decoy-redteam
v0.4.1
Published
Autonomous red team tool for MCP servers. Finds exploitable vulnerabilities before attackers do.
Maintainers
ad30joneReadme
Autonomous red team for MCP servers. Finds exploitable vulnerabilities before attackers do. Zero dependencies. Zero setup.
Works with: Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, Cline
🚀 Get Started
npx decoy-redteam # Dry-run — show attack plan
npx decoy-redteam --live # Execute attacks against your MCP serversDecoy Red Team connects to every MCP server on your machine, sends adversarial payloads to their tools, and reports what's exploitable. Not a scanner — an attacker.
🧑💻 Install
No install required — run directly with npx. Requires Node.js 18+.
Or pin it in your CI:
- name: Red team MCP servers
uses: decoy-run/decoy-redteam@v1
with:
target: my-server
token: ${{ secrets.DECOY_TOKEN }}
sarif: true🎓 Docs
🗂 What it tests
54 attack patterns across 6 categories:
| Category | What it tests | |----------|---------------| | Input injection | SQL injection, command injection, path traversal, SSRF, template injection | | Prompt injection | Instruction override, role hijack, indirect injection, encoding bypass, multi-turn | | Credential exposure | .env files, cloud credentials, SSH keys, git tokens, shell history | | Protocol attacks | Malformed JSON-RPC, capability escalation, replay attacks, method injection | | Schema boundary | Type coercion, null bytes, overflow, prototype pollution, NoSQL operators | | Privilege escalation | Scope escape, undeclared access, dotfile enumeration, argument smuggling |
Every finding maps to OWASP Top 10 for Agentic Applications 2026.
🛡 Safety
Dry-run by default. Running npx decoy-redteam without --live shows what would be tested without executing anything.
Confirmation required. --live prompts for explicit confirmation before executing. No --yes bypass flag.
Safe mode default. Live execution only runs read-only and protocol attacks. Destructive attacks require --live --full with an additional warning.
Browser-automation tools are skipped in safe mode. Tools matching browser_*, navigate, goto, open_url, open_browser, open_tab, open_page, open_window, take_screenshot, screenshot, or screencapture are excluded by default — otherwise SSRF URL payloads cause real browser windows to flicker open for each attack. Opt in with --full.
🛠 Usage
# Dry-run — show attack plan without executing anything
npx decoy-redteam
# Execute attacks against your MCP servers
npx decoy-redteam --live
# Target a specific server
npx decoy-redteam --live --target=my-server
# JSON output for scripting
npx decoy-redteam --live --json
# SARIF output for GitHub Security / CI
npx decoy-redteam --live --sarif
# Only test specific categories
npx decoy-redteam --live --category=input-injection,credential-exposureExit codes
| Code | Meaning | |------|---------| | 0 | No critical or high findings | | 1 | High-risk findings | | 2 | Critical findings |
🤖 Advanced AI-powered red team (paid plans)
Free decoy-redteam runs 54 deterministic attack patterns. The paid tiers on Decoy Guard (Team $29/user/mo, Business $99/user/mo) add:
- AI-adaptive attacks — LLM-generated payloads specific to your tool schemas
- Encoding bypass suite — 25+ encoding variants per injection vector
- Cross-server chain discovery — finds attack paths across multiple servers
- Exportable HTML reports — branded, print-ready security assessments
- Continuous red teaming — scheduled runs against your live MCPs
Run with --team --token=YOUR_TOKEN.
📚 Library
import {
discoverConfigs,
probeServers,
planAttacks,
executeAttacks,
buildStories,
calculateCoverage,
toSarif,
toJson,
ATTACKS,
ENCODINGS,
} from 'decoy-redteam';🚢 Release Notes
See the hosted changelog.
🤝 Contribute
See CONTRIBUTING.md.
🔗 Related
- decoy-scan — MCP vulnerability scanner (static analysis)
- decoy-tripwire — Tripwire detection for AI agents
- Decoy Guard — Dashboard, monitoring, threat intelligence
📝 License
MIT — see LICENSE.