MCP server

What is MCP?

MCP (Model Context Protocol ) is a communication standard that allows AI assistants (e.g., Claude, ChatGPT, Gemini) to connect with external tools and services.

What is the Fluid Attacks MCP server?

Fluid Attacks’ MCP implementation is a software component that allows AI systems to connect and work with the Fluid Attacks platform over the Internet. Thanks to this integration, you can query the platform using natural language without leaving your preferred AI tool. Examples of what you can do with it:

• Monitor your security posture: Get real-time information about vulnerabilities in your applications
• Run security scans: Execute automated security tests on your code
• Investigate vulnerabilities: Dive deep into security issues and understand them better
• Get remediation guidance: Receive step-by-step instructions to fix security problems
• Access knowledge base: Search through Fluid Attacks’ security documentation
• Manage your projects: View and organize your security testing projects

Key terms

• Group: A security testing project (e.g., “MobileApp” or “WebPortal”)
• Weakness: A type of vulnerability (e.g., SQL Injection)
• Vulnerability: A specific instance of a security issue in your code
• Root: What you’re testing (code repo, website, IP address)
• SAST: Scanning source code for security issues
• SCA: Checking dependencies for known vulnerabilities
• Forces: Automated security checks in your CI/CD pipeline
• Treatment: How you’re handling a vulnerability (fixing, accepting, etc.)

Core architecture

MCP Server (mcp/)

Exposes the Fluid Attacks platform capabilities as MCP tools:

• Vulnerability management (query, filter, analyze)
  • fetch_group_weaknesses
  • fetch_weakness_vulnerabilities
  • get_vulnerability_details
  • get_group_weaknesses_report
• Analytics and reporting (risk metrics, trends)
  • get_organization_analytics
  • get_group_analytics
• Asset discovery (Git roots, IP roots, URL roots)
  • get_group_git_roots
  • get_group_ip_roots
  • get_group_url_roots
  • fetch_group_root_vulnerabilities
• DevSecOps integration (Forces agent, CI/CD)
  • get_devsecops_agent_executions
  • get_unsolved_events
• Organization and group management
  • get_organization_groups
  • get_organization_groups_information
  • get_group_information
  • get_group_remediation_information
  • get_group_weaknesses_overview
• Knowledge base search (Kendra integration)
  • search_related_articles
  • get_articles
• Prompts for common workflows (scanners, reports, GitHub CI)
  • run_sca_scanner
  • run_sast_scanner
  • run_sca_and_sast_scanners
• GraphQL queries to the Fluid Attacks API
  • query
  • describe_graphql_type

FastAPI application (app/)

REST API endpoints:

• /streaming - Streaming conversation endpoint
• /conversation_context_request - Retrieve conversation history
• /reset_conversation_context - Clear conversation history
• /_used_tools - Get tools used in conversations (Used for evaluation)
• /health - Health check

MCP server mounted at /mcp

AI Agent system (agent/)

• Streaming conversation handling
• Memory management with chat caching (Valkey/Glide)
• Conversation resumption
• Guardrails for safe interactions
• Multi-model support (Claude Sonnet 4.5, Sonnet 4, Haiku)

Key features

• Read-only access: queries platform data; no modifications
• Multi-language support: responds in the user’s language
• Conversation memory: maintains context across interactions
• Streaming responses: real-time streaming
• Observability: Logfire tracing and Bugsnag error tracking
• Security: token-based authentication with user validation

Key capabilities of our MCP

• Analytics: See security trends and metrics
  • Usage example: “Show risk over time for the organization ORGANIZATION_NAME.”
• Vulnerabilities: Find and track security issues
  • Usage example: “List all XSS-related vulnerabilities in the group GROUP_NAME.”
• Projects: Manage security testing projects
  • Usage example: “What is the configuration of each group in the organization ORGANIZATION_NAME?”
• Assets: View tested applications and code
  • Usage example: “List Git repositories of the group GROUP_NAME that are being scanned for security issues.”
• Scanning: Run automated security tests
  • Usage example: “Scan my dependencies.”
• DevSecOps: Monitor pipeline security checks
  • Usage example: “Show the latest scan results for the group GROUP_NAME.”
• Knowledge: Search security documentation
  • Usage example: “How to fix SQLi reported in the group GROUP_NAME?”

More usage examples

You can ask our AI Agent  or configure our MCP server  to perform the following actions (we list the objective along with which prompt to use):

• Check daily status: “Show me today’s security summary for the organization ORGANIZATION_NAME.”
• Before deploying: “Run a complete security scan.”
• Assign work to team: “List all untreated vulnerabilities by priority for the group GROUP_NAME.”
• Learn about an issue: “Explain [vulnerability type] reported in the group GROUP_NAME.”
• Track progress: “Show remediation metrics for this sprint for the group GROUP_NAME.”
• Compliance reporting: “Generate a vulnerability report by severity for the group GROUP_NAME.”
• Verify automation: “Show latest CI/CD security scan results in the group GROUP_NAME.”
• Understand a finding: “Get details for vulnerability VULNERABILITY_UUID/NAME in the group GROUP_NAME.”
• Check dependencies: “Scan my packages for vulnerabilities.”
• Review a project: “Show me all information for the group GROUP_NAME.”

Technology stack

• FastAPI for the web framework
• http-mcp for the MCP server implementation
• Pydantic AI with Bedrock for LLM integration
• Rath for GraphQL client operations
• Valkey/Glide for conversation caching
• LangSmith for tracing and monitoring

Further reading

• How to install the MCP  and how to integrate our scanners into your SDLC using AI 
• MCP capabilities and how to use them 
• How to install Docker  (prerequisite to run the scanners)