LEVIATHAN Documentation
MCP Server Security Assessment Framework — Tool #27
v1.0.0
8 Subsystems
| # | Subsystem | Function |
|---|
| 01 | ABYSS | MCP server discovery and enumeration (port scanning, registry, DNS) |
| 02 | MIRAGE | MCP server simulation for controlled testing (clone, response templates) |
| 03 | INJECT | Tool definition integrity testing (hidden params, type changes, description alteration) |
| 04 | LURE | MCP server fingerprinting and vulnerability assessment (auth, TLS, SSRF, tokens) |
| 05 | TRIDENT | Trust redirection assessment (DNS remap, TLS swap, registry remap, capability drift) |
| 06 | HARVEST | Post-compromise impact assessment (data access, command execution, privilege escalation) |
| 07 | UNDERTOW | Lateral trust chain assessment (BFS graph, delegation chains, blast radius) |
| 08 | RAIN | Forensic evidence capture (Ed25519 signed, tamper-proof, exportable) |
Attack Vectors
| Vector | What LEVIATHAN Assesses |
|---|
| Server Impersonation | DNS redirection, TLS interception, transparent proxy to redirect agent traffic |
| Registry Poisoning | Rogue server insertion, namespace squatting, cache poisoning in MCP registries |
| Tool Definition Injection | Hidden parameters, type confusion, description prompt injection, tool shadowing |
| Response Manipulation | Data injection, prompt injection via responses, selective filtering |
| Server Compromise | SSRF, command injection, auth bypass, path traversal, OAuth redirect manipulation |
| Delegation Chain Abuse | Lateral movement via trust chains, credential relay, privilege escalation |
| Trust Redirection | Agent traffic redirection, token theft, certificate swap, multi-server takeover |
| Agent Command Hijack | Command injection via responses, data exfiltration, persistent backdoor, multi-agent hijack |
UNLEASHED Techniques
8 stages, 44 findings. Each finding includes evidence, remediation, CWE mapping, and breach assessment.
| Stage | Name | Findings | Subsystem |
|---|
| L-01 | IMPERSONATION | 6 | MIRAGE |
| L-02 | REGISTRY | 5 | ABYSS |
| L-03 | INJECTION | 6 | INJECT |
| L-04 | RESPONSE | 5 | MIRAGE |
| L-05 | COMPROMISE | 6 | LURE |
| L-06 | DELEGATION | 5 | UNDERTOW |
| L-07 | REDIRECTION | 5 | TRIDENT |
| L-08 | HIJACK | 6 | HARVEST |
UNLEASHED Gate
| Mode | Flags | What It Does |
|---|
| Standard | (none) | Discovery and fingerprinting only. No active interference with servers. |
| Dry Run | --override | Simulates all techniques. 44 findings logged but not executed. Ed25519 required. |
| Live | --override --confirm-destroy | Full assessment. Active server interaction. ANTIDOTE not available. |
ANTIDOTE is NOT available for LEVIATHAN. Once agents have executed commands through a compromised MCP server, the damage is architectural. Restoration requires manual reconfiguration of MCP infrastructure and agent trust relationships.
CLI Reference
| Command | Description |
|---|
leviathan assess <target> | Full MCP server security assessment |
leviathan discover <target> | Discover MCP servers only (no assessment) |
leviathan version | Show version |
leviathan assess --override | UNLEASHED dry run (Ed25519 required) |
leviathan assess --override --confirm-destroy | UNLEASHED live (no ANTIDOTE) |
leviathan assess -p 3000,8080 | Custom port list |
leviathan assess -r <url> | Include registry enumeration |
leviathan assess -o report.json | Save report to file |
Integration
| Tool | Integration |
|---|
| IDRIS | LEVIATHAN uses IDRIS to discover MCP servers in the environment |
| ORION | ORION's reconnaissance can identify exposed MCP servers and their versions |
| NEMESIS | NEMESIS can incorporate LEVIATHAN as a weapon for MCP-layer assessment |
| HYDRA | HYDRA's supply chain analysis can be combined with LEVIATHAN for upstream poisoning |
| GLASS | GLASS can intercept MCP traffic to analyse protocols and prepare payloads |
| AI Shield M87 | M87 is the MCP Security Gateway — LEVIATHAN red-teams it |
Pipeline Position
Tool #27. Sits at the infrastructure trust layer, attacking the protocol agents rely on to function. Can be used before NEMESIS to give the reasoning engine a backdoor into all agent operations, or after IDRIS to pivot from discovery to control.
IDRIS discovers. LEVIATHAN subverts. NEMESIS exploits.