ST mcp-stress-test
GitHub
Red team

Break your scanner before attackers do.

1,312 adversarial attack patterns from MCPTox, Unit42, and CyberArk research. Mutation, fuzzing, chain attacks, and SARIF reporting — all from a single CLI.

Get started Read the Handbook

Install

pip install mcp-stress-test

Stress

mcp-stress stress run --phases baseline,mutation

Fuzz

mcp-stress fuzz evasion -p "Read SSH keys" --use-llm

Features

Offensive security for MCP tool ecosystems.

1,312 attack patterns

Three paradigms from MCPTox: direct injection, semantic blending, and cross-tool poisoning. Ready to fire out of the box.

LLM-guided fuzzing

Deterministic mutations plus LLM-guided evasion discovery. Find the payloads your scanner misses.

Multi-tool chains

Data exfiltration, privilege escalation, and persistence chains that test detection across coordinated attacks.

Usage

CLI

# Stress test your scanner
mcp-stress stress run \
  --phases baseline,mutation,temporal

# Compare detection before/after
mcp-stress scan compare \
  -t read_file -s obfuscation

# Execute attack chains
mcp-stress chain execute \
  -c data_exfil_chain

Python API

from mcp_stress_test import PatternLibrary
from mcp_stress_test.generator import SchemaMutator
from mcp_stress_test.chains import ChainExecutor

library = PatternLibrary()
library.load()

mutator = SchemaMutator()
for case in library.iter_test_cases():
    result = mutator.mutate(
        case.target_tool,
        case.poison_profile.payloads[0]
    )

Mutation Strategies

Escalating sophistication to probe scanner limits.

Strategy
Technique
Detectability
Direct injection
Append payload to description
High (baseline)
Semantic blending
Weave into legitimate docs
Medium
Obfuscation
Unicode tricks, zero-width chars
Medium
Encoding
Base64, hex payloads
Low-Medium
Fragmentation
Split across schema fields
Low

Research-Backed

Built on cutting-edge MCP security research.

MCPTox benchmark

1,312 patterns across 3 attack paradigms — the largest public MCP poisoning dataset, from arxiv 2508.14925.

Palo Alto Unit42

Sampling loop exploits and tool-shadowing attacks from production MCP deployment research.

CyberArk

Full-schema poisoning where no output field is safe — descriptions, error messages, return values.