Wraps OWASP ZAP in an MCP interface so agents can run web security scans without writing glue scripts. Ships with Docker Compose for self-hosting and includes guided tools for spider, active scan, passive scan, API imports, and report generation, plus lower-level ZAP context and user controls when you need them. Uses API key or JWT auth by default, enforces rate limits, validates URLs to block private networks, and stores scan history in Postgres for multi-replica deployments. Reach for this when you want Claude to orchestrate security testing workflows against authorized targets under operator guardrails rather than with full ZAP API access.
claude mcp add --transport stdio dtkmn-mcp-zap-server uvx mcp-zap-server