🔗 Connecting Claude AI with Kali Linux & Burp Suite via MCP
The Practical Guide to AI-Augmented Penetration Testing in 2026
📅 March 2026
✍️ altcoinwonderland
⏱️ 15 min read
🏷️ AppSec | Offensive Security | AI
⚡ TL;DR
- MCP (Model Context Protocol) bridges Claude AI with Kali Linux and Burp Suite, enabling natural-language-driven pentesting
- PortSwigger's official MCP extension and six2dez's Burp AI Agent are the two primary integration paths for Burp Suite
- Kali's mcp-kali-server package (officially documented Feb 2026) exposes Nmap, Metasploit, SQLMap, and 10+ tools to Claude
- The architecture is: Claude Desktop/Code → MCP → Kali/Burp → structured output → Claude analysis
- Critical OPSEC warnings: prompt injection, tool poisoning, and cloud data leakage are real risks — treat MCP servers as untrusted code
Introduction: Why This Matters Now
In February 2026, Kali Linux officially documented a native AI-assisted penetration testing workflow using Anthropic's Claude via the Model Context Protocol (MCP). Weeks earlier, PortSwigger shipped their official MCP Server extension for Burp Suite. These aren't experimental toys — they represent a fundamental shift in how offensive security practitioners interact with their tooling.
Instead of memorising Nmap flags, crafting SQLMap syntax, or manually triaging hundreds of Burp proxy entries, you describe what you want in plain English. Claude interprets, plans, executes, and analyses — then iterates if needed. The entire recon-to-report loop becomes conversational.
This article walks you through the complete setup, the two Burp Suite integration paths, the Kali MCP architecture, practical prompt workflows, and — critically — the security risks you must understand before deploying this anywhere near a real engagement.
1. Understanding the Architecture
All three integration paths (Burp MCP, Burp AI Agent, Kali MCP) share the same core pattern: Claude communicates with your tools through MCP, a standardised protocol that Anthropic open-sourced in late 2024. Think of MCP as a universal API bridge that lets LLMs call external tools while maintaining session context.
You (Claude Desktop / Claude Code)
→
Claude Sonnet (Cloud LLM)
→
MCP Protocol Layer
→
Kali / Burp Suite (Execution)
Structured Output
←
Claude Analysis
←
Tool Results
The three components in every setup are:
2. Path A: Burp Suite + Claude via PortSwigger's Official MCP Extension
PortSwigger maintains the official MCP Server extension in the BApp Store. It works with both Burp Pro and Community Edition.
Setup Steps
1Install the MCP Extension — Open Burp Suite → Extensions → BApp Store → search "MCP Server" → Install.
2Configure the MCP Server — The MCP tab appears in Burp. Default endpoint: http://127.0.0.1:9876. Enable/disable specific tools (send requests, create Repeater tabs, read proxy history, edit config).
3Install to Claude Desktop — Click "Install to Claude Desktop" button in the MCP tab. This auto-generates the JSON config. Alternatively, manually edit:
{
"mcpServers": {
"burp": {
"command": "<path-to-java>",
"args": [
"-jar",
"/path/to/mcp-proxy-all.jar",
"--sse-url",
"http://127.0.0.1:9876/sse"
]
}
}
}
4Restart Claude Desktop — Fully quit (check system tray), then relaunch. Verify under Settings → Developer → Burp integration active.
5Start Prompting — Claude now has access to your Burp proxy history, Repeater, and can send HTTP requests directly.
3. Path B: Burp AI Agent (six2dez) — The Power Option
The Burp AI Agent by six2dez is a more feature-rich alternative. It goes significantly beyond the official extension.
Setup
git clone https://github.com/six2dez/burp-ai-agent.git
cd burp-ai-agent
JAVA_HOME=/path/to/jdk-21 ./gradlew clean shadowJar
Claude Desktop config for Burp AI Agent:
{
"mcpServers": {
"burp-ai-agent": {
"command": "npx",
"args": [
"-y",
"supergateway",
"--sse",
"http://127.0.0.1:9876/sse"
]
}
}
}
💡 Key advantage of Burp AI Agent: Right-click any request in Proxy → HTTP History → Extensions → Burp AI Agent → "Analyse this request" — opens a chat session with the AI analysis. The 3 privacy modes (STRICT/BALANCED/OFF) and JSONL audit logging with SHA-256 integrity hashing make it more suitable for professional engagements.
4. Kali Linux + Claude via mcp-kali-server
Officially documented by the Kali team in February 2026, mcp-kali-server is available via apt and exposes penetration testing tools through a Flask-based API on localhost:5000.
Supported Tools
Setup
sudo apt update
sudo apt install mcp-kali-server kali-server-mcp
mcp-kali-server
Claude Desktop connects over SSH using stdio transport. Add to your config:
{
"mcpServers": {
"kali": {
"command": "ssh",
"args": [
"kali@<KALI_IP>",
"mcp-server"
]
}
}
}
💡 Linux Users: Claude Desktop has no official Linux build as of March 2026. Workarounds include WINE, unofficial Linux packages, or alternative MCP clients such as 5ire, AnythingLLM, Goose Desktop, and Witsy. Claude Code (CLI) works natively on Linux and is arguably the better option for Kali integration.
5. Practical Prompt Workflows — Optimising Your Skills
The integration is only as good as how you prompt it. Here are real-world workflow patterns that maximise Claude's value.
