Mergen — AI-Powered Red Team MCP Server

Autonomous Penetration Testing via Model Context Protocol

AI-native MCP server that gives Claude, Cursor, Antigravity and any MCP-compatible agent full penetration testing capabilities — autonomous planning, adaptive execution, and professional reporting across 44+ security tools.

Architecture • Installation • AI Agent Setup • MCP Commands • Tool Arsenal • API Reference • Troubleshooting

---

Architecture Overview

Mergen BETA features a multi-layer architecture combining a FastAPI backend, an adaptive AI attack engine, and a plugin system with automatic discovery.

graph TD
    A[AI Agent - Claude / Cursor / GPT] -->|MCP Protocol - stdio or SSE| B[mergen_mcp.py - MCP Proxy]
    B -->|HTTP REST| C[server.py - FastAPI Core]

    C --> D[AI Attack Engine]
    C --> E[Process Manager]
    C --> F[Memory Engine]

    D --> G[TargetProfiler]
    D --> H[KillChainBuilder - 41 chains]
    D --> I[AdaptiveExecutionEngine]

    F --> J[Operation History]
    F --> K[Learning Database]
    F --> L[Recon Cache - TTL]

    C --> M[Plugin Manager - 44 tools]
    M --> N[Recon Plugins]
    M --> O[Web Security Plugins]
    M --> P[Exploit Plugins]
    M --> Q[Binary Analysis Plugins]

    C --> R[Correlation Engine]
    C --> S[Defense Detector]
    C --> T[Playbook Selector]

    C --> U[Dashboard - WebSocket]
    C --> V[SQLite - sessions.db]

    style A fill:#4a0000,color:#fff
    style B fill:#6a0000,color:#fff
    style C fill:#8b0000,color:#fff
    style D fill:#333,color:#fff
    style M fill:#333,color:#fff

Loading

How It Works

1. Agent Connection — Claude, Cursor, or any MCP-compatible agent connects via the stdio or SSE transport.
2. Target Profiling — TargetProfiler classifies the target (IP, domain, URL, CIDR) and identifies the technology stack.
3. Kill Chain Selection — KillChainBuilder selects from 41 predefined attack chains based on target type and operator mode.
4. Adaptive Execution — AdaptiveExecutionEngine runs tools in sequence, updating the plan dynamically as results arrive.
5. Correlation — The correlation engine normalizes findings from multiple tools and assigns unified risk scores.
6. Reporting — Results are persisted in SQLite and exported as HTML, JSON, or CSV.

---

Installation

Requirements

Requirement	Version
Operating System	Kali Linux (recommended), Debian/Ubuntu
Python	3.10+
Disk Space	~2 GB with all tools installed
RAM	2 GB minimum, 4 GB recommended

Automated Installation

git clone https://github.com/g4sk0/mergen-mcp.git
cd mergen-mcp
sudo bash install.sh

install.sh handles everything automatically:

• Creates a Python virtual environment
• Installs all Python dependencies from requirements.txt
• Installs 36+ security tools via apt
• Registers the mergen command on system PATH
• Optionally creates a systemd service for persistent operation

Manual Installation

git clone https://github.com/g4sk0/mergen-mcp.git
cd mergen-mcp

python3 -m venv venv
source venv/bin/activate

pip install -r requirements.txt

python server.py

Starting the Server

# Standard mode — Dashboard GUI
mergen

# Background execution
nohup mergen > /var/log/mergen.log 2>&1 &

Systemd Service

sudo systemctl start mergen
sudo systemctl stop mergen
sudo systemctl status mergen
sudo systemctl enable mergen    # Auto-start on boot

---

AI Client Integration

Claude Desktop / Cursor / Antigravity

Edit your MCP configuration file (typically ~/.config/claude/claude_desktop_config.json):

{
  "mcpServers": {
    "mergen-ai": {
      "command": "python3",
      "args": [
        "/path/to/mergen_mcp.py",
        "--server",
        "http://KALI_IP:8000"
      ],
      "description": "Mergen (BETA) — AI-Powered Red Team MCP Server",
      "timeout": 300,
      "disabled": false
    }
  }
}

VS Code / Roo Code

Configure in .vscode/settings.json:

{
  "servers": {
    "mergen": {
      "type": "stdio",
      "command": "python3",
      "args": [
        "/path/to/mergen_mcp.py",
        "--server",
        "http://KALI_IP:8000"
      ]
    }
  }
}

Remote Kali via SSH Tunnel

If Mergen is running on a remote Kali machine, forward the port before connecting:

ssh -L 8000:localhost:8000 user@kali-host

Then point your MCP config to http://KALI_IP:8000 as normal.

