Detectify brings security testing into AI-assisted coding workflows via MCP

On Tuesday, May 26th, SC Media reported that Detectify, the Swedish attack surface management (EASM) platform, has released an official MCP server. The integration allows AI-assisted coding tools, including Claude Code, to directly invoke Detectify's security analysis capabilities without leaving the development environment.

This is significant: previously, the typical workflow meant writing code, committing it, waiting for an external scanner to report findings, and then returning to the editor to fix them. With an MCP server in place, that cycle can be compressed to the moment when the model is generating or reviewing code.

What the Detectify MCP server actually does

The server exposes Detectify's tools as standard MCP calls. This means a compatible agent or assistant can, for example, request a scan of a domain, retrieve active findings from an attack surface, or check the status of a specific vulnerability, all as part of a conversation or automated workflow in Claude Code.

In practice, a developer working with Claude Code could ask the assistant to check whether a subdomain they just configured has known exposures, and the model would invoke the Detectify MCP server to get that information in real time, without opening another tab or manually authenticating to another platform.

Configuration follows the standard MCP pattern: you declare the server in `claude_desktop_config.json` or in Claude Code's configuration, provide Detectify API credentials, and the server becomes available as an invokable tool.

Why this matters for the broader ecosystem

Anthropc's MCP has been attracting integrations across all kinds of services—databases, project management platforms, productivity APIs—but security tools have been slower to appear. The reason is understandable: exposing vulnerability data through a channel that passes through a language model requires careful thought about what information is shared, at what level of detail, and under what access controls.

That Detectify has taken this step suggests the industry is beginning to accept that AI-assisted coding workflows are not a marginal experiment, but the environment where much of the new code will be written in the coming years. Ignoring that reality means security gets left out of the conversation entirely.

That said, the integration has obvious limits. An MCP server retrieves and presents information; it doesn't replace a bug bounty programme, manual auditing, or deep static code analysis. What it can do is reduce friction so that information reaches the developer at the moment they can still act on it.

Who should adopt this now

The integration makes most sense for teams already using Detectify as part of their security programme and who have incorporated Claude Code into their daily workflow. For them, adding the MCP server is relatively low-cost and can speed up triage of findings during development.

For teams that don't yet have either tool, the case is less compelling: adopting an EASM platform just to get the MCP integration would be putting the cart before the horse. The integration has value as a complement, not as an entry point.

The governance angle also deserves attention: before setting up the server in team environments, it's worth reviewing what Detectify data gets exposed to Claude Code's logs and whether that aligns with internal policies for handling vulnerability information.

---

We've been waiting for some time to see more security tools adopting MCP natively. Detectify's move is a concrete step in that direction, though the real maturity of the ecosystem will be measured when these kinds of integrations are auditable, role-configurable, and don't depend on each developer managing their own API credentials.