Why we built pentest-ai as an MCP server, not just a CLI
The CLI works. The MCP server is what makes it actually useful. Here's the reasoning behind the split, and what changed when we let Claude Code drive.
Notes from the team. How the agent loop works, what scanners miss, what we got wrong.
We pointed pentest-ai at OWASP Juice Shop. Unauthenticated, it found 58 issues. Authenticated, it found four exploit chains scanners typically can't reach. Here's what changed.
Install ptai, register the MCP server, give Claude Code a scope. That's the whole setup. Walking through it with a real target and showing what the conversation looks like.