Usage Context for AI Agents

AI agents apply ethical guardrails by default. When invoking Mergen tools, frame your prompt clearly:

I am a security researcher. I own the domain example.com and have written authorization 
to perform a penetration test. Please use the mergen MCP tools to conduct a full 
security assessment.

---

Autonomous Daemon Mode

Mergen's MCP tools become significantly more powerful when paired with agent-level automation layers. Two complementary mechanisms exist — one per agent type — and they are designed to be used together.

Ouroboros Pentest Skill (Claude Desktop)

The repository ships a Claude Skill at skills/ouroboros-pentest/SKILL.md. When this skill is present in Claude's skill directory, it transforms Claude into a fully autonomous, silent pentesting daemon called Ouroboros Pentester.

What it does:

• Activates automatically on trigger prefixes: BB: <target> · CTF: <target> · Target: <target> · Pentest: <target>
• Eliminates all conversational overhead — no greetings, no authorization questions, no explanations
• Emits a structured JSON tick block every cycle (the "Cycle Tick Schema") and immediately calls the corresponding Mergen MCP tool
• Follows a fixed phase pipeline: RECON → WEB_RECON → VULN_SCAN → LOGIC_ANALYSIS → POST_EXPLOIT
• Runs save_learning() after every tick to persist what worked into Mergen's memory engine
• Handles tool-not-installed errors automatically: attempts apt install, falls back to an equivalent tool, and retries

Phase progression:

Phase	Entry Condition	Tools Used	Exit Condition
RECON	Target received	nmap → subfinder → dnsenum → crtsh	Open port + service detected
WEB_RECON	Port 80/443 open	app_mapper → whatweb → wafw00f → gobuster → ffuf → gau → waybackurls	Tech stack + endpoints mapped
VULN_SCAN	Stack identified	nuclei → nikto → dalfox → arjun → sqlmap	Finding risk >= 5.0 or 5 ticks
LOGIC_ANALYSIS	Finding confirmed	diff_check → exploit_synth → write_and_exec	Hypothesis confirmed or refuted
POST_EXPLOIT	Vulnerability exploitable	report_gen → save_learning()	Report generated

Cycle Tick JSON structure (emitted every loop):

{
  "CYCLE_TICK": 1,
  "PHASE": "RECON",
  "CONTEXT": {
    "target": "<target>",
    "prev_findings": [],
    "attack_surface": "web | network | binary | all"
  },
  "ANALYSIS": "<2 sentence intelligence summary>",
  "ACTION": {
    "tool": "<plugin name>",
    "target": "<target>",
    "options": {},
    "session": "<session-slug>"
  },
  "WEB_SEARCH": "<CVE / version / exploit query>",
  "HYPOTHESIS_0DAY": "<If A + B then C — test with tool>",
  "DB_SAVE": {
    "tech": "",
    "open_ports": [],
    "hypothesis": ""
  },
  "STATUS": "RUNNING | BLOCKED | PHASE_COMPLETE | TARGET_PWNED | EXHAUSTED"
}

Install the skill by placing the skills/ directory under Claude's configured skills path, then reload Claude. No further configuration is needed.

Usage:

BB: target.com

Claude immediately begins CYCLE_TICK 1 with no acknowledgement, no prompt, calling Mergen MCP tools in sequence until STATUS: TARGET_PWNED or STATUS: EXHAUSTED.

---

Ouroboros Rule (Antigravity)

When using Mergen via Antigravity (Google DeepMind's agentic coding assistant), the same Ouroboros Pentester daemon is applied as a User Rule via the antigravity_rule.md file. The content is identical to the Claude skill — same persona, same JSON tick schema, same phase pipeline, same tool bindings, same blocker protocol. The only difference is how it is loaded: as a User Rule in Antigravity's settings rather than a skill file in Claude's skill directory.

How to install:

Add the contents of antigravity_rule.md as a User Rule in Antigravity's settings panel. No other configuration is needed.

