HCL AppScan MCP. Audit entire app security posture instantly.
HCL AppScan MCP connects application security testing directly to your AI client. It lets you manage complex security scans across multiple applications, track vulnerabilities, and audit an entire software inventory using natural conversation. Quickly check scan statuses, list apps, or even start new dynamic analysis (DAST) tests without ever leaving your chat window.
Give Claude and any AI agent real-world access
You list all applications in your security inventory to get their unique IDs and names.
You monitor all performed scans, checking the current status of any active security tests.
You get detailed lists and specific information about security issues found during a scan.
You start new Dynamic Analysis (DAST) scans for your web applications directly from the chat.
You list available local agents used to scan internal, non-web applications.
What AI agents can do with HCL AppScan MCP: 10 Tools for Security Auditing
These tools let you automate complex security tasks, from listing every application in your inventory to initiating a full dynamic analysis scan.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Get Account Check
Verifies that your AppScan account connection is active and ready to use.
Get Account Info
Retrieves specific information about the user who authenticated to the service.
Get App
Pulls detailed data for one specific application within your inventory.
Get Issue
Gathers granular information about a single, identified vulnerability or security...
Get Scan
Retrieves the status and details for one specific scan job.
List Apps
Shows a comprehensive list of every application registered in your AppScan inventory.
List Issues
Generates a full listing of all vulnerabilities found for a given application ID.
List Presence
Lists the local agents, or Presences, that are available to scan internal...
List Scans
Provides a complete record of all scans that have ever been run in your account...
Start Dast Scan
Begins a new Dynamic Analysis (DAST) scan for a specified web application URL.
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for HTTPS Streamable, SSE, and OAuth2—zero messy routing required.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on each call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with HCL AppScan, then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by HCL AppScan. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
- Cloud Hosted: Managed infra
- V8 Isolated: Sandboxed per request
- Zero-Trust Proxy: No stored credentials
- DLP Enforced: Policy on each call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Security Audits Used to Be a Dashboard Nightmare
Right now, if you want to audit an application's security status, you open the AppScan dashboard. You manually select the app. Then you check the scan history. If things look good, great; if they don't, you have to export the vulnerability list into a spreadsheet. Then you copy that data into your compliance report. That cycle takes time and introduces manual error at every step.
With this MCP, you just talk to your agent. You ask it to audit the application inventory, and it runs `list_apps` and immediately gives you all the IDs. When you need flaw details, it uses `list_issues` and presents a clean list—no exporting needed. The whole process stays within conversation.
Get Vulnerability Data with HCL AppScan MCP
You ditch the constant clicking between tabs, the copy/paste routine of moving findings from one sheet to another, and the headache of cross-referencing different scan reports.
Now, when you ask your agent to get detailed vulnerability information using `get_issue`, the data comes back structured, actionable, and ready for immediate decision-making. It's a massive shift in workflow.
What HCL AppScan MCP does for your AI
This MCP brings powerful application security testing straight to your agent. Instead of logging into separate dashboards, you can monitor vulnerabilities and audit your entire application inventory using natural conversation. Your AI client talks directly to the tools here, giving you instant insight into your security posture across HCL AppScan on Cloud (ASoC).
You can list all applications in your inventory to find their unique IDs or check the real-time status of any active scan. Need more detail? You can retrieve detailed lists of security issues found during scans, including severity and current status. If you're ready for a new audit, you can start DAST scans right from the chat interface.
All this capability is available through Vinkius, giving your agent access to industry-leading tools without needing multiple subscriptions or logins.
How to set up HCL AppScan MCP
The bottom line is that your AI client handles the complex API calls so you just talk to it like normal.
First, your AI client uses the account tools to verify connection and retrieve basic user data.
Next, you ask it to list all applications or check a specific scan's status. The MCP runs those checks and sends back structured data about the findings.
Finally, if you need new data, you tell your agent to start a DAST scan; it executes the request and confirms when the job begins.
Who uses HCL AppScan MCP
Security Engineers, DevSecOps Teams, and Compliance Officers. This MCP helps people who get burned out logging into five different dashboards just to check if an app is compliant or secure.
You audit security findings across multiple apps in one chat session, skipping the manual process of exporting data from separate consoles.
You integrate vulnerability tracking and scan initiation into automated developer workflows without writing boilerplate code to manage API calls.
You monitor application security status across the entire portfolio, ensuring every app gets its required regular scans for audit readiness.
