⚡ TL;DR
- MCP (Model Context Protocol) bridges Claude AI with Kali Linux and Burp Suite, enabling natural-language-driven pentesting
- PortSwigger's official MCP extension and six2dez's Burp AI Agent are the two primary integration paths for Burp Suite
- Kali's mcp-kali-server package (officially documented Feb 2026) exposes Nmap, Metasploit, SQLMap, and 10+ tools to Claude
- The architecture is: Claude Desktop/Code → MCP → Kali/Burp → structured output → Claude analysis
- Critical OPSEC warnings: prompt injection, tool poisoning, and cloud data leakage are real risks — treat MCP servers as untrusted code
Introduction: Why This Matters Now
In February 2026, Kali Linux officially documented a native AI-assisted penetration testing workflow using Anthropic's Claude via the Model Context Protocol (MCP). Weeks earlier, PortSwigger shipped their official MCP Server extension for Burp Suite. These aren't experimental toys — they represent a fundamental shift in how offensive security practitioners interact with their tooling.
Instead of memorising Nmap flags, crafting SQLMap syntax, or manually triaging hundreds of Burp proxy entries, you describe what you want in plain English. Claude interprets, plans, executes, and analyses — then iterates if needed. The entire recon-to-report loop becomes conversational.
This article walks you through the complete setup, the two Burp Suite integration paths, the Kali MCP architecture, practical prompt workflows, and — critically — the security risks you must understand before deploying this anywhere near a real engagement.
1. Understanding the Architecture
All three integration paths (Burp MCP, Burp AI Agent, Kali MCP) share the same core pattern: Claude communicates with your tools through MCP, a standardised protocol that Anthropic open-sourced in late 2024. Think of MCP as a universal API bridge that lets LLMs call external tools while maintaining session context.
Structured Output ← Claude Analysis ← Tool Results
The three components in every setup are:
2. Path A: Burp Suite + Claude via PortSwigger's Official MCP Extension
PortSwigger maintains the official MCP Server extension in the BApp Store. It works with both Burp Pro and Community Edition.
Setup Steps
1Install the MCP Extension — Open Burp Suite → Extensions → BApp Store → search "MCP Server" → Install.
2Configure the MCP Server — The MCP tab appears in Burp. Default endpoint: http://127.0.0.1:9876. Enable/disable specific tools (send requests, create Repeater tabs, read proxy history, edit config).
3Install to Claude Desktop — Click "Install to Claude Desktop" button in the MCP tab. This auto-generates the JSON config. Alternatively, manually edit:
// Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"burp": {
"command": "<path-to-java>",
"args": [
"-jar",
"/path/to/mcp-proxy-all.jar",
"--sse-url",
"http://127.0.0.1:9876/sse"
]
}
}
}
4Restart Claude Desktop — Fully quit (check system tray), then relaunch. Verify under Settings → Developer → Burp integration active.
5Start Prompting — Claude now has access to your Burp proxy history, Repeater, and can send HTTP requests directly.
3. Path B: Burp AI Agent (six2dez) — The Power Option
The Burp AI Agent by six2dez is a more feature-rich alternative. It goes significantly beyond the official extension.
Setup
git clone https://github.com/six2dez/burp-ai-agent.git
cd burp-ai-agent
JAVA_HOME=/path/to/jdk-21 ./gradlew clean shadowJar
# Or download the JAR from Releases
# Load in Burp: Extensions → Add → Select JAR
Claude Desktop config for Burp AI Agent:
"mcpServers": {
"burp-ai-agent": {
"command": "npx",
"args": [
"-y",
"supergateway",
"--sse",
"http://127.0.0.1:9876/sse"
]
}
}
}
4. Kali Linux + Claude via mcp-kali-server
Officially documented by the Kali team in February 2026, mcp-kali-server is available via apt and exposes penetration testing tools through a Flask-based API on localhost:5000.
Supported Tools
Setup
sudo apt update
sudo apt install mcp-kali-server kali-server-mcp
# Start the MCP server
mcp-kali-server
# Runs Flask API on localhost:5000
Claude Desktop connects over SSH using stdio transport. Add to your config:
"mcpServers": {
"kali": {
"command": "ssh",
"args": [
"kali@<KALI_IP>",
"mcp-server"
]
}
}
}
5. Practical Prompt Workflows — Optimising Your Skills
The integration is only as good as how you prompt it. Here are real-world workflow patterns that maximise Claude's value.
5.1 Recon Triage (Kali MCP)
Claude will chain: verify tool availability → execute nmap -sV → parse open ports → conditionally run gobuster → produce a structured summary with prioritised findings. One prompt replaces 3-4 manual steps.
