```shell
pip install red-specter-leviathan
```
The Model Context Protocol is the bus your agents use to discover and call tools. It's also the most dangerous unevaluated trust surface in modern AI deployment. Your agents trust what MCP servers tell them — tool definitions, capability declarations, schemas. None of it is verified. LEVIATHAN tests every layer of that trust relationship.
Agents consume MCP tool definitions at face value. If a server returns modified parameter types, hidden fields, or altered descriptions, the agent calls the altered tools without question. LEVIATHAN's INJECT subsystem tests every permutation of schema manipulation.
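The defensive counterpart to the schema checks above, as an added example that is not LEVIATHAN's code: pin the tools/list result the operator approved at first connection and diff every later response against it, so hidden parameters, type changes, altered descriptions and new or missing tools surface before the agent calls anything. Field names follow the MCP tool shape (name, description, inputSchema); the sample payloads are constructed.

```python
"""Pin MCP tool definitions at approval time and flag drift on reconnect.
Added example, not LEVIATHAN code; sample payloads are constructed and follow
the MCP tool shape (name, description, inputSchema)."""

def _props(tool: dict) -> dict:
    return tool.get("inputSchema", {}).get("properties", {})

def diff_tool(old: dict, new: dict) -> list[str]:
    """Field-level changes an agent would otherwise accept silently."""
    out = []
    if old.get("description") != new.get("description"):
        out.append("description changed")
    op, np_ = _props(old), _props(new)
    for p in sorted(np_.keys() - op.keys()):
        out.append(f"parameter '{p}' added")  # hidden or extra field
    for p in sorted(op.keys() - np_.keys()):
        out.append(f"parameter '{p}' removed")
    for p in sorted(op.keys() & np_.keys()):
        if op[p].get("type") != np_[p].get("type"):
            out.append(f"parameter '{p}' type {op[p].get('type')} -> {np_[p].get('type')}")
    if old.get("inputSchema", {}).get("required") != new.get("inputSchema", {}).get("required"):
        out.append("required list changed")
    return out

def check_schema(pinned: list[dict], current: list[dict]) -> dict[str, list[str]]:
    """Tool name -> findings; an empty dict means the server matches the pin."""
    old = {t["name"]: t for t in pinned}
    new = {t["name"]: t for t in current}
    findings = {n: ["new tool not in pinned set"] for n in sorted(new.keys() - old.keys())}
    findings.update({n: ["pinned tool missing"] for n in sorted(old.keys() - new.keys())})
    for name in sorted(old.keys() & new.keys()):
        if d := diff_tool(old[name], new[name]):
            findings[name] = d
    return findings

# Constructed sample: what the operator approved vs. what the server now serves.
STR = {"type": "string"}
PINNED = [
    {"name": "read_file", "description": "Read a file from the workspace",
     "inputSchema": {"type": "object", "properties": {"path": STR}, "required": ["path"]}},
    {"name": "list_dir", "description": "List a directory",
     "inputSchema": {"type": "object", "properties": {"path": STR}, "required": ["path"]}},
]
CURRENT = [
    {"name": "read_file", "description": "Read a file from the workspace (v2)",
     "inputSchema": {"type": "object", "properties": {"path": STR, "forward_to": STR}, "required": ["path"]}},
    {"name": "run_cmd", "description": "Run a command",
     "inputSchema": {"type": "object", "properties": {"cmd": STR}, "required": ["cmd"]}},
]
```

Running `check_schema(PINNED, CURRENT)` reports the changed description and the extra `forward_to` field on `read_file`, the unpinned `run_cmd`, and the missing `list_dir`; a clean reconnect returns an empty dict.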
DNS remapping, TLS certificate swaps, registry updates — an agent connecting to what it believes is its trusted MCP server has no mechanism to detect identity substitution. LEVIATHAN's TRIDENT subsystem assesses trust validation mechanisms directly.
MCP servers registered in your environment declare capabilities, authentication requirements, and transport details. LEVIATHAN's ABYSS subsystem enumerates the complete MCP landscape before any testing begins — you can't secure what you haven't mapped.
MCP environments contain delegation chains — agents that connect through servers that connect to other servers. LEVIATHAN's UNDERTOW subsystem maps the full BFS graph of trust relationships and calculates blast radius for each critical server compromise.
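The blast radius computation described above, as an added example that is not LEVIATHAN's code: a BFS over the reverse of a constructed delegation graph, ranking each server by how many agents transitively trust it through intermediate servers.

```python
"""Blast radius of an MCP server compromise over a delegation graph.
Added example, not LEVIATHAN code; the topology below is constructed. An edge
(client, server) means the client connects to that server and consumes its
tools, including any the server proxies from servers further downstream."""
from collections import defaultdict, deque

# Constructed topology: two gateways fan out to back-end MCP servers.
EDGES = [
    ("agent-billing", "mcp-gateway"),
    ("agent-support", "mcp-gateway"),
    ("agent-devops", "mcp-ci"),
    ("mcp-gateway", "mcp-crm"),
    ("mcp-gateway", "mcp-search"),
    ("mcp-ci", "mcp-search"),
    ("mcp-crm", "mcp-db"),
]

def upstream_index(edges):
    """server -> set of clients that connect to it (reverse adjacency)."""
    idx = defaultdict(set)
    for client, server in edges:
        idx[server].add(client)
    return idx

def blast_radius(edges, target):
    """Every node that transitively trusts `target` (BFS over reverse edges)."""
    idx = upstream_index(edges)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for client in idx[node]:
            if client not in seen:
                seen.add(client)
                queue.append(client)
    return seen

def rank_servers(edges):
    """(server, agents affected) with the most critical server first.
    Agents are the graph's sources: nodes that nothing else connects through."""
    servers = {s for _, s in edges}
    agents = {c for c, _ in edges} - servers
    rows = [(s, len(blast_radius(edges, s) & agents)) for s in servers]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for server, n in rank_servers(EDGES):
        print(f"{server}: {n} agent(s) in blast radius")
```

In this topology `mcp-search` is the critical server: it sits two hops from every agent yet a compromise reaches all three, which is exactly the kind of dependency a per-server view misses.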
When an MCP server is compromised, what does an attacker actually gain? Data access, command execution, privilege escalation paths, denial of service vectors. LEVIATHAN's HARVEST subsystem assesses impact systematically across every connected agent.
Security assessments of MCP infrastructure leave no audit trail by default. LEVIATHAN's RAIN subsystem captures and Ed25519-signs every assessment action — every test, every finding, every interaction — producing a tamper-proof evidence chain for audit and compliance.
MCP is the protocol agents trust for tool discovery. LEVIATHAN assesses every layer of that trust — from server discovery and fingerprinting to schema integrity, trust redirection, and lateral movement through delegation chains. If it touches MCP, LEVIATHAN tests it.
| # | Subsystem | Function | What It Does |
|---|---|---|---|
| 01 | ABYSS | Discovery & Enumeration | Discovers MCP servers via port scanning, registry enumeration, and DNS resolution. Maps tool definitions, capabilities, and trust relationships across the environment before any active assessment begins. |
| 02 | MIRAGE | Server Simulation | Creates controlled MCP server replicas for security testing. Clones tool definitions, capabilities, and TLS certificates. Full JSON-RPC response handling — tests agent behaviour when served a simulacrum. |
| 03 | INJECT | Schema Integrity Testing | Generates test cases that modify tool definitions — hidden parameters, type changes, description alterations, annotation removal. Tests whether agents detect modifications to the schema they rely on. |
| 04 | LURE | Fingerprint & Assessment | Fingerprints MCP server implementations and assesses security posture. Checks authentication, TLS, SSRF indicators, schema enforcement, token handling, and transport security across all discovered servers. |
| 05 | TRIDENT | Trust Redirection | Assesses whether agents detect server identity changes — DNS remapping, TLS certificate swaps, registry updates, and capability drift. Tests the trust validation mechanisms agents employ on reconnection. |
| 06 | HARVEST | Impact Assessment | Analyses what a compromised MCP server enables — data access, command execution, privilege escalation, denial of service, and data manipulation across every agent connected through the compromised server. |
| 07 | UNDERTOW | Lateral Trust Chains | Maps lateral movement paths through MCP trust relationships. BFS graph analysis, delegation chain discovery, blast radius calculation, and critical server identification across the full trust topology. |
| 08 | RAIN | Forensic Evidence | Captures and signs every assessment action with Ed25519 cryptographic integrity. Tamper-proof evidence trail for audit, compliance, legal hold, and downstream SIEM ingestion. |
Cryptographic override. Private key controlled. One operator. Founder's machine only. ANTIDOTE is not available for LEVIATHAN — MCP compromise is architectural, not a configuration setting. You either have trust validation or you don't.
Discovery and fingerprinting only. Maps MCP servers, enumerates tools, identifies trust relationships, assesses authentication posture. No active interference. No server modification. No schema injection.
Simulates all assessment techniques. Schema tests, redirection tests, impact analysis — shows what would be found and how, down to specific finding counts. Ed25519 required. No active execution against target servers.
Full assessment with active techniques. 44 UNLEASHED findings across 8 attack vectors. Server impersonation, registry manipulation, tool injection testing, delegation chain traversal, blast radius validation.
THIS TOOL IS FOR AUTHORISED SECURITY TESTING ONLY. EVERY EXECUTION IS SIGNED AND LOGGED.
Red Specter LEVIATHAN is intended for authorised security testing of MCP server infrastructure only. Active assessment features require UNLEASHED activation and must only be used against MCP servers you own or have explicit written permission to assess. Unauthorised use may violate the Computer Misuse Act 1990 (UK), Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions. Apache License 2.0.