PostmanFor Postman Agent Mode

Rogue MCP Server Detection
& API Security Testing

Rogue MCP audits local MCP servers to expose supply-chain risks and excessive privileges, then runs safe, passive API security testing on Postman collections to find auth gaps and data leaks. Agent-native security, minus the drama.

Key Features

Security checks run conversationally inside Agent Mode—no separate tools, proxies, or configuration required.

MCP Security Scanner

Audits all installed MCP servers (Postman, Cursor, VS Code, Claude, etc.). Verifies provenance against Postman's trusted MCP registry.

API Security Testing

Analyzes Postman collections and OpenAPI specs. No attack payloads, no traffic replay, no production risk. Runtime ~2–3 minutes.

LLM-Assisted Findings

Summarized risks, explanations, and remediation guidance. Designed for developers, not security specialists.

God-Mode Detection

Flags MCPs with unrestricted filesystem access, arbitrary command execution, and full user permissions.

Lockfile Generation

Generates a locked-down mcp.json + lockfile with pinned versions, hashes, and allowlist for secure deployments.

Agent-Native UX

Local MCP over STDIO, fully compatible with Postman Agent Mode. Security checks run conversationally inside your workflow.

Types of Issues Detected

Comprehensive security scanning for both MCP servers and API endpoints

MCP Security Scanner

MCP Security Scanner

  • Full filesystem access and credential exposure risk
  • SSH, cloud credential, and browser data access
  • Arbitrary command execution ("god-mode" MCPs)
  • Unpinned or drifting dependencies
  • Suspicious network behavior and package provenance gaps
API Security Testing

API Security Testing

  • API key and secret leaks
  • Missing or weak authentication
  • Over-permissive endpoints
  • Schema violations and drift
  • Sensitive data exposure
  • Basic BOLA / BOPLA indicators

How It Works

1

Register & Subscribe

Sign up for $5/month to get full access to the Rogue MCP Server.

2

Configure in Postman

Add the Rogue MCP Server to your Postman Agent Mode configuration.

3

Run Security Checks

Use natural language in Agent Mode to scan MCPs and test API security—no extra tools needed.

CLI Usage & Commands

Run without arguments to start as an MCP server (stdio transport), or use CLI commands directly.

Usage as MCP Server

Run without arguments to start as an MCP server (stdio transport). The server provides scan, audit, fix, and export tools.

rogue-mcp

Quick CLI Commands

rogue-mcp scan     # Discover MCP servers
rogue-mcp audit    # Run security audit
rogue-mcp fix      # Generate safe configs
rogue-mcp export   # Export results
rogue-mcp rogue    # Blast radius reconnaissance

All Available Commands

scanDiscover all MCP servers on this machine
auditRun security audit on discovered servers (SAST)
deep-probeRun deep dynamic analysis on servers (DAST)
scan-depsScan dependencies of MCP server packages
analyze-sourceAnalyze source code for security issues
fixGenerate safe configurations
exportExport results (json, markdown, sarif)
owaspShow OWASP Agentic AI Top 10 information
trustedManage trusted server catalog
historyShow scan history and storage info
autodiscoverAuto-discover MCP servers, Postman collections, and API specs
rogueRogue MCP Mode - Analyze blast radius of running privileges
helpPrint this message or the help of the given subcommand(s)

Simple, Transparent Pricing

$5/month

Unlock full access for API Security Testing by signing up for a $5 paid subscription.

400 credits included for LLM-based API Security Testing.

Credits are only consumed for API Security Testing for Postman Collections.

You can always switch later to another plan with more monthly credits.

Get Started Today

Loading...