Quickstart: Your First Scan
Get vulnerability results for your MCP server or AI agent configuration in under 60 seconds. No credit card required.
Step 1 — Create Your Account
Go to trusttrace.io/signup and create a free account. You'll need:
- An email address (verified)
- An authenticator app for MFA (Google Authenticator, Authy, or 1Password)
TrustTrace requires multi-factor authentication on all accounts — because a security platform that doesn't enforce MFA isn't one you should trust.
Step 2 — Choose Your Scan Type
Navigate to trusttrace.io/scan. You'll see two options:
Option A: Scan an MCP Server
Enter your MCP server's URL and click Scan. TrustTrace will connect to your server and:
- Enumerate all exposed tools, resources, and prompts
- Check authentication requirements
- Analyze tool descriptions for hidden instructions (tool poisoning)
- Assess transport security (TLS, HTTP)
- Evaluate scope and permissions
What you'll need: The URL of your MCP server endpoint (typically a URL ending in /sse for SSE transport, or a WebSocket URL).
Example:
https://your-mcp-server.example.com/sse
If your MCP server requires authentication, toggle "Add authentication" and provide your auth token.
Option B: Upload Configuration Files
Drag and drop your files into the upload area. TrustTrace will analyze whatever you provide:
| File Type | What Gets Scanned |
|---|---|
| Tool schemas (.json) | Permission analysis, dangerous patterns, hidden instructions |
| Dependency files (requirements.txt, package.json, lockfiles) | Known CVEs, unpinned versions, typosquatting |
| System prompts (.txt, .yaml) | Injection vulnerability catalog, prompt leakage risks |
| Agent code (.py, .js, .ts) | Hardcoded secrets, injection sinks, unsafe execution, SQL injection |
You can upload any combination. The more context you provide, the more comprehensive the results.
Step 3 — Review Your Results
When the scan completes, you'll see:
- OWASP Score — An overall security score (0–100) with a letter grade (A–F)
- Findings List — Each vulnerability detected, with severity (Critical, High, Medium, Low) and OWASP LLM Top 10 category
Free Tier Results
On the free plan, you'll see the severity and title of each finding. This tells you what's wrong and how bad it is. To see the full description, evidence, and remediation guidance, upgrade to the Developer plan ($49/mo).
Paid Tier Results
Developer and above see complete finding details:
- Description — What the vulnerability is and why it matters
- Evidence — Specific details from your scan (redacted where appropriate)
- Remediation — Concrete steps to fix the issue
- OWASP Category — Which OWASP LLM Top 10 category this falls under
- Compliance Mapping — HIPAA and SOC 2 control references (Enterprise tier)
Step 4 — Take Action
Fix Critical Issues First
Critical and High severity findings represent immediate risk. Address these before anything else. Each finding includes specific remediation guidance — follow the steps provided.
Set Up Baseline Tracking (Pro+)
If you're on the Pro plan or above, TrustTrace saves a baseline snapshot of your MCP server's tool definitions. The next time you scan the same URL, you'll see what changed — new tools added, descriptions modified, permissions expanded. This catches rug pull attacks where MCP servers change behavior after initial approval.
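The baseline comparison described above can be reproduced locally to see what such a diff surfaces. This is an added example, not TrustTrace's implementation; it assumes tool definitions in the shape an MCP `tools/list` response returns (`name`, `description`, `inputSchema`), and the function names and sample tools are constructed for illustration.

```python
import hashlib
import json

def fingerprint(value):
    """SHA-256 over canonical JSON so key order and whitespace do not matter."""
    canon = json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def snapshot(tools):
    """Map tool name -> per-field fingerprints plus the input parameter names."""
    snap = {}
    for tool in tools:
        schema = tool.get("inputSchema") or {}
        snap[tool["name"]] = {
            "description": fingerprint(tool.get("description", "")),
            "schema": fingerprint(schema),
            "params": sorted(schema.get("properties", {})),
        }
    return snap

def diff_snapshots(baseline, current):
    """Report tools added/removed and, for tools present in both, what changed."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "description_changed": [], "schema_changed": [], "new_params": {}}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        if old["description"] != new["description"]:
            report["description_changed"].append(name)
        if old["schema"] != new["schema"]:
            report["schema_changed"].append(name)
        extra = sorted(set(new["params"]) - set(old["params"]))
        if extra:  # parameters that did not exist when the tool was approved
            report["new_params"][name] = extra
    return report

# Constructed sample data: the tool list as approved, and as seen on a later scan.
APPROVED = [{"name": "read_file", "description": "Read a file from the workspace.",
             "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}}]
LATER = [
    {"name": "read_file", "description": "Read a file from any path on the host.",
     "inputSchema": {"type": "object", "properties": {
         "path": {"type": "string"}, "follow_symlinks": {"type": "boolean"}}}},
    {"name": "send_report", "description": "Send a report to a remote endpoint.",
     "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}},
]

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(snapshot(APPROVED), snapshot(LATER)), indent=2))
```

The snapshot is plain JSON, so it can be stored alongside the approval record and compared on every later scan.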
Add to Your CI/CD Pipeline (Team+)
Automate scans on every deployment. See the CI/CD Integration Guide for setup instructions.
Download Your Report (Developer+)
Click Download PDF Report to get a branded PDF you can share with your security team or attach to compliance documentation.
What's Next?
- Understanding Results — Deep dive into severity levels, OWASP categories, and how to prioritize
- API Reference — Automate scans programmatically
- MCP Security Guide — Understand why MCP servers are a growing attack surface
- Upgrade Your Plan — Unlock full findings, baselines, and CI/CD integration