## https://sploitus.com/exploit?id=FC680F1F-BC43-53D0-AA72-216012BA3A1E
# sec-recon-agent
Type-safe security triage built on Pydantic AI and a custom Model Context Protocol server.
The agent answers vulnerability questions ("Is CVE-X exploitable?", "What CVEs affect Apache 2.4.49?", "Triage this Nmap output") by calling typed tools exposed over MCP:
- `cve_lookup` โ async NVD API client, rate-limited, returns a structured `CVEDetail`
- `cve_semantic_search` โ vector retrieval over a local ChromaDB index of recent high-severity CVEs
- `exploit_check` โ public-exploit availability (ExploitDB + GitHub PoC search)
- `nmap_parse_xml` โ pure parser, structured port/service extraction
The agent never produces free-text guessing. Its only output is a `TriageReport` Pydantic model: severity, exploit availability, recommended action, and the full reasoning chain.
## Why this exists
Most LLM "security assistants" hallucinate CVEs and exploit details. This one is a deliberate exercise in:
- **Strict typing on the model boundary**: every tool I/O is a Pydantic model. The LLM never sees raw JSON, only structured contracts
- **MCP as the integration layer**: tools live in a separate process, callable from any MCP-compatible client (Claude Desktop, a custom client, this agent)
- **Streaming UX**: tool calls and intermediate reasoning are streamed via Server-Sent Events
- **Security-aware AI engineering**: untrusted tool content (CVE descriptions from third parties) is fenced in the prompt; the agent has no out-of-band tools beyond the declared MCP surface
## Architecture
```
client --SSE--> agent API (FastAPI :8000)
โ
โ Pydantic AI tool calls
โผ
MCP client --HTTP--> MCP server (:8001)
โ
โโโ NVD API (cve_lookup)
โโโ ChromaDB (semantic search)
โโโ ExploitDB + GitHub (exploit_check)
โโโ XML parser (nmap_parse)
```
## Stack
Python 3.12+ ยท Pydantic AI ยท MCP (Anthropic SDK) ยท FastAPI (SSE) ยท ChromaDB (ONNX MiniLM embedder) ยท httpx ยท structlog ยท uv
## Running
```bash
uv sync
cp .env.example .env # add ANTHROPIC_API_KEY (and optionally NVD_API_KEY)
uv run sec-recon-seed # seed ChromaDB with recent high-severity CVEs (~1k)
uv run sec-recon-mcp # terminal 1: MCP server on :8001
uv run sec-recon-api # terminal 2: agent API on :8000
curl -N -X POST http://localhost:8000/v1/triage \
-H "Content-Type: application/json" \
-d '{"query": "Apache 2.4.49 on port 80. Risk?"}'
```
## Status
All four MCP tools, the Pydantic AI agent, and the FastAPI SSE surface have landed. Test suite: 35 passed. See:
- `docs/design.md` โ architecture decisions, threat model, and the security review findings applied to the code.
- `examples/triage_walkthrough.md` โ three real sessions against the live agent (specific CVE, product description, Nmap XML), captured 2026-05-18.
## License
MIT.