Blog · AI & MCP
Driving bug bounty recon from Claude or Cursor with MCP
Most recon is repetitive: find fresh scope, add a target, run a scan, read back what it found, decide what's worth testing. That loop is exactly the kind of work an AI client can drive for you — if your tooling speaks the Model Context Protocol. Here is what that looks like in practice, and where the AI genuinely helps versus where you still do the real work.
What MCP actually is
The Model Context Protocol (MCP) is a standard way to expose a set of tools to an AI client like Claude or Cursor. Instead of copy-pasting output between a terminal and a chat window, you connect an MCP server once and the client can call its tools directly, in plain language, as part of a conversation. For recon, that means the AI can run the discovery-and-triage loop itself and hand you the result, rather than you orchestrating each step by hand.
Connecting a recon platform over MCP
ASMHunter ships an MCP server (asmhunter-mcp, published on PyPI). Connecting it is one config block:
{
"mcpServers": {
"asmhunter": {
"command": "uvx",
"args": ["asmhunter-mcp"],
"env": {
"ASMHUNTER_TOKEN": "asm_live_YOUR_TOKEN_HERE"
}
}
}
}
Once it's in your client, your entire workspace becomes a toolset the AI can call — 34 tools spanning program intel, scanning, hunt sessions, entries, reports, and attribution. Full setup is in the MCP & API docs.
What the loop looks like
You don't call tools by hand. You describe the outcome you want:
“Show me programs with recent scope changes. Pick one with genuinely fresh scope, add its new domain as a target, list the available scan workflows and run a recon and subdomain-enum scan. When it finishes, summarize the newly-discovered assets and any findings by severity, flag which ones are worth manual testing, and draft a report skeleton for the most promising one.”
The AI chains the underlying tools — get scope changes, create the target, list workflows, trigger the scan, poll its status, read back assets and findings, log a lead, draft a report — and hands you a prioritized surface. Because sessions are goal-driven, you can set an objective (“find IDOR in billing”) and the AI keeps every step pointed at what actually pays.
Where AI helps — and where it doesn't
Be honest with yourself about the split. AI-driven recon is genuinely good at the ~80% grind: discovering fresh scope, spinning up targets, running scans, reading back the attack surface, organizing a hunt, and drafting the boilerplate of a report. That's real time saved on work that was never the fun part.
What it does not do is find the high-value manual bugs for you. IDOR, business-logic flaws, auth bypasses, and clever chains are still your job — they require the intuition and creativity a tool can't fake. The point of driving recon from an AI client isn't to replace your testing; it's to buy back the hours you'd otherwise spend on setup and triage, so you can spend them on the manual work that actually earns bounties.
Why this pairs with continuous monitoring
Ad-hoc AI recon is useful, but it's most powerful on top of continuous attack surface monitoring. Keep your targets under continuous sweeps, let the alerts tell you when something changes, and use the AI client to investigate the moment you're pinged: “a new subdomain just landed on this target — pull its assets and tell me what's worth looking at.” The monitoring finds the change; the AI triages it; you test it.
ASMHunter's MCP server is available from the Hunter tier up. Start free, then mint a Personal Access Token from Settings and read the MCP & API docs to connect it to Claude or Cursor.