DEV Community

Mehdi BOUTAYEB
Mehdi BOUTAYEB

Posted on

MCP for offensive security: orchestrating 80+ tools through an MCP host

Model Context Protocol is becoming the clean way for an agent to call tools explicitly. Here is how an MCP host drives real offensive tooling, and how Darkmoon and HexStrike approach it.

Why MCP fits offense

MCP makes every tool call explicit, scoped and logged, which is exactly what offensive work needs for auditability.

HexStrike's approach

0x4m4/hexstrike-ai exposes 150 plus tools to an agent as an MCP server. If you want a broad tool server to plug into your own agent, it is a strong option.

Darkmoon's approach

Darkmoon is an MCP host: it runs the agent loop and the methodology playbooks itself, and drives 80 plus tools through MCP across web, cloud, AD and Kubernetes, with an evidence trail per finding.

Server versus host

A server exposes tools. A host reasons and orchestrates. Depending on whether you are building your own agent or want a ready one, you want one or the other, or both.

Try it

If you are wiring MCP into offensive security, both approaches are open source and worth reading.

Built by pentesters, open sourced for pentesters. Feedback on the methodology and the evidence trail is genuinely welcome.

Top comments (0)