poll progress through each phase (ports → web → API discovery)
- get_scan_report(scan_id, format) — fetch findings as a colour table, JSON or PDF
- buy_credits(package) — buy a credit pack upfront (returns a Stripe checkout link)
- get_balance() — remaining credits and verified domains
- register / recover_key — obtain or rotate your API key by email
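The call sequence described above, as an added example that is not Vulny's own code: each tool invocation is an MCP JSON-RPC tools/call request sent with the Bearer header, and the client polls get_scan_status before fetching the report. Assumptions not taken from this page: result payloads are JSON text with scan_id and status fields, the status value "done", format="json", and the make_fake_send transport, which stands in for an already initialised MCP session with a verified domain and available credits.

```python
import json
from itertools import count

_ids = count(1)  # JSON-RPC request ids

def auth_headers(api_key):
    # Sent to https://agent-api.vulny.app/mcp; the Accept value is what MCP Streamable HTTP expects.
    return {"Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json, text/event-stream"}

def tool_call(name, **arguments):
    """Build an MCP JSON-RPC 2.0 tools/call request for one tool."""
    return {"jsonrpc": "2.0", "id": next(_ids), "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

def tool_text(response):
    """Join the text content of a tools/call result; raise on either error kind."""
    if "error" in response:                      # protocol-level JSON-RPC error
        raise RuntimeError(response["error"].get("message", "JSON-RPC error"))
    result = response["result"]
    text = "".join(c["text"] for c in result.get("content", []) if c.get("type") == "text")
    if result.get("isError"):                    # tool-level failure reported in-band
        raise RuntimeError(text)
    return text

def run_and_fetch(send, target, max_polls=20):
    """run_scan -> get_scan_status -> get_scan_report. ASSUMED: JSON text payloads
    with "scan_id" and "status" fields, a "done" status and format="json"."""
    scan_id = json.loads(tool_text(send(tool_call("run_scan", target=target))))["scan_id"]
    for _ in range(max_polls):                   # a real client sleeps between polls
        state = json.loads(tool_text(send(tool_call("get_scan_status", scan_id=scan_id))))
        if state["status"] == "done":
            return tool_text(send(tool_call("get_scan_report", scan_id=scan_id, format="json")))
    raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")

def make_fake_send(done_after=3):
    """Constructed stand-in for an initialised MCP session; not Vulny's real replies."""
    polls = count(1)
    def send(request):
        name = request["params"]["name"]
        body = {"findings": []}                  # constructed get_scan_report payload
        if name == "run_scan":
            body = {"scan_id": "scan-demo-1"}    # constructed id
        elif name == "get_scan_status":
            body = {"status": "done" if next(polls) >= done_after else "running"}
        return {"jsonrpc": "2.0", "id": request["id"],
                "result": {"content": [{"type": "text", "text": json.dumps(body)}]}}
    return send
```

Treating isError results and JSON-RPC errors as exceptions keeps a failed tool call from being parsed as a scan result.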
You can only scan what you own
Before the first scan of a domain, Vulny verifies you control it — by a DNS TXT record, a /.well-known/vulny.txt file, or a one-time link emailed to an address on that domain. Your account email must match the domain being scanned, and public email providers are rejected. IP scans are allowed only after the matching domain is verified.
Scans are non-destructive. You may only scan assets you own or are authorised to test — see our Terms of Service and Acceptable Use Policy.
Pricing — 1 credit = 1 scan
Credits are prepaid and one credit runs one full scan. Larger packs cost far less per scan:
- Single — 1 scan — €159
- Starter — 10 scans — €299
- Pro — 50 scans — €499
- Business — 100 scans — €699
- Enterprise — 500 scans — €1,599
What a scan finds
Each scan maps open ports and running services, matches them against a detection database of 357,755+ vulnerability tests — enriched with CVSS severity, CISA KEV (known-exploited) and EPSS exploit probability — and tests web apps and APIs for OWASP-class issues, exposed files, shadow endpoints and weak TLS. Findings come back prioritised by real-world risk.
Payment is handled by Stripe; a saved card lets your agent top up automatically when it runs out of credits. A credit is refunded if a scan fails on our side. Prefer CI/CD or raw HTTP? See the API documentation and DevSecOps pipeline.
Frequently asked questions
What is MCP vulnerability scanning?
MCP (Model Context Protocol) is an open standard for connecting tools to AI agents. Vulny runs an MCP server so an LLM agent can start a real vulnerability scan, track its progress and fetch a report without leaving the conversation. You connect it once with an API key and the agent calls the scan tools directly.
How do I add Vulny scanning to my Claude or Cursor agent?
Add the MCP server URL https://agent-api.vulny.app/mcp to your MCP-compatible client and set an Authorization: Bearer header with your API key. To get a key, the agent calls the register tool with your company email and you open the one-time link Vulny sends you.
How much does an agent scan cost?
Scans use prepaid credits where 1 credit = 1 scan. A single scan is €159, and larger packs are cheaper per scan: 10 scans for €299, 50 scans for €499, 100 scans for €699, 500 scans for €1,599. Payment is via Stripe and a saved card can top up automatically.
Can an AI agent scan any website?
No. You can only scan domains and IPs you own or are authorised to test. Vulny verifies domain ownership once — via a DNS TXT record, a /.well-known/vulny.txt file or an emailed link — requires your account email to match the domain, and rejects public email providers. IP scans need a verified matching domain first.
What does an agent scan detect?
Open ports and service versions matched against 357,755+ vulnerability tests enriched with CVSS, CISA KEV and EPSS, plus web and API tests for OWASP-class issues, exposed files, shadow APIs and weak SSL/TLS — all returned prioritised by real-world risk.
Is the API only usable through an AI agent?
No. The MCP server is the easiest way to use it from an agent, but every tool is also a plain REST endpoint on https://agent-api.vulny.app, so you can call it from scripts or your own backend with the same API key.