MCP Server

Connect AI agents to StackShield using the Model Context Protocol. Your agent can manage checks, trigger scans, review findings, and resolve issues — all from within your development workflow.

What is MCP?

The Model Context Protocol (MCP) is an open standard that lets AI agents connect to external tools and data sources. Instead of manually copying data between your security dashboard and your AI assistant, MCP lets the agent interact with StackShield directly.

When you connect StackShield's MCP server to your agent, the agent automatically discovers all available capabilities — it can list your domains, trigger scans, read test results, resolve issues, and more. No extra configuration or prompt engineering needed.

Supported Agents

Any MCP-compatible agent can connect, including:

  • Claude Code (Anthropic's CLI)
  • Claude Desktop
  • Cursor
  • Windsurf
  • VS Code (with Copilot MCP extension)
  • Any agent that supports remote MCP servers via HTTP

How Discovery Works

When an agent connects to the MCP server, it automatically discovers all available tools, resources, and prompts through the MCP protocol handshake. The agent receives:

  • The name and description of every tool
  • The parameter schema for each tool (types, required fields, allowed values)
  • Tool annotations (which tools are read-only, which are destructive)
  • Available resources and prompt templates

You don't need to describe the tools to your agent — it already knows what's available and how to use each one.

Setup

Prerequisites

  • A StackShield account on the Professional or Business plan
  • A team API key (generate one from Team Settings)

Server URL

The MCP server endpoint is:

https://stackshield.io/mcp

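Authentication uses a Bearer token — the same API key you use for the REST API. Agents that support headers should pass Authorization: Bearer YOUR_API_KEY. Alternatively, you can pass the key as an api_key query parameter; prefer the header where your agent supports it, because URLs and their query strings are commonly recorded in proxy and server logs.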

Claude Desktop

Add the following to your claude_desktop_config.json:

{
  "mcpServers": {
    "stackshield": {
      "url": "https://stackshield.io/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Config file location:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Claude Code

Add the server from the command line:

claude mcp add --transport http stackshield "https://stackshield.io/mcp" \
  --header "Authorization: Bearer YOUR_API_KEY"

Or add it to your project's .mcp.json:

{
  "mcpServers": {
    "stackshield": {
      "type": "http",
      "url": "https://stackshield.io/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Cursor

Add to your .cursor/mcp.json in your project root:

{
  "mcpServers": {
    "stackshield": {
      "url": "https://stackshield.io/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

VS Code

Add to your .vscode/mcp.json:

{
  "servers": {
    "stackshield": {
      "type": "http",
      "url": "https://stackshield.io/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Keep your API key secret

Do not commit MCP config files containing API keys to version control. Add .mcp.json, .cursor/mcp.json, and .vscode/mcp.json to your .gitignore.
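One way to check this before committing, as an added example that is not StackShield's code: it parses the three project-level config files named above, flags any literal key in an Authorization header or api_key query parameter, and reports the files git does not ignore. Treating YOUR_* placeholders and ${...} references as non-secrets is an assumption, and the sample key is constructed.

```python
import json
import re
import subprocess
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Project-level config files named on this page.
CONFIG_PATHS = [".mcp.json", ".cursor/mcp.json", ".vscode/mcp.json"]
# Assumption: YOUR_* placeholders and ${...} references are not real secrets.
NOT_A_SECRET = re.compile(r"^(YOUR_[A-Z_]+|\$\{[^}]+\})$")
# Constructed sample config; the key value is made up.
SAMPLE = {"mcpServers": {"stackshield": {
    "url": "https://stackshield.io/mcp",
    "headers": {"Authorization": "Bearer constructed-key-123"}}}}

def find_embedded_keys(config):
    """Return 'server: location' for each literal credential in an MCP config."""
    findings = []
    # Claude Code and Cursor use "mcpServers"; VS Code uses "servers".
    servers = {**config.get("mcpServers", {}), **config.get("servers", {})}
    for name, entry in servers.items():
        auth = entry.get("headers", {}).get("Authorization", "")
        token = auth.removeprefix("Bearer ").strip()
        if token and not NOT_A_SECRET.match(token):
            findings.append(f"{name}: Authorization header")
        query = parse_qs(urlsplit(entry.get("url", "")).query)
        if any(not NOT_A_SECRET.match(v) for v in query.get("api_key", [])):
            findings.append(f"{name}: api_key query parameter")
    return findings

def is_git_ignored(rel_path, repo="."):
    """True if git ignores rel_path (git check-ignore -q exits 0 when ignored)."""
    cmd = ["git", "-C", repo, "check-ignore", "-q", rel_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def audit(repo="."):
    """List config files that hold a literal key and are not ignored by git."""
    problems = []
    for rel in CONFIG_PATHS:
        path = Path(repo) / rel
        if path.is_file() and not is_git_ignored(rel, repo):
            for finding in find_embedded_keys(json.loads(path.read_text())):
                problems.append(f"{rel}: {finding} (not git-ignored)")
    return problems

if __name__ == "__main__":
    print(find_embedded_keys(SAMPLE))
    print("\n".join(audit()) or "no exposed keys in this repository")
```

Run it from the repository root, for example as a pre-commit step; it needs git on the PATH.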

Available Tools

The MCP server exposes 16 tools organized into five groups. Your agent discovers these automatically on connection. Tools annotated as read-only only retrieve data. Destructive tools may prompt for confirmation in your agent.

Checks (Monitored Domains)

| Tool | Description | Type |
|------|-------------|------|
| list_checks | List all monitored domains with optional filtering and sorting | Read |
| get_check | Get detailed info about a domain including schedule and latest scan | Read |
| create_check | Add a new domain to monitor | Write |
| update_check | Update check settings (schedule, tests, active status) | Write |
| delete_check | Remove a monitored domain | Destructive |

Scans

| Tool | Description | Type |
|------|-------------|------|
| list_scans | List scans with filters by check, status, and critical issues | Read |
| get_scan | Get scan status and all individual test results | Read |
| trigger_scan | Start a new security scan for a domain | Write |

Scan Tests

| Tool | Description | Type |
|------|-------------|------|
| get_scan_test | Get detailed test result with findings, remediation steps, and technical details | Read |

Issues

| Tool | Description | Type |
|------|-------------|------|
| list_issues | List issues with filters (severity, status, domain, test type, search) | Read |
| get_issue | Get issue details with related scans | Read |
| resolve_issue | Mark an issue as resolved with optional notes | Write |
| unresolve_issue | Re-open a resolved issue | Write |
| bulk_resolve_issues | Resolve or unresolve multiple issues at once | Write |
| export_issues_csv | Export all issues as CSV text | Read |

Dashboard

| Tool | Description | Type |
|------|-------------|------|
| get_dashboard_stats | Security posture overview: domains, active scans, priority issues, domains at risk | Read |
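A client-side gate built on the read-only and destructive annotations described above, as an added example that is not StackShield's code. It uses the MCP annotation fields readOnlyHint and destructiveHint; the annotation values in the sample are assumptions about what the server advertises, and export_everything is a made-up name for a tool the server never listed.

```python
# Constructed sample: part of a tools/list result using tool names from this page.
# The annotation values are assumptions about what the server advertises.
SAMPLE_TOOLS = [
    {"name": "list_checks", "annotations": {"readOnlyHint": True}},
    {"name": "trigger_scan",
     "annotations": {"readOnlyHint": False, "destructiveHint": False}},
    {"name": "delete_check",
     "annotations": {"readOnlyHint": False, "destructiveHint": True}},
    {"name": "bulk_resolve_issues"},  # annotations left out on purpose
]


def classify(tool):
    """Map MCP tool annotations to 'read', 'write' or 'destructive'."""
    hints = tool.get("annotations") or {}
    if hints.get("readOnlyHint", False) is True:
        return "read"
    # The MCP specification treats a missing destructiveHint as true,
    # so an unannotated tool falls into the strictest class.
    if hints.get("destructiveHint", True) is not False:
        return "destructive"
    return "write"


def build_policy(tools):
    """Return {tool name: class} for every tool the server advertised."""
    return {tool["name"]: classify(tool) for tool in tools}


def authorize(policy, tool_name, confirmed=False, allow_writes=False):
    """Decide whether the client may send a tools/call for tool_name."""
    kind = policy.get(tool_name)
    if kind is None:
        return False          # never advertised: refuse
    if kind == "read":
        return True
    if kind == "write":
        return allow_writes or confirmed
    return confirmed          # destructive: explicit confirmation every time


if __name__ == "__main__":
    policy = build_policy(SAMPLE_TOOLS)
    for name in ("list_checks", "trigger_scan", "delete_check", "export_everything"):
        print(name, policy.get(name), authorize(policy, name, allow_writes=True))
```

Annotations are hints supplied by the server, so the gate classifies anything unannotated as destructive rather than trusting the absence of a flag.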

Resources

MCP resources are read-only data your agent can pull at any time. They're useful for giving the agent background context without explicitly calling a tool.

| URI | Description |
|-----|-------------|
| stackshield://checks | All monitored domains with their active status and latest scan results |
| stackshield://issues/critical | All unresolved critical and high severity security issues |
| stackshield://stats | Dashboard statistics: total domains, active scans, priority issues, domains at risk |

Prompts

MCP prompts are pre-built templates your agent can use to perform common multi-step workflows. They guide the agent through a sequence of tool calls to produce a useful result.

security_review

Reviews the security posture of a domain and provides actionable recommendations.

| Argument | Required | Description |
|----------|----------|-------------|
| domain | Yes | The domain to review (e.g. "example.com") |

The agent will look up the check, list all unresolved issues, and produce a prioritized remediation plan grouped by severity.

scan_report

Generates a comprehensive report of the latest security scan for a domain.

| Argument | Required | Description |
|----------|----------|-------------|
| domain | Yes | The domain to report on (e.g. "example.com") |

The agent will retrieve the latest scan, inspect each failed test, and produce a structured report with executive summary, detailed findings, and next steps.

Example Conversations

Here are examples of what you can ask your agent once StackShield is connected.

Check your security posture

You:

"What's the security status of my domains?"

The agent will:

  1. Call get_dashboard_stats to get the overview
  2. Call list_issues with status=unresolved and severity=critical
  3. Summarize your posture and highlight anything urgent

Scan and review a domain

You:

"Run a security scan on example.com and tell me what failed"

The agent will:

  1. Call list_checks to find the check for example.com
  2. Call trigger_scan to start the scan
  3. Poll get_scan until the scan completes
  4. Call get_scan_test for each failed test to get findings and fixes
  5. Present a summary of what failed and how to fix each issue

Resolve issues in bulk

You:

"I've fixed all the SSL issues, mark them as resolved"

The agent will:

  1. Call list_issues with test_type=ssl_certificate and status=unresolved
  2. Call bulk_resolve_issues with all the matching issue IDs
  3. Confirm how many issues were resolved

Add a new domain

You:

"Add staging.example.com with daily scans and all tests enabled"

The agent will:

  1. Call create_check with the domain, DAILY frequency, and all tests set to true
  2. Confirm the check was created and show the schedule

Authentication & Security

  • API key required — every MCP connection must include a valid team API key
  • Team scoped — all data is automatically scoped to the team that owns the API key. You cannot access other teams' data.
  • Plan gated — MCP access requires the Professional or Business plan. Free trial teams receive a 403 error.
  • Same key as REST API — your existing API key works for both the REST API and MCP server

Troubleshooting

Agent can't connect

  • Verify your API key is correct and active in Team Settings
  • Check that your team is on the Professional or Business plan
  • Ensure the URL includes the full path: https://stackshield.io/mcp
  • Test the connection with the MCP Inspector: npx @modelcontextprotocol/inspector "https://stackshield.io/mcp" --header "Authorization: Bearer YOUR_KEY"

Tools not appearing

  • Restart your agent after adding the MCP configuration
  • Check the agent's MCP logs for connection errors
  • In Claude Desktop: Settings > Developer > MCP Servers to see connection status

"Does not belong to your team" errors

All data is team-scoped. If you're getting ownership errors, make sure the check, scan, or issue ID belongs to the team associated with your API key.