Run a security scan from Claude Code
Connect the AuditWard MCP server to Claude Code, then ask the agent to audit a URL you own. One qa_test call runs a real Chromium QA pass and a security scan with pentest tooling. From there you poll status, pull screenshots and findings, then generate the PDF without leaving your terminal.
Add the MCP server to Claude Code.
Create an MCP token in the dashboard under Settings, API and MCP. The token shows once, so copy it right away. Then register the AuditWard server with Claude Code using the command below. After that the six AuditWard tools are available in any session.
```bash
claude mcp add auditward --transport http https://platform-api.auditward.com/mcp/ \
  --header "Authorization: Bearer YOUR_MCP_TOKEN"
```
Prefer OAuth?
Clients that support OAuth-based MCP connections can skip the manual token. Point them at https://platform-api.auditward.com/mcp/ and you will be redirected to AuditWard to sign in and approve access. AuditWard supports OAuth 2.0 client registration with the authorization-code flow and PKCE. Approved connections show up as revocable grants on your account.
Ask in plain language.
You do not call the tools by hand. Describe the target and what you care about, and Claude Code picks qa_test to kick off the scan. The call is asynchronous and returns a session id straight away, so the agent can keep working while the audit runs.
Run a security scan of https://staging.example.com with AuditWard.
Focus on TLS, security headers, and the login flow. When it finishes,
list the high and critical findings and generate the PDF report.

Under the hood, an LLM Planner reads the URL and your instructions and builds a checklist. An Explorer agent walks the site in a real Chromium browser while curl, testssl.sh, Nuclei, Nmap, Gobuster, nslookup, and WhatWeb probe the target. An Analyst then triages the evidence into confidence-scored, compliance-tagged findings.
Poll, answer, and pull evidence.
Once the scan is running, the agent moves through the same four tools every time. Check progress with qa_status, answer any paused questions with qa_provide_context, fetch evidence with qa_get_artifacts, and build the report with qa_report.
| Step | Tool | What happens |
|---|---|---|
| 01 | qa_test | Starts the combined QA and security scan and returns a session id right away. |
| 02 | qa_status | Polls progress, checklist state, and findings so far for the running session. |
| 03 | qa_provide_context | Answers any structured questions a paused scan asks, such as login credentials. |
| 04 | qa_get_artifacts | Returns presigned URLs for screenshots, video, and the report files. |
| 05 | qa_report | Generates the pentest-style PDF report once the session completes. |
| -- | qa_cancel | Cancels a running scan if you no longer need the result. |
Scans behind a login
If the target sits behind a login wall, the scan pauses and returns structured questions instead of guessing. Answer them with qa_provide_context from the agent, or fill them in from the dashboard, and the scan resumes. Your answers are KMS-encrypted before storage. Credential question and answer support is on Starter and above.
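The driver below is an added example, not AuditWard's or Claude Code's own code: it walks the qa_test, qa_status, qa_provide_context, qa_get_artifacts and qa_report sequence from the table, handles the login-wall pause described above, and runs against a constructed stand-in MCP client so it executes offline. Only the tool names and status words come from this page; FakeMcp, run_audit and every payload field name are assumptions.

```python
# Added example (not AuditWard's SDK): the five-step loop from the table above against a
# constructed MCP stand-in. Tool names follow the page; payload fields are assumptions.
class FakeMcp:
    """Constructed stand-in: pauses once for a login question, completes two polls later."""
    def __init__(self):
        self.calls, self.answered, self.polls = [], False, 0
    def call(self, tool, **args):
        self.calls.append(tool)
        if tool == "qa_test":
            return {"session_id": "sess-demo"}
        if tool == "qa_status":
            self.polls += 1
            if not self.answered:
                return {"status": "paused", "questions": [{"id": "q1", "prompt": "Login username?"}]}
            done = self.polls >= 3
            return {"status": "completed" if done else "running",
                    "findings": [{"severity": "high", "title": "Missing HSTS header"}] if done else []}
        if tool == "qa_provide_context":
            self.answered = "q1" in args["answers"]
            return {"ok": True}
        if tool == "qa_get_artifacts":
            return {"screenshots": ["https://example.invalid/shot-1.png"]}
        if tool == "qa_report":
            return {"pdf": "https://example.invalid/report.pdf"}
        if tool == "qa_cancel":
            return {"status": "cancelled"}
        raise ValueError(f"unknown tool {tool}")

def run_audit(mcp, url, instructions, answers, keep=("high", "critical"), sleep=lambda s: None):
    """Start, poll, answer paused questions only from `answers`, then collect findings, artifacts, report."""
    session = mcp.call("qa_test", url=url, instructions=instructions)["session_id"]
    for _ in range(20):  # bounded polling; cancel instead of spinning forever
        status = mcp.call("qa_status", session_id=session)
        if status["status"] == "paused":
            asked = {q["id"]: q["prompt"] for q in status["questions"]}
            missing = [p for i, p in asked.items() if i not in answers]
            if missing:  # no prepared answer: stop the scan rather than feed it a guess
                mcp.call("qa_cancel", session_id=session)
                raise RuntimeError(f"no answer prepared for: {missing}")
            mcp.call("qa_provide_context", session_id=session,
                     answers={i: answers[i] for i in asked})
        elif status["status"] == "completed":
            return {"findings": [f for f in status["findings"] if f["severity"] in keep],
                    "artifacts": mcp.call("qa_get_artifacts", session_id=session),
                    "report": mcp.call("qa_report", session_id=session)}
        elif status["status"] == "failed":
            raise RuntimeError("scan failed")
        sleep(2)
    mcp.call("qa_cancel", session_id=session)
    raise TimeoutError("scan did not finish")
```

Swapping FakeMcp for a real MCP client that exposes the same call(tool, **args) shape keeps run_audit unchanged; the answers dict is the only place credentials enter, so it should be populated from a secret store rather than hard-coded.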
What you get back.
The audit returns triaged findings rather than raw tool dumps. Each finding carries a severity, a confidence score, a written impact and remediation, and tags for the frameworks it touches. You also get the visual evidence and a report you can hand to a stakeholder.
Artifacts
qa_get_artifacts returns presigned URLs for annotated screenshots and video from the browser session, so the agent can cite exactly what it saw.
PDF report
qa_report generates a pentest-style PDF with findings, evidence, and remediation steps once the session completes.
Compliance tags
Findings are tagged per item to PCI DSS 4.0, SOC 2, GDPR, OWASP Top 10, HIPAA, and ISO 27001, so you can see which framework each issue maps to.
What to know before you run it.
AuditWard finds and evidences real issues fast, but it has clear edges. Read these before you point it at a target so the result matches what you expect.
Authorized public URLs only
Scans run against public URLs you are authorized to test, with the same DNS TXT domain verification and authorization audit trail as dashboard scans. The agent cannot reach localhost or internal hosts. The scanner respects robots.txt, rate limits itself, and honors the global opt-out registry.
Plan and quota
MCP access starts on Starter ($49/month). Scans started over MCP count against your plan quota the same as dashboard scans. The free Basic plan does not include MCP and shows only the first three findings per scan.
Not a manual pentest
AuditWard does not replace a manual penetration test, and it is not a PCI ASV scan. It complements that work by catching issues early and giving you evidence between engagements. It never runs denial-of-service tests, and takeover weaknesses are reported, never exploited.
It is QA too
The same run also QA-tests the site in a real browser, so broken flows, console errors, and UX defects show up alongside the security findings. One qa_test call covers both.
Common questions.
How do I run a pentest-style scan from Claude Code?
Add the AuditWard MCP server with the claude mcp add command, then ask the agent in plain language to scan a URL you control. It calls qa_test to start the run, polls qa_status, and generates the PDF with qa_report. Note that this complements a manual pentest; it does not replace one.
Do I have to call the MCP tools myself?
No. You describe the target and what you want checked, and Claude Code chooses the right tools. You can name a tool if you want precise control, but a natural-language request is enough to start, poll, and report on a scan.
Can the agent scan a site behind a login?
Yes. When the scan hits a login wall it pauses and returns structured questions. Answer them with qa_provide_context or in the dashboard and the scan resumes. Your answers are KMS-encrypted before storage. This is available on Starter and above.
What does the security scan actually run?
It drives a real Chromium browser for QA and runs curl, testssl.sh, Nuclei, Nmap, Gobuster, nslookup, and WhatWeb against the target. An Analyst then turns the evidence into triaged, confidence-scored findings tagged to PCI DSS 4.0, SOC 2, GDPR, OWASP Top 10, HIPAA, and ISO 27001.
Is this an ASV or PCI-certified scan?
No. AuditWard is not a PCI Approved Scanning Vendor and the scan is not certified. It helps you find and evidence issues, including ones mapped to PCI DSS 4.0, but it does not make you compliant on its own.