
mcp-fortress

Security scanner with install-time and runtime protection for Model Context Protocol (MCP) servers

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio mcp-fortress-mcp-fortress node ./node_modules/mcp-fortress/bin/mcp-fortress.js

How to use

MCP Fortress is a security scanner and runtime protection tool for MCP servers. It provides automated security scanning across dependencies, runtime protection of MCP servers, and a set of MCP tools that can be surfaced to AI assistants like Claude Code, Cursor, and Windsurf.

The server exposes three core tools:

  • scan_mcp_server: comprehensive security scanning of MCP servers and their dependencies
  • analyze_prompt_injection: detection of prompt injection and related manipulation attempts
  • detect_tool_poisoning: identification of typosquatting or misleading tool names

In practice, you can run a local Fortress instance, connect it to your Claude/Cursor workflow, and perform on-demand security scans or real-time monitoring of active MCP servers. The CLI supports starting the server, scanning packages, monitoring running servers, and managing a quarantine list of flagged MCPs. When integrated with Claude Code or other assistants, you can issue natural language prompts like "Scan <server> for security issues", and Fortress will return risk scores and actionable findings.
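An added example (not MCP Fortress's own code or detection logic): one way a check for typosquatted or look-alike tool names can work, using the three tool names listed above as the trusted set. The confusable-character map, the function names, and the distance threshold of 2 are assumptions chosen for illustration.

```javascript
// Trusted set: the three tool names listed on this page.
const TRUSTED = ["scan_mcp_server", "analyze_prompt_injection", "detect_tool_poisoning"];

// Constructed map of a few common look-alikes (digits and Cyrillic letters).
const CONFUSABLES = { "0": "o", "1": "l", "3": "e", "5": "s",
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c" };

// Fold case, look-alike characters and separator style into one comparable form.
function skeleton(name) {
  return [...name.normalize("NFKC").toLowerCase()]
    .map((ch) => CONFUSABLES[ch] ?? ch)
    .join("")
    .replace(/[-_.\s]+/g, "_");
}

// Levenshtein distance, dynamic programming over two rows.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { verdict: "trusted" | "suspicious" | "unknown", closest, distance }.
function checkToolName(name, trusted = TRUSTED, maxDistance = 2) {
  if (trusted.includes(name)) return { verdict: "trusted", closest: name, distance: 0 };
  const skel = skeleton(name);
  let best = { closest: null, distance: Infinity };
  for (const t of trusted) {
    const d = editDistance(skel, skeleton(t));
    if (d < best.distance) best = { closest: t, distance: d };
  }
  // Not byte-identical to a trusted name, yet equal after folding or within
  // a couple of edits: treat as a likely impersonation and hold for review.
  const verdict = best.distance <= maxDistance ? "suspicious" : "unknown";
  return { verdict, ...best };
}
```

A name that is "suspicious" with distance 0 differs from a trusted name only in case, separators or look-alike characters, which is the strongest signal of the three.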

How to install

Prerequisites:

  • Node.js (v14+ recommended) and npm installed on your machine
  • Internet access to install the npm package

Install the Fortress CLI globally:

npm install -g mcp-fortress

Start the standalone Fortress server (default port 3001, adjust as needed):

mcp-fortress start

If you prefer to run directly from the project, install dependencies locally and invoke the binary:

npm install
node ./node_modules/mcp-fortress/bin/mcp-fortress.js start

Usage examples:

  • Scan a package:
      mcp-fortress scan express
  • Run the daemon and view logs:
      mcp-fortress start --daemon
      mcp-fortress logs --lines 100
  • Monitor a running server:
      mcp-fortress monitor <server-name>
  • Manage quarantine:
      mcp-fortress quarantine list
      mcp-fortress quarantine release <server-name>

Note: You can optionally configure Fortress to expose its tools to Claude Code or other assistants through the MCP Server Mode integration described in the documentation. The default data directory is ~/.mcp-fortress and Fortress uses a local SQLite database for storage.

Additional notes

Tips and notes:

  • The MCP Fortress web UI and CLI provide a comprehensive view of risks, quarantines, and activity feeds.
  • Default API port is 3001; use the -p flag to override.
  • If you encounter false positives, adjust the risk thresholds in your environment or update to the latest v0.x release to benefit from improved detectors.
  • For Claude/AI integration, you can expose Fortress tools to your assistant using the MCP Server Mode features described in the readme, enabling real-time security analysis within AI-assisted development workflows.
  • Ensure your environment allows outbound access for dependency scanning (npm/PyPI databases) and updates.
