CounterAgent is an offensive security tool. It connects to MCP servers, sends adversarial payloads, intercepts traffic, and probes for vulnerabilities. These capabilities are powerful and potentially disruptive.

Authorized Testing Only

Only test systems you own or have explicit written authorization to test. This means:
  • MCP servers you built and control
  • Servers in lab environments you operate
  • Third-party servers where you hold a written testing agreement or bug bounty scope that covers them
Running CounterAgent against a system without authorization may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws in other jurisdictions. Unauthorized testing is illegal regardless of intent.

What Authorized Looks Like

If you are unsure whether you have authorization, you do not have authorization. Authorization requires explicit, documented permission — not implied permission, not assumed permission because you have credentials, and not retroactive permission after testing has begun. For bug bounty programs, verify that MCP servers and AI agent infrastructure are explicitly in scope before running any active scans or injection tests.

Responsible Disclosure

If you use CounterAgent to find a genuine vulnerability in a third-party system and have authorization to test, follow responsible disclosure:
  1. Notify the vendor before publishing — provide reproduction steps, evidence, and affected versions
  2. Allow reasonable time to patch — 90 days is the standard baseline; critical infrastructure may warrant an extension
  3. Coordinate publication — publish technical details after the vendor has had an opportunity to respond, whether or not they do
For vulnerabilities in CounterAgent itself, see SECURITY.md.

Intended Use

CounterAgent is a security testing tool analogous to Burp Suite, Metasploit, or Nmap — purpose-built for authorized penetration testing and security research. It is not a general-purpose automation tool and should not be used to attack systems outside a controlled testing context. Use findings to improve the security posture of the systems you are responsible for protecting.