5.2 Proxy History Analysis (Burp MCP)
Claude reads your proxy history, filters by content type and method, identifies parameter patterns, and flags candidates for manual testing. This alone saves hours on large applications.
5.3 Automated Test Plan Generation (Burp MCP)
5.4 Collaborator-Assisted SSRF Testing (Burp MCP + Claude Code)
5.5 Full Report Generation (Post-Engagement)
• Be specific with scope — "scan ports 1-1000" not just "scan the target"
• Chain conditional logic — "if you find X, then do Y" leverages Claude's reasoning
• Request structured output — "format as a markdown table" or "create Repeater tabs for each finding"
• Use Claude Code over Desktop for Kali — CLI-native, works on Linux, better for multi-step chains
• Iterate — Claude maintains session context, so you can refine: "now test that endpoint for SQLi"
6. Security Risks — Read This Before Deploying
This is where most guides stop. Don't be that person. MCP-enabled AI workflows introduce real, documented attack surfaces.
Three vulnerabilities were disclosed in Anthropic's official Git MCP server, directly demonstrating that MCP servers are exploitable via prompt injection:
CVE-2025-68143 Path traversal via arbitrary path acceptance in
git_initCVE-2025-68144 Argument injection via unsanitised git CLI args in
git_diff / git_checkoutCVE-2025-68145 Path validation weakness around repository scoping
Researchers demonstrated chaining these with a Filesystem MCP server to achieve code execution. This is not theoretical.
Threat Model for MCP-Assisted Pentesting
Prompt Injection: Malicious content in target responses (HTML, headers, error messages) can feed instructions back into Claude's reasoning loop. A target application could craft responses that manipulate Claude's next actions — classic "data becomes instructions" routed through a new control plane.
Tool Poisoning: CyberArk and Invariant Labs have documented scenarios where malicious instructions embedded in tool descriptions or command output can manipulate the LLM into unintended actions, including data exfiltration.
Cloud Data Leakage: Every prompt and tool output transits through Anthropic's cloud infrastructure. For client engagements with confidentiality requirements, this likely violates your engagement letter. Sending target data to a third-party API is a non-starter for most professional pentests.
Over-Permissioned Execution: The mcp-kali-server can execute terminal commands. A poorly scoped setup with root access is a catastrophic vulnerability if the LLM is manipulated.
Hardening Checklist
[ ] Run Kali in an isolated VM or container — disposable, no shared credentials
[ ] No SSH agent forwarding to the Kali execution host
[ ] Minimal outbound network — open only what you need
[ ] Use Burp AI Agent's STRICT privacy mode for client work
[ ] Enable JSONL audit logging with integrity hashing
[ ] Human-in-the-loop approval for destructive or high-risk commands
[ ] Never use on real client targets without explicit written authorisation for AI-assisted testing
[ ] Review all Claude-generated commands before execution on production targets
[ ] Treat MCP servers as untrusted third-party code — test for command injection, path traversal, SSRF
[ ] For air-gapped requirements: use Ollama + local models via Burp AI Agent instead of cloud Claude
7. Which Path Should You Choose?
✅ BApp Store install
❌ Fewer features
❌ No privacy modes
π― Best for: lab work, CTFs, learning
✅ 3 privacy modes + audit logging
✅ 7 AI backends (inc. local)
❌ Requires Java 21 build
π― Best for: professional engagements
✅ Official Kali package
❌ Cloud dependency
❌ No Linux Claude Desktop
π― Best for: recon, enumeration, CTFs
✅ Burp for web + Kali for infra
❌ Complex setup
❌ Largest attack surface
π― Best for: comprehensive assessments
8. Conclusion: AI Won't Replace You — But It Will Change How You Work
Let's be clear about what this is and what it isn't. Claude + MCP is not autonomous pentesting. It doesn't exercise judgement, assess business impact, or make ethical decisions. What it does is eliminate the repetitive friction of context switching, command crafting, output parsing, and report formatting — the tasks that consume 60-70% of a typical engagement.
The practitioners who will thrive are those who use AI as an intelligent assistant while maintaining the critical thinking, methodology discipline, and OPSEC awareness that no LLM can replicate. Start with lab environments and CTFs. Build confidence with the tooling. Understand the security risks deeply. Then — and only then — consider how it fits into your professional workflow.
The command line remains powerful. Now it has a conversational layer. Use it wisely.
Sources & Further Reading
PortSwigger MCP Server Extension • Burp AI Agent (six2dez) • Kali Official Blog — LLM + Claude Desktop • mcp-kali-server Package • SecEngAI — AI-Assisted Web Pentesting • PortSwigger MCP Server (GitHub) • CybersecurityNews — Kali Integrates Claude AI • Model Context Protocol (Official) • Penligent — Critical Analysis of Kali + Claude MCP