Behavior after activation:

• Triggers on: BB: <target> · CTF: <target> · Target: <target> · Pentest: <target>
• Activates the Ouroboros Pentester persona — silent, autonomous, JSON-first
• Emits a Cycle Tick JSON block and immediately calls the corresponding Mergen MCP tool, with no acknowledgement or greeting
• Follows the full phase pipeline: RECON → WEB_RECON → VULN_SCAN → LOGIC_ANALYSIS → POST_EXPLOIT
• Calls save_learning() after every tick; handles missing tools automatically via apt install and fallbacks
• Runs until STATUS: TARGET_PWNED, STATUS: EXHAUSTED, or explicit ABORT

How it interacts with Mergen:

Once the rule is active, a single trigger causes Antigravity to autonomously drive Mergen's entire tool chain — recon, web enumeration, vuln scanning, exploitation, PoC execution, and report generation — without any further user input.

---

Recommended Combined Setup

For maximum autonomy, run both layers simultaneously:

Agent	Automation Layer	Effect
Claude Desktop	Ouroboros Pentest Skill	Silent daemon loop with structured JSON cycle ticks
Antigravity	Ouroboros Loop Rule	Continuous chain execution with self-invented task progression
Both	Mergen MCP Server	44 tools, memory engine, correlation, reporting backend

Typical workflow:

1. Start the Mergen server on your Kali machine
2. Connect your AI client (Claude or Antigravity) via mcp_config.json
3. Send a single trigger: BB: target.com or Target: 10.10.10.5
4. The agent autonomously runs the full kill chain — recon, web enumeration, vuln scanning, exploitation, report generation
5. Retrieve the session report from the Dashboard or via GET /api/sessions/{session}/report

The two automation layers are independent but complementary. The skill controls how the agent thinks and structures its output; the rule controls whether the agent stops between tasks. Together they eliminate all manual prompting across the entire engagement.

---

MCP Tool Reference

All tools below are exposed directly to the AI agent via the MCP protocol.

Autonomous Attack

Tool	Description
adaptive_attack(target, mode)	Fully autonomous: recon → profiling → strategy selection → execution → report
plan_attack(target, mode, objective)	Generate a step-by-step attack plan without executing it
execute_plan(target, mode, max_steps)	Execute a previously generated or on-the-fly plan
elite_hunt(target, mode, report_format)	6-layer pipeline: 41 kill chains, AI playbook selection, dual reporting
smart_recon(target)	Automated reconnaissance workflow (ports, services, HTTP fingerprint)
vuln_analysis(target)	Vulnerability analysis via Nuclei, Nikto, and SearchSploit

Mode values: ctf · bugbounty · pentest · stealth · internal · default

Individual Tool Execution

# Run any of the 44 registered plugins
run_tool("nmap", "TARGET_IP", options='{"mode": "stealth"}')
run_tool("nuclei", "http://target.com")
run_tool("sqlmap", "http://target.com/login?id=1")
run_tool("gobuster", "http://target.com", options='{"wordlist": "/usr/share/wordlists/dirb/common.txt"}')

Exploit Assistance

exploit_assist(target="TARGET_IP", service="vsftpd", version="2.3.4")

Queries SearchSploit and returns ready-to-run exploit commands for the detected service version.

Intelligence and Memory

get_attack_context(target="target.com", objective="find_vulnerabilities")
get_memory(tech_stack="Laravel,PHP")
save_learning(vuln_type="SQLi", success=True, tech_stack="MySQL", payload="' OR 1=1--")
get_session_report(session="engagement-01")

Job and Process Management

get_job_output(job_id="abc123")    # Poll background job until status='done'
kill_job_mcp(job_id="abc123")      # Terminate a running job
run_command("cat /etc/passwd")     # Execute raw shell command
write_and_exec(
    filename="exploit.py",
    content="import socket\n...",
    command="python3 exploit.py"
)

---

Security Tool Arsenal

44 plugins organized by category. Every tool accepts a mode parameter: ctf · bugbounty · pentest · stealth · internal · default.

