StackHawk

Introducing the StackHawk Model Context Protocol (MCP) Server

Today, we’re excited to announce the StackHawk MCP server—bringing enterprise-grade application security testing directly into AI coding assistants like Cursor, Claude Code, and Windsurf. AI is fundamentally changing how enterprises build applications, and at StackHawk we’re excited to push forward the next evolution of security alongside these new workflows.

What is the StackHawk MCP Server?

The StackHawk MCP server is an open-source integration that connects AI coding assistants with StackHawk’s dynamic application security testing (DAST) platform. Using Anthropic’s Model Context Protocol, developers can now run DAST, analyze vulnerabilities, and implement fixes—all without leaving their AI code editor.

Instead of context switching to security dashboards or command-line tools, developers can simply ask their AI assistant to “scan my API for vulnerabilities” or “check if my authentication is secure.” StackHawk provides the security expertise and AI handles the complexity of the natural language feedback loop.

Why This Matters for Security and Engineering Teams

Developers using Cursor or Windsurf can build features 10x faster than before. Application security teams were already resource-constrained and buried by security alerts. This unprecedented speed exacerbates that challenge: how do you maintain security rigor without hindering innovation?

This is where the StackHawk MCP server becomes critical. It enables both security and engineering teams not only to find and fix vulnerabilities, but also to scale their security expertise at the pace of AI.

Find Vulnerabilities Where They Live

With StackHawk’s MCP, security testing happens directly in developers’ AI coding environments. When an engineer asks their AI to test a new feature, StackHawk runs real DAST scans against the running application—finding SQL injections, authentication bypasses, and API vulnerabilities that only appear at runtime and that SAST can’t detect.

Fix Issues in the Flow of Development

Here’s what makes this transformative: developers can find vulnerabilities—and fix them immediately. No switching to a security dashboard. No reading documentation. The AI assistant receives StackHawk’s findings and generates contextual remediation specific to the codebase. A SQL injection is not just identified; it’s fixed with properly parameterized queries that match the application’s patterns, and validated for both security and functionality.

This find-and-fix workflow is at the core of StackHawk’s philosophy. Now it happens seamlessly within AI-assisted development, turning security from a blocker into an enabler.

Scale Security Expertise

Every developer gets access to enterprise-grade security testing through simple conversation. StackHawk has always been a leader in embedding security into developers’ workflows via seamless CI/CD integration, and this takes that ethos to the next level. Security teams can ensure consistent testing across the organization without becoming a bottleneck, while developers get immediate feedback without needing deep security expertise.

Getting Started

The StackHawk MCP server is now available for our existing customers. Installation takes minutes:

1. Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

2. Add your API key to mcp.json in your project.
{
  "mcpServers": {
    "stackhawk": {
      "command": "uvx",
      "args": ["stackhawk-mcp"],
      "env": {
        "STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}"
      }
    }
  }
}
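
Step 2 passes the key as a ${env:STACKHAWK_API_KEY} reference, so the secret itself stays out of a file that lives in the project. The check below is an added example, not code from StackHawk or the original post: it audits an mcp.json for credential-like env entries that hold a literal value instead of a ${env:NAME} reference. The function name, the name pattern used to spot credentials, and both sample documents are assumptions made for illustration.

```python
import json
import re

# The page's config references the key as ${env:NAME} rather than embedding it.
ENV_REF = re.compile(r"^\$\{env:[A-Za-z_][A-Za-z0-9_]*\}$")
# Assumption: env names containing these words carry credentials.
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.IGNORECASE)


def audit_mcp_config(text):
    """Return a list of findings for an mcp.json document given as a string."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return ["'mcpServers' must be an object keyed by server name"]
    findings = []
    for name, server in servers.items():
        if not isinstance(server, dict):
            findings.append(f"{name}: server entry must be an object")
            continue
        env = server.get("env")
        if not isinstance(env, dict):
            continue  # nothing passed to this server through the environment
        for var, value in env.items():
            if SECRET_NAME.search(var) and not ENV_REF.match(str(value)):
                findings.append(
                    f"{name}: {var} is a literal value, use ${{env:{var}}}"
                )
    return findings


# Constructed samples: GOOD references the variable, BAD embeds a made-up key.
GOOD = '''{"mcpServers": {"stackhawk": {"command": "uvx",
  "args": ["stackhawk-mcp"],
  "env": {"STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}"}}}}'''
BAD = GOOD.replace("${env:STACKHAWK_API_KEY}", "hawk.EXAMPLE.not-a-real-key")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, audit_mcp_config(doc) or "ok")
```

Run against the project's mcp.json in a pre-commit hook or CI step, a non-empty result is the signal to block the commit.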

Once connected, developers can start testing immediately with natural language commands like:

  • “Test my application for security vulnerabilities”
  • “Scan my API endpoints on localhost:3000”

What’s Next: Building the Future of Application Security

Our MCP server is just the beginning of our AI-powered security vision. We’re building toward a future where security is shifted beyond left and woven into the fabric of how software gets built.

StackHawk already offers API Discovery from source code, automatically mapping your attack surface before a single line deploys. Combined with AI-assisted documentation, testing, and remediation, we’re creating a world where:

  • Security vulnerabilities are caught and fixed as code is written
  • Every developer has access to expert security knowledge through their AI assistant
  • Security teams can focus on strategy while AI handles implementation
  • The speed of development accelerates rather than slows with proper security

We’re excited to share more of what we’re building in the coming months. The future of application and API security is conversational, contextual, and continuous—and it’s arriving faster than ever.


Try It Today

Existing customers can start using the StackHawk MCP server immediately. Visit our documentation to get started, or reach out to your customer success team to learn more about integrating AI-powered security testing into your development workflow.
For builders interested in our new Vibe plan, designed specifically for individual developers using AI coding platforms, learn how to fix vibe coding security vulnerabilities.