AWS Lambda functions exposing pentest tools as MCP servers via HTTP (Function URLs).
Each lambda is a lightweight container image built on Amazon Linux 2023, grouped by tool stack and function. Deployed independently — scale each group based on demand, charge clients per request.
```
adversary portal
│
▼
lambdaclaw (MCP client)
│
├── lambda-recon-passive (amass, assetfinder, crt.sh, waybackurls, alterx, shuffledns)
├── lambda-recon-active (nmap, masscan, httpx, sslscan, http-headers-security)
├── lambda-crawl-discovery (katana, ffuf, arjun)
├── lambda-vuln-scan (nuclei + templates auto-updated)
├── lambda-exploit (sqlmap, hydra, mimikatz)
├── lambda-cloud-audit (scoutsuite)
└── lambda-mobile (mobsf)
```
Each lambda exposes an SSE MCP endpoint via AWS Function URL.

| Lambda | Tools | Stack | Use case |
|---|---|---|---|
| `recon-passive` | amass, assetfinder, crt.sh, waybackurls, alterx, shuffledns | Go / Node | Passive recon: subdomains, historical URLs, permutations |
| `recon-active` | nmap, masscan, httpx, sslscan, http-headers-security | Go / C | Active recon: ports, HTTP probing, SSL/TLS, security headers |
| `crawl-discovery` | katana, ffuf, arjun | Go / Python | Web crawling, directory fuzzing, parameter discovery |
| `vuln-scan` | nuclei | Go | Vulnerability scanning with auto-updated templates |
| `exploit` | sqlmap, hydra, mimikatz | Python / C | SQL injection, brute force, credential extraction |
| `cloud-audit` | scoutsuite | Python | Cloud security audit (AWS, Azure, GCP) |
| `mobile` | mobsf | Python | Mobile app security analysis (Android/iOS) |

GitHub Actions workflow (.github/workflows/rebuild.yml):
- Runs daily + on push to `main`
- Pulls latest tool versions
- Rebuilds and pushes each container image to ECR
- Ensures nuclei templates are always up to date
All lambdas use public.ecr.aws/lambda/nodejs:22-arm64 (Amazon Linux 2023) as base.
Tools compiled statically where possible (Go tools work great for this).
Each lambda reads tool paths from env vars:
- `NMAP_PATH`, `NUCLEI_PATH`, `FFUF_PATH`, etc.
- `AWS_LAMBDA_FUNCTION_URL`: exposed as MCP SSE endpoint
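
One way a handler could check these variables at cold start, so a broken image fails before it serves a request. This is an added example, not the project's own code: `resolveToolPaths` and `demo` are hypothetical names, and the `<TOOL>_PATH` naming is assumed from the three variables listed above.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Returns { nmap: "/abs/path/nmap", ... } or throws one error listing every problem.
function resolveToolPaths(env, tools) {
  const resolved = {};
  const problems = [];
  for (const tool of tools) {
    const key = `${tool.toUpperCase()}_PATH`; // assumed naming convention
    const value = env[key];
    if (!value) {
      problems.push(`${key}: not set`);
      continue;
    }
    // Require an absolute path so the binary is never resolved through $PATH.
    if (!path.isAbsolute(value)) {
      problems.push(`${key}: not an absolute path`);
      continue;
    }
    try {
      if (!fs.statSync(value).isFile()) throw new Error("not a regular file");
      fs.accessSync(value, fs.constants.X_OK); // must be executable
      resolved[tool] = value;
    } catch (err) {
      problems.push(`${key}: ${err.code || err.message}`);
    }
  }
  if (problems.length > 0) {
    throw new Error(`tool path check failed: ${problems.join("; ")}`);
  }
  return resolved;
}

// Constructed demo: a stand-in executable in a temp dir, then a bad environment.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "tools-"));
  const fake = path.join(dir, "nmap");
  fs.writeFileSync(fake, "#!/bin/sh\n");
  fs.chmodSync(fake, 0o755);
  const ok = resolveToolPaths({ NMAP_PATH: fake }, ["nmap"]);
  let failure = "";
  try {
    resolveToolPaths({ NMAP_PATH: fake, FFUF_PATH: "ffuf" }, ["nmap", "nuclei", "ffuf"]);
  } catch (err) {
    failure = err.message;
  }
  return { ok, fake, failure };
}
```

In a handler this would be called once at module load with `process.env`, and the returned map reused for every invocation.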

```
docker compose up
```

This starts all lambdas locally on ports 9001-9007 using the AWS Lambda RIE (Runtime Interface Emulator).