Reconnaissance and Mapping (12 Tools)

Tool	Description
nmap	Advanced port scanning with stealth, aggressive, and vuln script modes
rustscan	Ultra-fast port scanner used as a Nmap pre-stage
masscan	Internet-scale port scanning
subfinder	Passive subdomain discovery
amass	Comprehensive domain recon (active + passive)
fierce	DNS zone transfer and subdomain brute-force
httpx	HTTP/HTTPS service detection and fingerprinting
whatweb	Web technology identification (CMS, framework, version)
wafw00f	WAF detection and fingerprinting
dnsenum	DNS enumeration
crtsh	Subdomain discovery via certificate transparency logs
app_mapper	Application surface mapping and analysis

Web Application Security (10 Tools)

Tool	Description
gobuster	Directory, file, and subdomain brute-force
ffuf	Fast web fuzzer — directories, parameters, vhosts
dirsearch	Web path discovery
feroxbuster	Recursive content discovery
nuclei	Template-based vulnerability scanner (10,000+ templates)
nikto	Web server configuration auditing
wpscan	WordPress security scanner
katana	JavaScript-aware web crawler
dalfox	XSS detection and exploitation
arjun	HTTP parameter discovery

Passive Intelligence (3 Tools)

Tool	Description
gau	URL collection from Archive.org and other sources
waybackurls	Historical URL discovery from Wayback Machine
trufflehog	Secret and credential detection in Git repositories

Exploitation (6 Tools)

Tool	Description
sqlmap	Automatic SQL injection detection and exploitation
hydra	Network service brute-force (50+ protocols)
netexec	SMB/WinRM/SSH network exploitation framework
responder	LLMNR/NBT-NS/mDNS poisoning and hash capture
searchsploit	Exploit-DB database search
metasploit	Metasploit Framework integration
exploit_synth	AI-assisted exploit synthesis

Password Cracking (2 Tools)

Tool	Description
john	John the Ripper — password hash cracking with custom rules
hashcat	GPU-accelerated hash cracking (300+ hash types)

Enumeration (2 Tools)

Tool	Description
enum4linux	SMB/Samba user, group, and share enumeration
smbmap	SMB share access mapping

Binary Analysis and Reverse Engineering (6 Tools)

Tool	Description
binwalk	Firmware and binary file analysis and extraction
strings	Printable string extraction from binaries
checksec	Binary security property checker
ghidra	NSA software reverse engineering suite (headless mode)
radare2	Advanced binary analysis framework
pwntools	CTF exploit development library

Reporting and Analysis (3 Tools)

Tool	Description
report_gen	HTML/JSON/CSV report generator
diff_check	Change detection and comparison
coverage_matrix	MITRE ATT&CK coverage mapping

---

Plugin Development

Any .py file placed in the plugins/ directory is automatically discovered on server start — no registration required.

from plugins.base import BasePlugin, ToolResult

class MyToolPlugin(BasePlugin):
    name = "mytool"
    description = "Custom tool description"
    category = "recon"  # recon, web, exploit, binary, passive, enum, cracking

    def is_available(self) -> bool:
        import shutil
        return shutil.which("mytool") is not None

    async def run(self, target: str, options: dict) -> ToolResult:
        mode = options.get("mode", "default")
        cmd = ["mytool", "-t", target]

        result = await self.execute(cmd)
        findings = self.parse_output(result.stdout)

        return ToolResult(
            tool=self.name,
            target=target,
            success=result.returncode == 0,
            findings=findings,
            risk_score=self.calculate_risk(findings),
            raw_output=result.stdout,
        )

---

Dashboard GUI

Access the web dashboard at:

http://<KALI_IP>:8000/dashboard

Tab	Description
Operations	Live job tracking with real-time terminal output. Kill any job instantly.
Plugins	All 44 plugins, their categories and installation status
Sessions	Full scan history and findings. Download HTML reports per session.
System	Real-time CPU and RAM usage via WebSocket

---

API Reference

Core Endpoints

Method	Endpoint	Description
GET	/api/plugins	List all plugins with availability status
POST	/api/tools/execute	Run a tool synchronously
POST	/api/tools/execute_async	Run a tool in background, returns job_id
GET	/api/jobs	List all active and completed jobs
GET	/api/jobs/{job_id}	Get job details and output
DELETE	/api/jobs/{job_id}	Terminate a running job
POST	/api/command	Execute raw shell command
POST	/api/write_and_exec	Write file to disk and execute

Session and Reporting

Method	Endpoint	Description
GET	/api/sessions	List all sessions
GET	/api/sessions/{session}	Get all findings for a session
GET	/api/sessions/{session}/report	Download HTML report
GET	/api/sessions/{session}/report/json	Download JSON report
GET	/api/sessions/{session}/report/csv	Download CSV report

Memory and Intelligence

Method	Endpoint	Description
GET	/api/memory	Full operation history
POST	/api/memory/learn	Record a successful technique
GET	/api/memory/learnings	Retrieve all recorded learnings
GET	/api/memory/playbook/{tech}	Get attack playbook for a technology
GET	/api/system	Real-time system metrics (CPU, RAM)

