Equixly MCP. Automate API security auditing via natural language.
Equixly. Automate API security testing and vulnerability management directly from your AI client. Manage target services, trigger autonomous AI pentests, and pull detailed reports on exploitable flaws (BOLA, IDOR, injection) using natural conversation.
What your AI agents can do
- `create_service`: Registers a new API target service for autonomous pentesting using a human-readable name and base URL.
- `delete_service`: Removes an API service and all its scan history from Equixly. This action is permanent.
- `get_scan`: Gets the detailed status and summary of a specific pentest scan, including total requests and severity breakdowns.
- `get_scan_findings`: Downloads a list of all exploitable vulnerabilities found in a pentest scan, including remediation guidance.
- `get_service`: Retrieves the detailed configuration of a specific API service, which is needed before modifying scan behavior.
- `list_api_specs`: Lists all API specifications (OpenAPI, Postman, etc.) uploaded to a service for the AI Hacker to use.
- `list_scans`: Lists all pentest scan sessions for an API service, showing status, timestamps, and vulnerability counts.
- `list_services`: Lists all registered API services in Equixly, showing their name, URL, and endpoint count.
- `trigger_scan`: Launches a new autonomous AI penetration test against a specified service, checking for common security flaws.
- `upload_api_spec`: Uploads an API specification file (OpenAPI, GraphQL, etc.) to a service, expanding the attack surface for scans.
What you can do with this MCP connector
Yo, you wanna run autonomous API security tests and manage vulnerabilities? Just connect your AI client to Equixly. You'll treat your agent like a dedicated security analyst. create_service lets you register a new API target service, giving it a name and a base URL. delete_service permanently removes an API service and all its scan history. get_service retrieves the detailed configuration for an API service, which you need before you mess with scan behavior. list_services gives you a list of every API service you've got configured, showing the name, URL, and endpoint count.
You can expand the scope of the attack using upload_api_spec, uploading API specs like OpenAPI, GraphQL, or Postman files to a service. You can then launch a new autonomous AI penetration test using trigger_scan against a specified service, which checks for common security flaws. To see what's going on with a scan, list_scans shows all pentest sessions for an API service, listing the status, timestamps, and vulnerability counts. get_scan provides the detailed status and summary of a specific pentest scan, including the total requests and severity breakdowns.
When you're done, get_scan_findings downloads a list of all exploitable vulnerabilities found, complete with remediation guidance. You can also see all the API specs uploaded to a service by calling list_api_specs.
How Equixly MCP Works
1. First, use `create_service` to register the API target with its base URL. Then, upload all relevant API specs using `upload_api_spec` to maximize the attack surface.
2. Next, call `trigger_scan` to launch the autonomous pentest. This starts the AI Hacker exploring and testing the API for flaws like IDOR and BOLA.
3. Finally, use `list_scans` to track progress, and then `get_scan` to pull the summary or `get_scan_findings` to download the actual list of vulnerabilities.
The bottom line is: you define the scope, trigger the scan, and then pull the evidence of what broke.
Who Is Equixly MCP For?
Security Engineers and DevSecOps teams. If you're the engineer who has to manually run security checks, wait for reports, and then file a Jira ticket—this is for you. You get to run the whole process, from defining the API scope to downloading the final exploit evidence, all via natural conversation. It cuts out the dashboard clicking.
Runs autonomous pentests against newly deployed APIs. They use the agent to trigger scans and then use get_scan_findings to validate remediation advice against the live API.
Verifies security fixes immediately after a deployment. They use the agent to trigger a scan and check the output for specific flaws, validating the patch before merging code.
Integrates security testing into CI/CD pipelines. They use the agent to automate the sequence: create_service, upload_api_spec, and trigger_scan.
What Changes When You Connect
- You get immediate visibility into attack vectors. Instead of guessing, the agent runs `trigger_scan` and checks for BOLA, IDOR, and mass assignment flaws.
- You manage the entire API surface from one place. Use `list_services` and `create_service` to register new endpoints, ensuring the scanner knows exactly what to hit.
- You don't just get a list of problems; you get fixes. `get_scan_findings` provides specific remediation guidance and OWASP mapping for every vulnerability.
- You keep track of everything. Use `list_scans` to see the history of all pentests run against a service, and `get_scan` for the latest summary metrics.
- You control the scope. `upload_api_spec` lets you feed the scanner complex specs (OpenAPI, GraphQL, etc.) so it doesn't miss any part of your API surface.
- You validate the fix. After a developer patches a flaw, you can run a targeted scan and use `get_scan_findings` to confirm the vulnerability is gone.
Real-World Use Cases
Reviewing a new microservice deployment
A backend developer just deployed the 'User Profile v2' service. Instead of manually setting up a test environment and running a script, they tell their agent: 'Run a full pentest on User Profile v2.' The agent uses create_service to register the endpoint, upload_api_spec to feed it the latest spec, and then calls trigger_scan. Finally, it uses get_scan_findings to deliver a clean list of critical flaws and fixes.
Finding forgotten endpoints
A security engineer suspects the 'Billing' API has forgotten endpoints. They run list_services to see all registered endpoints. They then use get_service to check the configuration and list_api_specs to confirm all API definitions are uploaded, making sure the scanner covers the entire surface.
