# Levo.ai Security MCP

> Levo.ai (API Security & Observability) MCP helps you audit and secure your APIs using natural conversation. It maps out every API endpoint—even undocumented ones—and flags vulnerabilities like BOLA or broken authentication. You can monitor for sensitive data (PII/PHI) exposure, generate live OpenAPI specs from actual traffic, and get detailed diagnostic evidence on security flaws.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** api-security, observability, vulnerability-scanning, pii-detection, openapi, threat-detection

## Description

You run into a wall when trying to secure your APIs because the documentation is outdated and the runtime environment is too complex. This MCP lets you hand off that complexity to your AI client. You stop manually sifting through millions of lines of logs or running separate compliance tools. Instead, you ask natural-language questions about your API structure and security posture.

Your agent can immediately list every single endpoint, whether it was documented years ago or a developer spun up a 'shadow' service last week. It checks those endpoints for sensitive data exposure, flagging anything containing PII or PHI. Need to know if an API is vulnerable? Your client runs checks against OWASP standards and gives you specific details on broken authentication instances. You can even get a live OpenAPI specification derived from actual observed traffic patterns; it's precise, not theoretical. This capability makes Levo.ai the ultimate security layer for your APIs, connecting directly to your operational data via Vinkius.

## Tools

### list_applications
Lists all services and applications tracked by Levo.ai for monitoring.

### list_catalog_endpoints
Lists every discovered API endpoint of any type (REST, GraphQL, gRPC, SOAP), including undocumented shadow APIs.

### get_endpoint_details
Provides the complete schema structure for a specific discovered API endpoint.

### list_environments
Lists all deployment boundaries that Levo's active monitoring sensors are covering.

### export_openapi_spec
Automatically generates a live OpenAPI payload specification for any given application.

### get_observation
Retrieves detailed information about a specific runtime anomaly detected by the sensors.

### get_vulnerability
Pulls diagnostic exploitation evidence for a single, identified API vulnerability.

### list_observations
Gathers a list of all runtime API behavior observations detected by the Levo sensors.

### list_sensitive_data
Lists which API endpoints handle or expose sensitive, regulated data flows.

### list_vulnerabilities
Gathers a comprehensive list of all active security vulnerabilities found across your applications.

## Prompt Examples

**Prompt:** 
```
List all discovered API endpoints in our Levo catalog
```

**Response:** 
```
I've found 24 total endpoints across 3 applications. Highlights include '/v1/users' (REST), '/graphql' (GraphQL), and 5 undocumented shadow APIs discovered in the 'Payments' service. Would you like to inspect the sensitive data status for these?
```

**Prompt:** 
```
Show me the active OWASP vulnerabilities for the 'Checkout' application
```

**Response:** 
```
Retrieving vulnerabilities for 'Checkout'… I've identified 2 High impact issues: 1) BOLA (Broken Object Level Authorization) on '/api/v1/orders/{id}', 2) Broken User Authentication. I can provide the diagnostic exploitation evidence for both.
```

**Prompt:** 
```
Generate a live OpenAPI spec for the 'User Management' service
```

**Response:** 
```
Generating OpenAPI spec based on live traffic… Done. I've successfully exported the specification for the User Management service. It includes 12 verified endpoints and mapped request/response schemas. Would you like the JSON payload?
```

## Capabilities

### Map all API endpoints
List every REST, GraphQL, gRPC, and SOAP endpoint, including any undocumented or unused shadow services.

### Audit sensitive data flows
Identify which APIs handle regulated data, like PII (names, emails) or PHI (medical records).

### Detect API vulnerabilities
Check for active security flaws against OWASP standards, such as broken object-level authorization.

### Generate live OpenAPI specs
Create accurate OpenAPI specifications based on the traffic your APIs are actually receiving right now.

### Analyze runtime behavior
Monitor API usage patterns and spot anomalies, like unexpected changes in data structure (schema drift).

### Retrieve vulnerability evidence
Get deep diagnostic reports explaining exactly how a specific security flaw was exploited.

## Use Cases

### The compliance officer needs to prove PHI handling across all regions.
Instead of manually pulling reports from five different regional databases, the agent runs `list_sensitive_data` and filters results for 'PHI' exposure. It delivers a consolidated list of endpoints that need immediate policy review.

### The developer suspects an old API is leaking data.
The developer asks the agent to check endpoint details using `get_endpoint_details` on a legacy service. The result confirms the service is improperly exposing names and emails, which leads to immediate remediation.

### The security team needs an instant audit of all APIs.
The engineer runs `list_catalog_endpoints` to get a full inventory, then uses `list_vulnerabilities` to cross-reference the entire set for active OWASP flaws in one go.

### A new microservice is deployed and needs immediate schema validation.
The team runs `export_openapi_spec` against the live service. The agent generates a verified, accurate OpenAPI payload that the documentation team can use immediately.

## Benefits

- Spot undocumented APIs: Use the `list_catalog_endpoints` tool to find 'shadow' or 'zombie' endpoints that nobody knows about, eliminating hidden security risks.
- Ensure compliance effortlessly: The `list_sensitive_data` tool checks every endpoint for regulated data flows (PII/PHI), giving you instant audit reports.
- Stop guessing on specs: Instead of writing OpenAPI definitions by hand, use `export_openapi_spec` to generate a specification based on real-time traffic observation. It's always accurate.
- Deep dive into flaws: When a vulnerability is found, the `get_vulnerability` tool provides diagnostic evidence, telling you exactly what went wrong and how to fix it.
- Catch behavioral drift: The `list_observations` tool tracks runtime changes in API traffic patterns. This alerts you when an endpoint's structure unexpectedly changes.
- Understand scope quickly: Use `list_applications` and `list_environments` to map out exactly which services Levo.ai is tracking and which deployment environments its sensors cover.

## How It Works

The bottom line is you get real-time security answers for your API stack without writing a single log query.

1. First, subscribe to the Levo.ai MCP and input your API token and organization ID.
2. Next, tell your AI client what you need—for instance, 'List all applications that handle PHI.'
3. Your agent runs the query against Levo's live sensors and returns a clean list of endpoints, vulnerabilities, or data flows.

## Frequently Asked Questions

**How does Levo.ai (API Security & Observability) MCP find shadow APIs?**
The MCP uses the `list_catalog_endpoints` tool to dynamically map all traffic, not just documented routes. This means it finds 'shadow' or undocumented endpoints that are actively being used by your services.

**Is this better than traditional API gateway monitoring?**
Yes. While gateways monitor traffic flow, the Levo MCP analyzes *what* is in the traffic—specifically checking for PII/PHI and running deep OWASP vulnerability scans that go beyond simple rate limiting.

**What if I only need to check one endpoint's schema?**
You can use `get_endpoint_details` to pull the precise, detailed schema structure for any single API endpoint you discover in your catalog. It provides a deep dive into how that specific resource is built.

**Can Levo.ai (API Security & Observability) MCP help with compliance reporting?**
Absolutely. By listing sensitive data flows using `list_sensitive_data`, you automatically gather the evidence needed to prove regulatory adherence, simplifying your audit process.

**Does this tool support multiple environments (staging/prod)?**
Yes. You can use `list_environments` and then query specific data or vulnerabilities across those distinct deployment boundaries monitored by the sensors.