5.1 Recon Triage (Kali MCP)
"Run an Nmap service scan on 10.10.10.100 with version detection. If you find HTTP on any port, follow up with Gobuster using the common.txt wordlist. Summarise all findings with risk ratings."
Claude will chain: verify tool availability → execute nmap -sV → parse open ports → conditionally run gobuster → produce a structured summary with prioritised findings. One prompt replaces 3-4 manual steps.
5.2 Proxy History Analysis (Burp MCP)
"From the HTTP history in Burp, find all POST requests to API endpoints that accept JSON. Identify any that pass user IDs in the request body — I'm hunting for IDOR and BOLA vulnerabilities."
Claude reads your proxy history, filters by content type and method, identifies parameter patterns, and flags candidates for manual testing. This alone saves hours on large applications.
5.3 Automated Test Plan Generation (Burp MCP)
"Analyse the JavaScript files in Burp history. Extract API endpoints, identify authentication mechanisms, and generate a test plan covering OWASP API Security Top 10."
5.4 Collaborator-Assisted SSRF Testing (Burp MCP + Claude Code)
"Take the request in Repeater tab 1. Identify any parameters that accept URLs or hostnames. Create variations pointing to my Collaborator URL and send each one. Report back which triggered a DNS lookup."
5.5 Full Report Generation (Post-Engagement)
"Compile all findings from this session into a structured pentest report. Include: vulnerability title, severity (CVSS where possible), affected endpoint, proof of concept, and remediation steps."
💡 Skill Optimisation Tips:
• Be specific with scope — "scan ports 1-1000" not just "scan the target"
• Chain conditional logic — "if you find X, then do Y" leverages Claude's reasoning
• Request structured output — "format as a markdown table" or "create Repeater tabs for each finding"
• Use Claude Code over Desktop for Kali — CLI-native, works on Linux, better for multi-step chains
• Iterate — Claude maintains session context, so you can refine: "now test that endpoint for SQLi"
6. Security Risks — Read This Before Deploying
This is where most guides stop. Don't be that person. MCP-enabled AI workflows introduce real, documented attack surfaces.
⚠️ CRITICAL: Known CVEs in MCP Ecosystem (January 2026)
Three vulnerabilities were disclosed in Anthropic's official Git MCP server, directly demonstrating that MCP servers are exploitable via prompt injection:
CVE-2025-68143 Path traversal via arbitrary path acceptance in git_init
CVE-2025-68144 Argument injection via unsanitised git CLI args in git_diff / git_checkout
CVE-2025-68145 Path validation weakness around repository scoping
Researchers demonstrated chaining these with a Filesystem MCP server to achieve code execution. This is not theoretical.
Threat Model for MCP-Assisted Pentesting
Prompt Injection: Malicious content in target responses (HTML, headers, error messages) can feed instructions back into Claude's reasoning loop. A target application could craft responses that manipulate Claude's next actions — classic "data becomes instructions" routed through a new control plane.
Tool Poisoning: CyberArk and Invariant Labs have documented scenarios where malicious instructions embedded in tool descriptions or command output can manipulate the LLM into unintended actions, including data exfiltration.
Cloud Data Leakage: Every prompt and tool output transits through Anthropic's cloud infrastructure. For client engagements with confidentiality requirements, this likely violates your engagement letter. Sending target data to a third-party API is a non-starter for most professional pentests.
Over-Permissioned Execution: The mcp-kali-server can execute terminal commands. A poorly scoped setup with root access is a catastrophic vulnerability if the LLM is manipulated.
Hardening Checklist
[ ] Run Kali in an isolated VM or container — disposable, no shared credentials
[ ] No SSH agent forwarding to the Kali execution host
[ ] Minimal outbound network — open only what you need
[ ] Use Burp AI Agent's STRICT privacy mode for client work
[ ] Enable JSONL audit logging with integrity hashing
[ ] Human-in-the-loop approval for destructive or high-risk commands
[ ] Never use on real client targets without explicit written authorisation for AI-assisted testing
[ ] Review all Claude-generated commands before execution on production targets
[ ] Treat MCP servers as untrusted third-party code — test for command injection, path traversal, SSRF
[ ] For air-gapped requirements: use Ollama + local models via Burp AI Agent instead of cloud Claude
7. Which Path Should You Choose?
8. Conclusion: AI Won't Replace You — But It Will Change How You Work
Let's be clear about what this is and what it isn't. Claude + MCP is not autonomous pentesting. It doesn't exercise judgement, assess business impact, or make ethical decisions. What it does is eliminate the repetitive friction of context switching, command crafting, output parsing, and report formatting — the tasks that consume 60-70% of a typical engagement.
The practitioners who will thrive are those who use AI as an intelligent assistant while maintaining the critical thinking, methodology discipline, and OPSEC awareness that no LLM can replicate. Start with lab environments and CTFs. Build confidence with the tooling. Understand the security risks deeply. Then — and only then — consider how it fits into your professional workflow.
The command line remains powerful. Now it has a conversational layer. Use it wisely.
Sources & Further Reading
PortSwigger MCP Server Extension •
Burp AI Agent (six2dez) •
Kali Official Blog — LLM + Claude Desktop •
mcp-kali-server Package •
SecEngAI — AI-Assisted Web Pentesting •
PortSwigger MCP Server (GitHub) •
CybersecurityNews — Kali Integrates Claude AI •
Model Context Protocol (Official) •
Penligent — Critical Analysis of Kali + Claude MCP