Comparing scan results over time
A DevSecOps team needs to prove that a fix worked. They run trigger_scan today, get the findings via get_scan_findings, and save the report. Next week, they re-run the scan and compare the results to prove the previous critical flaw is gone, using list_scans to manage the history.
Cleaning up old test APIs
An ops engineer is decommissioning an old 'Legacy Payment' API. Instead of logging into the dashboard and manually unchecking boxes, they simply tell the agent to delete_service. The service and all associated scan data are removed in one step.
The Tradeoffs
Treating API security as a one-off event
Running a manual, single-endpoint test only when a major feature launches. This misses flaws in related, unmonitored endpoints or business logic.
→
Use the agent to continuously monitor. First, run list_services to catalog all APIs. Then, use upload_api_spec to feed the agent all specs, and use trigger_scan to automate continuous, full-surface testing.
Ignoring API versioning drift
A developer updates the code, but forgets to update the API specification file that the security team uses for scanning. The scanner tests the old contract, missing new attack surface areas.
→
Whenever you update an API, immediately call upload_api_spec with the new spec. This ensures the scanner knows the full, current API contract before you run trigger_scan.
Sticking to dashboard UI workflows
Having to jump between the Equixly dashboard, the version control system, and a CI/CD pipeline just to get a scan started and the results into a ticket.
→
Keep it all in your chat. Use the agent to manage the sequence: list_services → upload_api_spec → trigger_scan → get_scan_findings.
When It Fits, When It Doesn't
Use this MCP Server if your primary job is validating the security posture of APIs across multiple services. You need to prove that your API surface is fully covered and that known vulnerabilities (BOLA, IDOR, injection) are patched.
Don't use it if:
* You only need to check one single, stable endpoint (use standard unit testing).
* Your goal is merely to track deployment status (use your CI/CD system's native logging).
When to use it: You need to run autonomous, deep-dive penetration tests that simulate an attacker's mindset. The tools trigger_scan, get_scan, and get_scan_findings give you the evidence needed for compliance and pre-deployment gates.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Equixly. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Security auditing shouldn't require logging into a separate dashboard.
Today, running a full security audit means navigating to a specialized security dashboard. You have to manually find the service ID, click 'start test,' wait for the results to process, then download a PDF report, and finally copy the critical findings into your Jira ticket. It's a lot of tabs and copy-pasting.
With the Equixly MCP Server, you tell your agent to run the pentest. The agent handles the service ID and the execution. You get the status and findings directly in the chat, complete with OWASP mapping and remediation steps. You don't leave the conversation.
Equixly MCP Server: Get detailed vulnerability reports.
You don't have to manually pull the full API spec into the testing tool, then manually run the test, and then manually compile the results. The agent orchestrates the whole process: it uses `list_services` to confirm the target, `upload_api_spec` to feed the full contract, and then `trigger_scan` to start the attack.
Now, you define the scope and the test type, and the agent handles the entire lifecycle. It's a single command that manages the service, runs the scan, and delivers the evidence.
Common Questions About Equixly MCP
How do I run an Equixly scan for a service?
You run a scan by telling your agent to trigger_scan against the target service. Before you do that, make sure you've run create_service to register the service and upload_api_spec with the correct contract.
What information does `get_scan_findings` provide?
get_scan_findings downloads a list of exploitable vulnerabilities. Each finding includes a severity rating, the OWASP category, the affected path, and actionable steps to fix it.
Can I see the status of previous Equixly scans using `list_scans`?
Yes, list_scans lists all pentest sessions for a service. The entries show the status (running, completed, failed) and how many total vulnerabilities were found in that session.
How do I expand the attack surface for Equixly?
You expand the attack surface by using upload_api_spec. You can upload multiple formats—OpenAPI, GraphQL, Postman, etc.—to ensure the scanner has the fullest view of your API.
Is `get_service` necessary before running a scan?
It's best practice to run get_service first. It retrieves the current, detailed configuration of the API service, letting you verify settings before you modify scan behavior.
How do I update my target API service using `create_service` or `get_service`?
You must first use get_service to retrieve the current configuration and identify the service ID. Then, you can modify the service details through the Equixly platform's API interface.
What format should I use when calling `upload_api_spec`?
You need to pass the raw content of the API specification string, along with its format type. Equixly supports OpenAPI (JSON/YAML), Postman, GraphQL, WSDL, and HAR files.
If a scan fails, what information can `get_scan` provide?
The get_scan tool shows the overall outcome, including the total requests made, endpoints explored, and a summary of the failure. It helps you diagnose why the scan didn't complete.
Can my agent trigger an autonomous penetration test on a specific API?
Yes. Use the 'trigger_scan' tool with the target Service ID. The Equixly AI Hacker will begin an autonomous session, learning and attacking the API for various flaws including BOLA and business logic errors.
How do I see the security vulnerabilities found in the last scan via chat?
Use the 'get_scan_findings' tool. Provide the Service and Scan IDs. The agent will retrieve a detailed list of confirmed security flaws, including severity levels and actionable remediation guidance.
Can I upload an OpenAPI specification to improve scan coverage through the agent?
Absolutely. Use the 'upload_api_spec' tool. Provide the spec content and format (e.g., 'openapi'). This allows the AI Hacker to understand the full attack surface and maximize vulnerability discovery.