Benefits of connecting HCL AppScan MCP
You don't waste time manually exporting vulnerability reports. By using `list_issues` and `get_issue`, your agent compiles all the data you need into a clean summary, saving hours of spreadsheet work.
Start new audits on demand. Instead of navigating to the web console, just ask your agent to run a DAST scan using `start_dast_scan`. The whole process happens through conversation.
Get full visibility across all assets. You can use `list_apps` to see every single application ID in your inventory at a glance, ensuring no critical piece of software is forgotten during an audit.
Check the status without logging in. Need to know if last night's scan finished? Use `get_scan` and `list_scans` to get instant updates on running or completed jobs.
Manage internal systems easily. The `list_presence` tool shows you which local agents are available, letting you plan scans for apps that don't have a public URL.
HCL AppScan MCP use cases
Pre-Compliance Audit Check
A compliance officer needs to prove that all 40 internal applications were scanned this quarter. They ask their agent to run `list_apps` first, then use `list_scans` for each app ID to confirm coverage and gather proof of regular auditing.
Immediate Flaw Discovery
A developer asks the agent to check a newly deployed service. The agent uses `start_dast_scan`, waits for completion, and then runs `list_issues` to immediately report any high-severity flaws found.
Deep Dive into One Vulnerability
A security engineer finds a suspicious vulnerability ID. They ask the agent to run `get_issue` with that ID. The tool returns detailed context, including remediation steps and severity scores, allowing for immediate triage.
Inventory Cleanup
An ops team member suspects an old application is forgotten. They use `list_apps` to verify the existence of the app ID, then run `get_app` to check its details before deciding if it needs to be decommissioned.
HCL AppScan MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Assuming AppScan knows everything
Telling your agent 'Tell me about the security of the Customer Portal.' The agent can't guess; it needs specific instructions and IDs.
First, use `list_apps` to get the exact app ID. Then, tell your agent: 'Use this ID with `get_app`, then run `list_issues` for that result.' This gives you targeted data.
Running scans without knowing targets
Just telling the tool to 'Scan everything.' The process fails because it needs a specific URL or application ID to start DAST.
Use `list_apps` to find the correct target. Then, initiate the scan by explicitly asking your agent: 'Start a new DAST scan for this app with this URL,' triggering `start_dast_scan`.
Overloading the chat session
Asking to list all apps, then check 20 scans, and finally start 5 new ones in one prompt. The agent gets bogged down.
Break it up. Use `list_apps` first. Then, dedicate a separate turn to checking the status of the most critical scan using `get_scan`. Keep your requests focused.
When to use HCL AppScan MCP
Use this MCP if you manage security across numerous applications and need to automate repetitive auditing tasks, like listing vulnerabilities or starting scans, without leaving your chat window. It's built for deep, technical security work. Don't use it if you simply need a high-level dashboard summary of risk; the tool provides granular data that requires interpretation (e.g., using `get_issue` to understand severity). If you only need simple compliance reports based on date ranges and don't care about application IDs, a general reporting tool might suffice. But when your job revolves around checking specific vulnerabilities or managing complex scan cycles, this MCP is essential.
Frequently asked questions about HCL AppScan MCP
How do I list all applications with HCL AppScan MCP?
You simply ask your agent to list the apps using `list_apps`. This tool immediately shows you every application ID currently tracked in your security inventory.
Can I start a scan without knowing the URL? (HCL AppScan MCP)
No. The `start_dast_scan` tool requires a specific URL to run the dynamic analysis test. You must first find the target URL and pass it to the agent.
What if I need details on one vulnerability? (HCL AppScan MCP)
You use `get_issue` and provide the specific ID of the issue you care about. The tool returns detailed context, including severity and how to fix it.
Does HCL AppScan MCP track old scans?
Yes. You can use `list_scans` or `list_issues` to view historical data, helping you audit past performance and ensure compliance over time.
What is the difference between listing apps and getting app details? (HCL AppScan MCP)
Using `list_apps` gives a simple roster of all IDs. Using `get_app` retrieves deep, detailed information for one specific app ID you've already identified.
How do I get my AppScan API Key ID and Secret?
Log in to the AppScan on Cloud console, go to your User Profile (top right), and select API Keys. You can generate a new Key ID and Key Secret there.
Does this server support the EU region?
Yes, you can set the `APPSCAN_REGION` environment variable to `eu` to connect to the European data center (eu.cloud.appscan.com).
Can I start a scan for an internal application?
Yes, provided you have an AppScan Presence (local agent) configured. You can use the `list_presence` tool to check their availability before starting a scan.