Decoy Red Team
Autonomous adversarial testing for MCP servers. 53 attack patterns across 6 categories, mapped to OWASP Agentic Top 10.
Decoy Red Team connects to every MCP server on your machine, sends adversarial payloads to their tools, and reports what's exploitable. Not a scanner — an attacker. Every finding maps to OWASP Top 10 for Agentic Applications 2026.
What it tests
53 attack patterns across 6 categories:
| Category | What it tests |
|---|---|
| Input injection | SQL injection, command injection, path traversal, SSRF, template injection |
| Prompt injection | Instruction override, role hijack, indirect injection, encoding bypass, multi-turn |
| Credential exposure | .env files, cloud credentials, SSH keys, git tokens, shell history |
| Protocol attacks | Malformed JSON-RPC, capability escalation, replay attacks, method injection |
| Schema boundary | Type coercion, null bytes, overflow, prototype pollution, NoSQL operators |
| Privilege escalation | Scope escape, undeclared access, dotfile enumeration, argument smuggling |
Usage
Dry run by default — `--live` is required to actually execute anything.
```bash
# Show the attack plan without executing (safe, always)
npx decoy-redteam
# Execute attacks — prompts for confirmation
npx decoy-redteam --live
# Target a specific server
npx decoy-redteam --live --target=my-server
# Only test specific categories
npx decoy-redteam --live --category=input-injection,credential-exposure
# SARIF for CI
npx decoy-redteam --live --sarif > redteam.sarif
```
Safety
- Dry-run by default. `npx decoy-redteam` plans but does not execute.
- Live mode prompts for confirmation. No `--yes` bypass.
- Safe by default. Live mode runs read-only and protocol attacks only. Destructive attacks (file writes, etc.) require `--live --full` with a second confirmation.
CI/CD
```yaml
- uses: decoy-run/decoy-redteam@v1
```
Runs in safe mode against your MCP servers and uploads SARIF to the GitHub Security tab.
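For pipelines that consume `redteam.sarif` directly instead of the GitHub Security tab, a build gate over the report can look like the following. This is an added example, not code from the Decoy project; it assumes the file is standard SARIF 2.1.0, and the sample report and its rule ids are constructed for illustration.

```javascript
// Added example: gate a CI job on a SARIF 2.1.0 report.
// SAMPLE is constructed; the rule ids are hypothetical, not real tool output.
const SAMPLE = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-tool", rules: [
      { id: "EX-PATH-TRAVERSAL", defaultConfiguration: { level: "error" } },
      { id: "EX-VERBOSE-ERROR" }, // no default level declared
    ] } },
    results: [
      { ruleId: "EX-PATH-TRAVERSAL", message: { text: "read outside root" } },
      { ruleId: "EX-VERBOSE-ERROR", message: { text: "stack trace returned" } },
      { ruleId: "EX-PATH-TRAVERSAL", kind: "pass", message: { text: "blocked" } },
      { ruleId: "EX-UNLISTED", level: "note", message: { text: "informational" } },
    ],
  }],
};

// Effective level per SARIF 2.1.0: an explicit level wins; a result whose
// kind is not "fail" is "none"; otherwise the rule's default; else "warning".
function effectiveLevel(result, rule) {
  if (result.level) return result.level;
  if (result.kind && result.kind !== "fail") return "none";
  return rule?.defaultConfiguration?.level ?? "warning";
}

// Count results per level and collect those that should fail the build.
function gateSarif(sarif, failOn = ["error"]) {
  const counts = { error: 0, warning: 0, note: 0, none: 0 };
  const blocking = [];
  for (const run of sarif.runs ?? []) {
    const rules = run.tool?.driver?.rules ?? [];
    for (const r of run.results ?? []) {
      // A result may reference its rule by index or only by id.
      const rule = rules[r.ruleIndex] ?? rules.find((x) => x.id === r.ruleId);
      const level = effectiveLevel(r, rule);
      counts[level] = (counts[level] ?? 0) + 1;
      if (failOn.includes(level)) {
        blocking.push({ ruleId: r.ruleId, level, text: r.message?.text ?? "" });
      }
    }
  }
  return { counts, blocking, exitCode: blocking.length ? 1 : 0 };
}

console.log(gateSarif(SAMPLE));
```

In a pipeline, pass the parsed contents of `redteam.sarif` to `gateSarif` and exit with the returned `exitCode`.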
Upgrading to full coverage
Free mode tests the 53 deterministic patterns (Layer 1). Guard Pro unlocks ~198 AI-adaptive and encoding variants (Layer 2) — plans generated from your latest scan, adapted to each server's actual tool surface.
```bash
npx decoy-redteam --live --pro --token=$DECOY_TOKEN
```