What does Ferrok scan for?

Ferrok scans MCP server configurations for tool poisoning, excessive permissions, schema validation issues, and transport security risks. Every finding maps to the OWASP MCP Top 10 framework.

How much does Ferrok cost?

Ferrok offers a free tier with 100 scans per month. Paid plans start at $9/month (Starter, 500 scans) and $29/month (Pro, 5,000 scans). Enterprise pricing is custom.

Sign up for a free API key, then POST your MCP server configuration JSON to the /v1/scan endpoint. You receive a structured report with a 0-100 security score, letter grade, pass/fail verdict, and detailed findings.

v1.0 Live — Full OWASP MCP Top 10 Coverage

Stop shipping vulnerable MCP servers to production.

Ferrok is an API-first security scanner for Model Context Protocol. One API call finds tool poisoning, excessive permissions, and supply chain risks before your AI agents go live.

Get Your API Key — Free Read the Docs

terminal

# Scan an MCP server config in one call
curl -X POST https://api.ferrok.dev/v1/scan \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "config": {
      "server_url": "https://my-mcp-server.com",
      "tools": [{ ... }]
    }
  }'

# Response
{ "summary": { "score": 42, "grade": "D-", "pass_fail": "FAIL" } }
        

Features

Everything you need to ship secure agents.

Four specialized scanners working together, mapped to the OWASP MCP Top 10.

⚠

Tool Poisoning Detection

Catches hidden prompt injection, stealth instructions, data exfiltration, and zero-width character attacks in tool descriptions.

🔒

Permission Analysis

Flags code execution, filesystem access, database queries, network calls, and credential exposure. Enforces least-privilege.

📄

Schema Validation

Identifies missing schemas, unconstrained inputs, weak type definitions, and description-schema mismatches.

📡

Transport Security

Detects insecure HTTP, hardcoded secrets, npx supply chain risks, deprecated transports, and shell injection.

✅

CI/CD Gate

Returns a clear PASS or FAIL with every scan. Drop into GitHub Actions or any pipeline to block unsafe deploys.

📈

OWASP Mapping

Every finding maps to the official framework. Credible, auditable reports your security team will trust.

How It Works

Three steps. Seconds to scan.

No agents to install. No dashboards to configure. Just an API call.

Send your config

POST your MCP server JSON to the /v1/scan endpoint.

We scan everything

Four scanners analyze tools, permissions, schemas, transport, and env vars.

Get your report

Receive structured JSON with a score, grade, pass/fail verdict, and findings.

Pricing

Start free. Scale when ready.

Generous free tier for evaluation. Usage-based pricing that grows with you.

Free

$0/mo

Evaluation & personal projects

100 scans / month
All 4 scanners
JSON responses
Community support
Single API key

Get Started

Starter

$9/mo

Indie devs & small teams

500 scans / month
All 4 scanners
Up to 3 API keys
CI/CD scan reports
Email support (48h SLA)

Pro

$29/mo

Growing teams & startups

5,000 scans / month
All 4 scanners
Up to 10 API keys
Webhook notifications
CI/CD scan reports
Priority support (24h SLA)

Enterprise

Custom

Organizations needing SLAs

50,000+ scans / month
Unlimited API keys
Custom scanner rules
Webhook notifications
SLA guarantee (99.9%)
Dedicated support & onboarding