---

Attack Mode Profiles

Mode	Noise Level	Speed	Focus
ctf	High	Fast	Exploit, binary, web exploitation
bugbounty	Low	Moderate	Passive recon, subdomain, API, IDOR
pentest	Moderate	Moderate	Full coverage, internal and external
stealth	Very Low	Slow	Evasion, minimal footprint
internal	High	Fast	Active Directory, SMB, lateral movement
default	Moderate	Moderate	General-purpose

---

Project Structure

mergen/
├── server.py                  # Core server — FastAPI + MCP integration
├── mergen_mcp.py              # MCP proxy client for AI agents
├── install.sh                 # Automated installer
├── requirements.txt           # Python dependencies
├── mcp_config.example.json    # AI client configuration template
│
├── server/
│   ├── attack_planner.py      # TargetProfiler, KillChainBuilder, AdaptiveExecutionEngine
│   ├── process_manager.py     # Background job manager
│   ├── memory.py              # Operation memory and learning engine
│   ├── correlation_engine.py  # Multi-tool finding correlation
│   ├── defense_detect.py      # WAF/IDS/CDN detection
│   ├── playbook_selector.py   # AI-driven playbook selection
│   ├── playbooks.py           # Attack playbook database
│   ├── mode_profiles.py       # Mode profile definitions
│   ├── reporter.py            # HTML/JSON/CSV report generator
│   ├── web_intel.py           # Web intelligence and priority hints
│   └── coverage_matrix.py     # MITRE ATT&CK mapping
│
├── plugins/                   # 44 tool plugins (auto-discovered)
│   ├── base.py                # BasePlugin and ToolResult classes
│   ├── __init__.py            # Plugin discovery engine
│   └── *.py                   # Individual tool plugins
│
├── dashboard/
│   └── index.html             # Single-page app (WebSocket-enabled)
│
└── data/
    └── sessions.db            # SQLite — findings, operations, learnings

---

Technology Stack

Component	Technology	Purpose
Language	Python 3.10+	Core runtime
Web Framework	FastAPI 0.111+	REST API and WebSocket server
ASGI Server	Uvicorn 0.29+	Production-grade async server
MCP Runtime	MCP SDK 1.0+	Model Context Protocol integration
Database	SQLite + aiosqlite	Findings, operations, learnings
Async HTTP	aiohttp 3.9+	Outbound HTTP requests
Real-time	websockets 12.0+	Live dashboard updates
System Metrics	psutil 5.9+	CPU and memory monitoring
Async I/O	anyio 4.3+	Async abstraction layer

---

Troubleshooting

Plugins not appearing in the dashboard?

# Check plugins/ directory contains .py files
ls /opt/mergen/plugins/*.py

# Restart the server to trigger auto-discovery
sudo systemctl restart mergen

Tool not found error?

# Install the missing tool
sudo apt install <tool-name>

# Or re-run the full installer
sudo bash /opt/mergen/install.sh

AI agent cannot connect?

# Verify the server is reachable
curl http://<KALI_IP>:8000/api/plugins

# Check your mcp_config.json path is correct
cat ~/.config/claude/claude_desktop_config.json

# If using a remote Kali host, ensure the SSH tunnel is active
ssh -L 8000:localhost:8000 user@kali-host

Database errors?

rm /opt/mergen/data/sessions.db
sudo systemctl restart mergen

---

Legal and Ethical Use

This tool is designed exclusively for authorized security testing.

Permitted use:

• Penetration testing with written authorization
• Bug bounty programs within defined scope
• CTF competitions and lab environments
• Security research on owned or authorized systems
• Red team exercises with organizational approval

Prohibited use:

• Testing systems without explicit written permission
• Any unauthorized access or data exfiltration
• Malicious or illegal activities of any kind

The authors bear no responsibility for unauthorized or illegal use of this software.

---

Contributing

Contributions are welcome from the security and AI community.

# Fork and clone
git clone https://github.com/g4sk0/mergen-mcp.git
cd mergen-mcp

# Set up development environment
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Run the development server
python server.py

Priority contribution areas:

• New tool plugin integrations
• Attack playbook additions
• Performance and caching improvements
• Documentation and usage examples
• Test coverage

---

License

MIT License — see LICENSE for details.

---

Mergen — from Turkish, meaning wise or skilled.

Star this repository • Report an issue • Contribute