# Equixly MCP

> Equixly MCP automates API security testing directly through your AI agent. Manage target services, upload OpenAPI specs, and run autonomous pentests to find critical vulnerabilities like BOLA and IDOR without manual configuration. It delivers detailed reports on exploitable flaws from any compatible client.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** api-security, penetration-testing, autonomous-testing, vulnerability-management, cybersecurity, logic-errors

## Description

Connect your Equixly account via Vinkius and give your AI client full control over API security testing and vulnerability management through natural conversation. You can start by registering a new target service, defining the base URL you want to protect. Next, upload comprehensive API specifications—OpenAPI or Postman files work great—to expand what the autonomous hacker knows about your system. When ready, simply trigger an attack session for BOLA, IDOR, and common injection flaws across all defined endpoints. Your agent tracks progress and lets you pull detailed lists of confirmed vulnerabilities, including severity ratings and remediation steps. You don't have to jump between a dashboard and your IDE; the process happens entirely through conversation with your AI client.

## Tools

### create_service
Registers a brand new API service target by providing its readable name and live base URL for testing.

### delete_service
Permanently removes an existing API service and all associated scan history from the system.

### get_scan_findings
Downloads a detailed report of every exploitable vulnerability found during a pentest, including severity and how to fix it.

### get_scan
Retrieves the overall summary of a specific scan, showing total requests made and a breakdown by flaw severity.

### get_service
Fetches the current configuration details for a specific API service before you adjust its testing behavior.

### list_scans
Lists all recorded pentest sessions for an API, providing status, timestamps, and how many vulnerabilities were found in each run.

### list_services
Gets a list of every API service currently registered with the platform, including their base URL and endpoint count.

### list_api_specs
Shows all API specifications that have been uploaded to a service, helping you track coverage for the autonomous hacker.

### trigger_scan
Launches an immediate, autonomous penetration test against a registered service to check for common security flaws.

### upload_api_spec
Adds full API documentation (like OpenAPI or Postman) to a service, maximizing the scope of potential vulnerability discovery.

## Prompt Examples

**Prompt:** 
```
Trigger a security scan for API service 'Billing-v1'
```

**Response:** 
```
Pentest initiated! I've triggered an autonomous attack session for 'Billing-v1' (ID: svc_123). The AI Hacker is now exploring and testing your API. I'll notify you when the results are ready.
```

**Prompt:** 
```
Show me the critical findings from the latest scan of service 'Payments'
```

**Response:** 
```
Retrieving findings for 'Payments'... I found 2 critical vulnerabilities: 'Unauthenticated IDOR on /users/me' and 'BOLA on /orders/{id}'. Would you like the remediation guidance for these?
```

**Prompt:** 
```
List all registered API target services
```

**Response:** 
```
I found 3 registered services: 'Billing-v1' (https://api.billing.com), 'Payments' (https://pay.example.com), and 'Auth-Service'. Each is configured for continuous security monitoring.
```

## Capabilities

### Registering API Targets
You can establish new API services by defining their base URLs for continuous security monitoring.

### Expanding the Attack Surface
Upload OpenAPI, GraphQL, or Postman specifications to ensure the autonomous AI hacker has a complete map of your API endpoints.

### Running Automated Penetration Tests
Initiate comprehensive security scans designed to find specific flaws like Broken Object Level Authorization (BOLA) and IDORs.

### Analyzing Vulnerability Reports
Retrieve detailed lists of confirmed, exploitable security flaws, complete with OWASP mapping and suggested fixes.

### Monitoring Scan Progress
Track the real-time status of a test, seeing metrics like total requests made or endpoints explored.

### Retrieving Service Metadata
Fetch configuration details for any API service, including authentication hooks and safety settings.

## Use Cases

### Post-Deployment Security Check
A backend developer just pushed a new API endpoint. They ask their agent to run an audit on the service, triggering `trigger_scan` immediately. The agent confirms the scan is running and notifies them when they can use `get_scan_findings` to review any critical flaws before deployment.

### Auditing a Legacy System
A security engineer needs to check an old, undocumented API. They use `list_services` to confirm the base URL and then manually feed documentation using `upload_api_spec`, ensuring the agent knows exactly what surface area to test.

### Comparing Test Runs
A QA engineer needs to prove that a patch fixed a vulnerability. They use `list_scans` to find the previous failed scan and then run a new one, comparing the total flaw count using `get_scan`.
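A worked version of that comparison, added here as an example that is not Equixly's or Vinkius's own code: it diffs two findings lists by endpoint and flaw class, reports what was fixed, what persists and what is new since the patch, and applies a severity gate. The finding fields (`endpoint`, `category`, `severity`, `title`) and the two sample runs are assumed and constructed, since the page does not show the output schema of `get_scan_findings`.

```python
# Added example, not Equixly's or Vinkius's code. The finding shape below is an
# ASSUMED rendering of what get_scan_findings returns; both runs are constructed.
from collections import Counter

SEVERITY_ORDER = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed: findings from the scan before the patch (first two mirror the page's sample response).
BEFORE = [
    {"endpoint": "/users/me", "category": "IDOR", "severity": "critical",
     "title": "Unauthenticated IDOR on /users/me"},
    {"endpoint": "/orders/{id}", "category": "BOLA", "severity": "critical",
     "title": "BOLA on /orders/{id}"},
    {"endpoint": "/search", "category": "SQLi", "severity": "high",
     "title": "Injection in search filter"},
]
# Constructed: findings after the patch. IDOR fixed, BOLA persists, one new flaw appeared.
AFTER = [
    {"endpoint": "/orders/{id}", "category": "BOLA", "severity": "critical",
     "title": "BOLA on /orders/{id}"},
    {"endpoint": "/search", "category": "SQLi", "severity": "high",
     "title": "Injection in search filter"},
    {"endpoint": "/invoices/{id}", "category": "BOLA", "severity": "high",
     "title": "BOLA on /invoices/{id}"},
]

def key(finding):
    """Identity of a finding across runs: same endpoint and same flaw class."""
    return (finding["endpoint"], finding["category"])

def diff_findings(before, after):
    """Classify findings as fixed (gone), new (regressions), or persisting."""
    b, a = {key(f): f for f in before}, {key(f): f for f in after}
    return {
        "fixed": sorted(k for k in b if k not in a),
        "new": sorted(k for k in a if k not in b),
        "persisting": sorted(k for k in a if k in b),
    }

def severity_breakdown(findings):
    """Count findings per severity, the same breakdown get_scan summarizes."""
    return dict(Counter(f["severity"] for f in findings))

def is_fixed(before, after, endpoint, category):
    """True if a flaw from the earlier run no longer appears in the later run."""
    return (endpoint, category) in diff_findings(before, after)["fixed"]

def release_gate(after, threshold="high"):
    """Return (ok, blocking): ok is False if any finding is at or above threshold."""
    limit = SEVERITY_ORDER[threshold]
    blocking = [f for f in after if SEVERITY_ORDER[f["severity"]] >= limit]
    return len(blocking) == 0, blocking
```

Comparing only the total flaw count from `get_scan` would have hidden the new BOLA on `/invoices/{id}` here, since the total stayed at three; diffing the findings themselves is what proves the patch fixed the IDOR without masking a regression.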

### Decommissioning an API
The team is retiring an old payment gateway. Instead of manually deleting it from multiple systems, they use `delete_service`, ensuring all scan history and the service itself are cleanly removed.

## Benefits

- You eliminate manual setup. Instead of configuring tools, you simply use `create_service` to define a new target URL and start monitoring its security posture instantly.
- Maximized coverage means fewer blind spots. By using `upload_api_spec`, you feed the autonomous AI hacker every piece of documentation—OpenAPI, GraphQL, etc.—so no endpoint is missed.
- Get actionable results immediately. Rather than just finding a flaw, `get_scan_findings` gives you the OWASP category and direct remediation guidance for fixing it.
- Manage complexity with one command. Instead of running separate scripts for different types of tests, use `trigger_scan` to launch a comprehensive attack session covering BOLA, IDOR, and more.
- Maintain audit trails easily. With `list_scans`, you track every test session, seeing the status and total vulnerability count without opening a dashboard.

## How It Works

The bottom line is that you manage the entire lifecycle of security testing—from definition to discovery—without ever leaving your chat window.

1. First, subscribe to this MCP and provide your Equixly API Token in the Vinkius setup.
2. Next, tell your AI client which APIs need protection; you can do this by using `create_service` or uploading specs via `upload_api_spec`.
3. Finally, use `trigger_scan` to start testing, and then ask for findings using `get_scan_findings`.

## Frequently Asked Questions

**How do I start using Equixly MCP for basic testing?**
You must first register the API service using `create_service` with its base URL. Once that's done, you can use `list_services` to confirm it's ready for initial scans.

**Can I test an API with Equixly MCP without having OpenAPI documentation?**
Yes, but coverage will be limited. While you should always upload specs using `upload_api_spec`, the agent can still run tests based only on the service URL defined by `create_service`.

**What is the difference between getting scan data and finding flaws with Equixly MCP?**
The `get_scan` tool gives you the summary metrics—total requests, endpoints explored. The `get_scan_findings` tool drills down to give you specific details about every confirmed vulnerability.

**If I update my API, do I have to re-register it with Equixly MCP?**
No. You can use `get_service` to check the existing configuration and then simply run a new scan using `trigger_scan` against the established service.

**Which tool should I use if I want to see what endpoints are available?**
Start by running `list_services`. This will provide you with all registered API services and their corresponding unique IDs, which helps guide your next actions.