Product Knowledge Base

Everything you need to get the most out of the Lorikeet Security platform, from kicking off your first pentest to monitoring your entire attack surface.

Getting Access

Lorikeet Security operates two client portals. One account accesses both.

  1. Sign up at /ptaas/signup

    Use a corporate email. Free providers (Gmail, Yahoo, etc.) are not accepted.

  2. Verify your email

    Check your inbox for the verification link. Expires in 24 hours.

  3. Log in to your chosen portal

    Use the portal toggle on the login page to switch between PTaaS and ASM.

  4. Choose a plan or activate a demo

    Demo accounts can be activated instantly with a code from the pricing page.

Demo access: Contact us at lorikeetsecurity.com/contact to get a demo code and explore the platform immediately.

Portals at a Glance

PTaaS Client Dashboard

Track active engagements, view findings in real time, manage assets, collaborate with your team, and download deliverables.

Attack Surface Management

Continuously monitor your external attack surface from inside the client dashboard. Automated subdomain discovery, security checks, and AI-enriched findings running 24/7.

| | Pentest Engagements | Attack Surface Management |
| --- | --- | --- |
| Purpose | Managed pentest engagements | Continuous attack surface monitoring |
| Testing | Human-led, expert pentests | Automated, continuous scans |
| Findings | Curated by pentest team | AI-enriched + KB-linked |
| URL | /ptaas/dashboard/ | /ptaas/dashboard/asm/ |
| Integrations | MCP, Slack, Microsoft Teams, Discord, Webhooks, Jira, GitHub, GitLab, Azure DevOps, plus VirusTotal, Shodan, AbuseIPDB, Censys, and SecurityTrails for ASM enrichment | MCP, Webhooks, Slack, VirusTotal, Shodan |

PTaaS Portal

Client Dashboard Overview

Your command center for all active and historical pentest engagements.

The PTaaS portal gives your team full visibility into every pentest Lorikeet Security runs. Track project status, review findings in real time, mark remediations, communicate with the team, and download final reports without waiting for email updates.

Project Tracking

See exactly where each engagement is in the workflow, from scoping to remediation.

Live Findings

Findings appear in your dashboard as they are confirmed during the engagement.

Team Collaboration

Invite developers, security leads, and managers to your workspace.

Reports

Download final PDF reports, evidence packages, and compliance letters.

PTaaS Portal

Projects

A Project represents a single scoped pentest engagement with a type, timeline, assets, and findings attached.

Project Lifecycle

  1. Contracting

    Scope agreed, SOW being finalized.

  2. Actively Pentesting

    The Lorikeet Security team is live in your environment.

  3. Remediation

    Findings delivered; your team is fixing vulnerabilities.

  4. Retest

    The team verifies your fixes.

  5. Completed

    Final report issued. Project archived.

Project Types

| Type | Description |
| --- | --- |
| webapp | Web application penetration test |
| api | REST / GraphQL / SOAP API security assessment |
| mobile | iOS or Android mobile app pentest |
| cloud | AWS, Azure, or GCP configuration review |
| activedirectory | Active Directory / Entra ID assessment |
| redteam | Full red team simulation |
| soc2 | SOC 2 readiness penetration test |
| pcidss | PCI DSS scoped assessment |
| thickclient | Desktop / thick client application |
| iot | IoT / embedded device testing |
| hardware | Hardware and firmware security |
| physical | Physical security assessment |

PTaaS Portal

Assets

Assets define the scope of your engagement: what the pentest team is authorized to test.

Testing Types

| Type | What the Tester Knows | Best For |
| --- | --- | --- |
| Black-box | Nothing; acts as an external attacker | External threat simulation |
| Grey-box | Some credentials, docs, or architecture diagrams | Most engagements; balanced depth + realism |
| White-box | Full source code, credentials, infra access | Deep code-level review |

The Additional Information field is read by your pentest team. Include staging credentials, test accounts, exclusions, and tech stack details.

PTaaS Portal

Findings

Severity Levels

| Severity | CVSS | What It Means | Typical SLA |
| --- | --- | --- | --- |
| Critical | 9.0–10.0 | Immediate exploitation risk. Full compromise likely. | 48 hours |
| High | 7.0–8.9 | High impact. May require chaining but very realistic. | 7 days |
| Medium | 4.0–6.9 | Requires prerequisites but is a material risk. | 30 days |
| Low | 0.1–3.9 | Minimal direct impact. Defense-in-depth value. | 90 days |
| Info | 0.0 | Informational observations. | No SLA |

Finding Statuses

  • Open: Confirmed, not yet remediated
  • Ready for Retest: Fixed by your team; awaiting verification
  • Remediated: Fix verified by Lorikeet Security
  • Accepted Risk: Formally accepted by your organization
  • False Positive: Removed after further analysis

To request retest: click Mark Ready for Retest on the finding detail page. The Lorikeet Security team verifies and updates the status within the agreed retest window.

PTaaS Portal

Reports & Deliverables

  • Executive Summary: Business-level risk overview for leadership and board communication
  • Technical Report: Full findings with reproduction steps, evidence, and remediation
  • Evidence Package: Raw HTTP requests/responses, screenshots, and PoC files
  • Retest Attestation: Issued after Critical and High findings are verified remediated
  • Compliance Letter: Where applicable (SOC 2, PCI DSS, ISO 27001)

Raw findings can be exported via the API for GRC tools and ticketing systems. See the Developer Docs.

PTaaS Portal

Team Management

  1. Settings → Organization

    Only the account owner or admins can invite members.

  2. Enter the team member's email

    Must match your company domain.

  3. They receive an invite email

    Invites expire after 72 hours. You can resend from the pending list.

  4. Member accepts and sets a password

    Automatically added to your company workspace.

PTaaS Portal

Billing

Lorikeet Security uses Stripe for payments, managed from Settings → Billing.

  • All major credit cards accepted
  • Invoice-based billing for enterprise accounts
  • Invoices sent to your registered email automatically
  • Receipts and history downloadable from the billing portal

For custom payment terms, PO-based billing, or multi-engagement pricing, contact billing@lorikeetsecurity.com.

PTaaS Portal

Full Engagement Workflow

  1. Sign up and create a project

    Select your project type and add assets.

  2. Scope call with the team

    A Lorikeet Security engineer confirms the testing approach. Project moves to Contracting.

  3. SOW signed, engagement scheduled

    You receive a start date and a dedicated point of contact.

  4. Active testing

    Findings appear live in your dashboard as they are confirmed.

  5. Findings delivered

    Project moves to Remediation. Mark fixed items as ready for retest.

  6. Retest

    The Lorikeet Security team verifies all critical/high findings.

  7. Final report

    Full PDF report available in the portal. Attestation letter issued.

ASM Portal

Attack Surface Management Overview

Continuous, automated external attack surface monitoring for your domains.

The ASM portal runs ongoing security scans against your registered domains, alerting you when new subdomains appear, misconfigurations emerge, or vulnerable services are exposed.

Subdomain Enumeration

Automated discovery of all subdomains belonging to your registered domains, including shadow IT.

Security Checks

Each discovered host is checked for open ports, TLS issues, security headers, exposed services, and more.

AI Enrichment

Findings are enriched with AI-generated context, attack scenarios, and remediation from a curated KB.

Visual Screenshots

Each discovered web asset is automatically screenshotted so you can see what's exposed.

ASM Portal

Domain Management

Add root domains you own. The scanner discovers and monitors all subdomains automatically.

  1. ASM → Domains → Add Domain

    Enter your root domain (e.g. example.com).

  2. Verify ownership (some plans)

    Add a DNS TXT record to confirm ownership.

  3. Domain is monitored continuously

    Scans run on schedule. Manual scans can be triggered anytime.

Only add domains you own or have written authorization to test. The scanner performs active reconnaissance.

Domain Limits by Plan

| Plan | Domains | Scan Frequency | Findings History |
| --- | --- | --- | --- |
| Personal | 1 | Weekly | 30 days |
| Professional | 5 | Daily | 90 days |
| Company | Unlimited | Continuous | Unlimited |

ASM Portal

Scan Jobs

  1. Phase 1: Subdomain Enumeration

    DNS enumeration, certificate transparency logs, and brute-force wordlists.

  2. Phase 2: Security Checks

    Open ports, TLS/SSL config, HTTP headers, admin panels, subdomain takeover risk, and more.

  3. Phase 3: AI Enrichment + Screenshots

    Findings enriched with KB context, attack scenarios, and remediation. Screenshots captured.

| Status | Meaning |
| --- | --- |
| Pending | Queued, waiting to start |
| Running | Actively scanning; progress shown in real time |
| Completed | Scan finished; findings available |
| Failed | Fatal error; retry or contact support |

ASM Portal

ASM Findings

  • TLS/SSL: Expired certificates, weak ciphers, missing HSTS
  • Security Headers: Missing CSP, X-Frame-Options, CORP, etc.
  • Exposed Services: Admin panels, databases, RDP/SSH exposed to the internet
  • Subdomain Takeover: Dangling DNS records pointing to unclaimed cloud resources
  • Open Ports: Unexpected services on non-standard ports
  • Outdated Software: Detected versions with known CVEs
  • Misconfiguration: Public S3 buckets, exposed environment files

Each finding includes an AI Chat assistant: ask "How do I fix this in nginx?", "What's the CVSS score?", or "What's the real-world impact?" and get contextual answers grounded in your specific finding.

ASM Portal

Vulnerability Knowledge Base

ASM findings are enriched against nearly 2,000 KB entries sourced from:

  • OWASP ASVS: Application Security Verification Standard
  • OWASP WSTG: Web Security Testing Guide
  • OWASP Top 10: Most critical web application risks
  • MITRE CWE: Common Weakness Enumeration
  • MITRE CAPEC: Common Attack Pattern Enumeration

ASM Portal

Plans & Limits

ASM is available as a standalone subscription. See /asm#pricing for current pricing.

Enterprise plans with custom scan frequency and API-first access are available. Contact sales@lorikeetsecurity.com.

Lory AI Assistant

Your AI-powered cybersecurity guide, available on every page.

Lory is Lorikeet Security's AI assistant, trained on our full service catalog, pricing, methodology, and a knowledge base of nearly 2,000 vulnerability entries from OWASP, MITRE, and industry frameworks. Lory helps visitors understand cybersecurity concepts in plain English, find the right service, compare pricing, and navigate the platform. In the authenticated portal, Lory has live access to your projects, findings, and assets for personalized security guidance.

Conversational Chat

Ask questions in everyday language. Lory translates security jargon into plain English with streaming responses.

Knowledge Base Backed

Responses grounded in OWASP Top 10, ASVS, WSTG, MITRE CWE, and MITRE CAPEC data.

Voice Input & Output

Speak your questions and listen to Lory's responses with ElevenLabs-powered natural speech.

Pricing Guidance

Get instant pricing estimates and service recommendations tailored to your needs.

Charts & Reports

Visualize your findings data with interactive charts and generate printable security reports.

Book Meetings & Invoices

Schedule Teams meetings, generate Stripe invoices, or connect with a team member, all from the chat.

Lory AI

Response Types

Lory replies with structured content blocks for a richer experience than plain text.

| Block Type | Description | Example Use |
| --- | --- | --- |
| Text | Plain-language explanation | Answering "What is a pentest?" |
| List | Bullet-pointed items | Listing compliance frameworks |
| Pricing Card | Service name, price, timeline, and description | Showing web app pentest pricing |
| Link Card | Linked resource with title and description | Linking a relevant blog post |
| Table | Comparison data in rows and columns | Comparing service packages |
| Chart | Interactive chart (doughnut, bar, pie) | Severity breakdown of findings |
| Report | Printable security summary with sections | Executive overview of security posture |
| Invoice | Stripe invoice for immediate payment | Paying for a web app pentest |
| Booking | Schedule a Microsoft Teams consultation | Booking a free 30-minute call |
| Handoff | Connect with a human team member now | Urgent question about active engagement |
| Call to Action | Button linking to a next step | "View My Projects" |

Try it now: Visit lorikeetsecurity.com/lory to chat with Lory, or use the chat widget in the bottom-right corner of any page.

Where to Find Lory

  • Dedicated page: /lory for a full-screen chat experience with voice input and output
  • Widget: The floating chat bubble on every page of the website
  • Dashboard: Authenticated Lory inside the PTaaS and ASM portals with live access to your projects, findings, and assets

Lory does not store conversations between sessions. The authenticated dashboard version has access to your live project data, findings, and assets. For sensitive questions beyond that, contact your assigned tester directly.

Developer

MCP Server

Wire Claude Code, Cursor, Claude Desktop, or any MCP-aware agent directly into your Lorikeet Security workspace.

Model Context Protocol is an open standard for connecting LLMs to external data and tools. Lorikeet Security implements MCP over streamable HTTP: your AI client opens an authenticated HTTP connection, the server responds with JSON-RPC 2.0, and tool calls return structured results.

Once connected, your AI can answer questions like “list all critical findings from this month,” “is api.acme.io in scope for testing?,” or “find KB entries about SSRF” without you copying anything in or out of the portal. Every request is authenticated — either with a per-company bearer token you issue yourself, or via OAuth 2.1 for remote and hosted connectors — and is scoped to read-only permissions by default.

Query Findings

List PTaaS pentest findings by severity, status, project, or affected asset, or fetch the full body of a single finding.

Search the KB

Free-text search across ~1,969 OWASP ASVS/WSTG/Top10 and MITRE CWE/CAPEC entries from a Claude prompt.

Triage ASM Assets

List distinct affected assets with finding counts and a scope verdict so an agent can pick the right target before going deeper.

Check Scope

Confirm any domain, URL, or IP is in scope — with the matching rules — before calling a heavier tool against it.

Only the curated pentest_findings table is exposed via MCP. ASM scanner findings are deliberately not surfaced; use asm.assets to discover what's playable, then pivot to PTaaS findings or scope.check from there.

Already a customer? The full in-portal docs (with auto-filled examples, every protocol method, and your token issuance flow) live at Dashboard → MCP Docs. This page is the public reference.

MCP

Endpoint & Authentication

Endpoint

All MCP traffic is JSON-RPC 2.0 over HTTPS to a single base URL:

https://lorikeetsecurity.com/ptaas/mcp/

An unauthenticated GET on this URL returns a discovery payload — server name, version, transport, the list of tool names exposed, and the catalogue of available scopes. Use it to sanity-check the URL before you issue a token. A POST with a JSON-RPC body dispatches a method call (initialize, tools/list, tools/call, …). The protocol version is 2025-06-18.

{
  "name": "lorikeet-mcp",
  "version": "0.2.0",
  "protocol": "mcp",
  "transport": "streamable-http",
  "docs": "https://lorikeetsecurity.com/ptaas/dashboard/mcp-docs",
  "tools":  ["asm.assets", "findings.get", "findings.list", "kb.search", "ping", "scope.check"],
  "scopes": ["findings:read", "findings:write", "kb:read", "compliance:read", "retest:request", "tickets:write"]
}

Authentication

There are two ways to authenticate, and both end up presenting a bearer token in the Authorization header:

  • Static tokens — you issue a long-lived lkmcp_ token yourself on the MCP Server page (the bearer string is shown only once) and paste it into your client's config. Best for local tools like Claude Code and Cursor. Covered below.
  • OAuth 2.1 — remote and hosted connectors (e.g. the Claude.ai / Claude Desktop connector and the Anthropic MCP Directory) self-register and run an authorization-code flow, so no token is ever copied by hand. See OAuth & Connectors.

Either way the token is scoped to a set of permissions — see Tools & Scopes below. All access tokens are prefixed lkmcp_.

Treat tokens like API keys. They grant access to your security data. Never commit them to git, never paste them into untrusted tools, and rotate them if you suspect leakage. All MCP traffic is audit-logged.

MCP

OAuth & Remote Connectors

For hosted clients that can't ship a hand-pasted token — the Claude.ai / Claude Desktop connector, the Anthropic MCP Directory, and similar — the MCP endpoint is a full OAuth 2.1 resource and authorization server with Dynamic Client Registration. You don't configure any of this by hand: point the connector at the base URL and it walks the flow for you, finishing on a Lorikeet consent screen where you approve the requested scopes.

How a connector discovers us

An unauthenticated JSON-RPC request returns 401 with a WWW-Authenticate header that points at our protected-resource metadata, which in turn points at the authorization server:

WWW-Authenticate: Bearer realm="lorikeet-mcp",
  resource_metadata="https://lorikeetsecurity.com/ptaas/mcp/.well-known/oauth-protected-resource"

  • GET /ptaas/mcp/.well-known/oauth-protected-resource — RFC 9728 metadata; names the authorization server and supported scopes.
  • GET /ptaas/mcp/.well-known/oauth-authorization-server — RFC 8414 metadata; advertises the register, authorize, and token endpoints, the authorization_code + refresh_token grants, and S256 as the only PKCE method.

The flow

  1. Register: POST /ptaas/mcp/oauth/register (RFC 7591). The connector self-registers and receives a client_id. Public PKCE clients get no secret. Registration is open but rate-limited per IP.
  2. Authorize: GET /ptaas/mcp/oauth/authorize with PKCE (S256) required. The human-auth step reuses your dashboard session (bouncing through /ptaas/login if you're not signed in), then shows a consent screen listing the exact scopes being granted. Approve to be redirected back with an authorization code.
  3. Token: POST /ptaas/mcp/oauth/token exchanges the code (grant_type=authorization_code) for an access token plus a refresh token.
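
The client side of steps 2 and 3, as an added example (not Lorikeet's or any connector's own code): it derives the S256 PKCE challenge, builds the authorize request, validates the redirect, and prepares the token-exchange form. The client_id, redirect URI and state value are constructed placeholders, and the space-delimited scope parameter follows RFC 6749 rather than anything stated on this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Authorize path is from this page; everything passed in by the caller is an assumption.
AUTHORIZE_URL = "https://lorikeetsecurity.com/ptaas/mcp/oauth/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Fresh 43-character verifier built from 32 random bytes; never reuse one."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id, redirect_uri, scopes, verifier, state) -> str:
    """URL the user's browser is sent to; only the challenge leaves the client."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # assumed space-delimited (RFC 6749)
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",  # the only method the server advertises
    }
    return AUTHORIZE_URL + "?" + urlencode(query)


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the redirect carries our state."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch; discard this response")
    return params["code"][0]


def token_request_form(client_id, redirect_uri, code, verifier) -> dict:
    """Form body for the token endpoint; the verifier proves who started the flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
```

An intercepted authorization code is useless without the verifier, which never appears in the browser redirect.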

Token lifetimes

  • Access tokens are short-lived (1 hour) lkmcp_ bearers — identical in shape to a manually issued token, so every tool behaves the same regardless of how you authenticated.
  • Refresh tokens last 60 days and rotate on every use via grant_type=refresh_token. Reuse of an already-rotated refresh token is treated as compromise and revokes the whole token family.
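
The refresh-token rule above, modelled as an added example (an in-memory sketch, not Lorikeet's implementation): each use rotates the token, and presenting an already-rotated token revokes every token descended from the same grant. The `rt_` token format, the family identifier and the fresh 60-day window on each rotation are assumptions made for the illustration.

```python
import hashlib
import secrets

REFRESH_TTL = 60 * 24 * 60 * 60  # refresh tokens last 60 days (from this page)


class InvalidGrant(Exception):
    """Refresh request rejected."""


class RefreshTokenStore:
    """Hypothetical store; keeps only SHA-256 digests of issued tokens."""

    def __init__(self):
        self.records = {}     # digest -> {"family", "expires", "used"}
        self.revoked = set()  # family ids revoked after a replay

    @staticmethod
    def digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, family, now):
        token = "rt_" + secrets.token_urlsafe(32)  # constructed format
        self.records[self.digest(token)] = {
            "family": family,
            "expires": now + REFRESH_TTL,  # assumed: window restarts on rotation
            "used": False,
        }
        return token

    def start_family(self, now):
        """First refresh token of a new grant (after the code exchange)."""
        return self.issue(secrets.token_hex(8), now)

    def rotate(self, token, now):
        """Consume one refresh token and return its successor."""
        rec = self.records.get(self.digest(token))
        if rec is None:
            raise InvalidGrant("unknown refresh token")
        if rec["family"] in self.revoked:
            raise InvalidGrant("token family revoked")
        if rec["used"]:
            # Two parties hold the same token: treat as compromise.
            self.revoked.add(rec["family"])
            raise InvalidGrant("rotated token replayed; family revoked")
        if now >= rec["expires"]:
            raise InvalidGrant("refresh token expired")
        rec["used"] = True
        return self.issue(rec["family"], now)


def replay_scenario():
    """Constructed sequence: two normal rotations, then a replay of the first token."""
    store = RefreshTokenStore()
    r1 = store.start_family(now=0)
    r2 = store.rotate(r1, now=3600)
    r3 = store.rotate(r2, now=7200)
    outcomes = []
    for label, token in (("replay r1", r1), ("current r3", r3)):
        try:
            store.rotate(token, now=7300)
            outcomes.append((label, "ok"))
        except InvalidGrant as exc:
            outcomes.append((label, str(exc)))
    return outcomes
```

In the scenario the legitimate holder of the newest token is locked out as well, which is the intended signal: the user has to re-authorize, and the stolen copy stops working.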

Prefer static tokens for local CLI tools (Claude Code, Cursor) — they're simpler and don't expire on the hour. OAuth is there for hosted connectors that can't store a long-lived secret.

MCP

Client Setup

Claude Code

Add the server to ~/.claude/mcp.json (user-level) or your project's .mcp.json:

{
  "mcpServers": {
    "lorikeet": {
      "type": "http",
      "url": "https://lorikeetsecurity.com/ptaas/mcp/",
      "headers": {
        "Authorization": "Bearer lkmcp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      }
    }
  }
}

Then in any Claude Code session run /mcp to confirm the connection — you should see lorikeet with a green status.

Claude Desktop

Open the app, go to Settings → Developer → Edit Config, and add:

{
  "mcpServers": {
    "lorikeet": {
      "transport": {
        "type": "http",
        "url": "https://lorikeetsecurity.com/ptaas/mcp/",
        "headers": { "Authorization": "Bearer lkmcp_..." }
      }
    }
  }
}

Quit and re-open Claude Desktop. The Lorikeet Security tools will appear in the tool picker.

Newer Claude Desktop / Claude.ai builds can instead add Lorikeet as a remote connector: paste only the base URL https://lorikeetsecurity.com/ptaas/mcp/ and approve the OAuth 2.1 consent screen — no token to copy.

Cursor

In Cursor: Settings → MCP → Add new MCP server. Pick the http transport, paste the endpoint URL, and add the bearer header.

Other MCP-Aware Clients

Any client that supports the streamable-HTTP transport from the MCP spec will work. Provide the endpoint URL plus an Authorization: Bearer lkmcp_... header.

MCP

Tools & Scopes

Tools are advertised via the standard tools/list JSON-RPC method and invoked via tools/call. The currently published surface:

| Tool | Scope | Description |
| --- | --- | --- |
| ping | (none) | Health check. Returns server time, your company id, token prefix, and the scopes attached to your token. No scope required beyond a valid bearer. |
| findings.list | findings:read | List PTaaS pentest findings with filters (severity, status, project_id, affected_asset). Returns up to 50 rows with id, project, title, severity, status, asset, CWE, and CVSS. |
| findings.get | findings:read | Fetch the full body of a single PTaaS finding by id (description, attack scenario, remediation, evidence, CVSS, CWE, dates). Scoped to your company. |
| kb.search | kb:read | Free-text search across the ~1,969-entry vulnerability KB. Filter by source (OWASP-ASVS, OWASP-WSTG, OWASP-TOP10, MITRE-CWE, MITRE-CAPEC) and severity. |
| asm.assets | findings:read | List distinct affected_asset values from your ASM findings, each annotated with findings count, high/critical count, and a scope verdict (in_scope, out_of_scope, unknown). |
| scope.check | findings:read | Return the current scope verdict for an arbitrary target (domain, URL, or IP) together with the matching rules. Useful for agents that want to confirm a target before calling a heavier tool. |

Only the curated pentest_findings table is exposed through findings.list / findings.get. ASM scanner findings are deliberately not surfaced over MCP — use asm.assets for the ASM surface.

Scope Strings

Tokens are issued with a comma-separated scope string. Read-only scopes are the default:

  • findings:read — list and fetch PTaaS findings, list ASM assets, check scope
  • kb:read — query the vulnerability KB
  • compliance:read — read GRC control state (planned)

Write scopes — findings:write, tickets:write, retest:request — require a separate explicit grant from your account manager and are off by default.

MCP

Example Calls

If you'd rather talk to the server directly than through an agent, here's the raw JSON-RPC. The full POST envelope is shown for the first example; the rest are just JSON bodies.

1. Handshake (initialize)

The first call your client makes after connecting. Returns the negotiated protocol version, server capabilities, and an instructions string that tells the agent how to behave inside the Lorikeet Security surface.

POST https://lorikeetsecurity.com/ptaas/mcp/
Authorization: Bearer lkmcp_...
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "initialize",
  "params": {
    "protocolVersion": "2025-06-18",
    "capabilities": {},
    "clientInfo": { "name": "my-agent", "version": "1.0.0" }
  }
}

2. List available tools (tools/list)

{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "tools/list"
}

3. List the latest critical findings

{
  "jsonrpc": "2.0",
  "id": 3,
  "method": "tools/call",
  "params": {
    "name": "findings.list",
    "arguments": {
      "severity": "critical",
      "status":   "open",
      "limit":    20
    }
  }
}

4. Search the KB for a topic

{
  "jsonrpc": "2.0",
  "id": 4,
  "method": "tools/call",
  "params": {
    "name": "kb.search",
    "arguments": {
      "q": "server side request forgery",
      "source": "MITRE-CWE",
      "limit": 5
    }
  }
}

5. Confirm a target is in scope

{
  "jsonrpc": "2.0",
  "id": 5,
  "method": "tools/call",
  "params": {
    "name": "scope.check",
    "arguments": { "target": "api.acme.io" }
  }
}

Every tools/call response wraps the tool's payload in result.content[0].text as a pretty-printed JSON string — that's the standard MCP shape.

MCP

Rate Limits & Errors

Rate Limits

Per-token, soft limits apply:

  • 60 requests / minute on read calls
  • 10 requests / minute on search calls (kb.search)
  • Burst capacity: 20 requests in a 5-second window

Exceeding the limit returns HTTP 429 with a Retry-After header. Well-behaved MCP clients back off automatically.

JSON-RPC Error Codes

Errors follow JSON-RPC 2.0 (error.code + error.message). The codes you'll see:

| Code | Meaning | Typical cause |
| --- | --- | --- |
| -32700 | Parse error | Request body wasn't valid JSON. |
| -32600 | Invalid request | JSON parsed but isn't a valid JSON-RPC object. |
| -32601 | Method not found | Unknown JSON-RPC method (not the same as unknown tool). |
| -32602 | Invalid params | Missing/extra argument, wrong type, or value out of range. |
| -32603 | Internal error | Unhandled server-side exception. Usually transient. |
| -32001 | Auth error | Missing, expired, malformed, or revoked bearer. Also returned with data.code: "scope_denied" when a scope rule denies access. |
| -32004 | Not found | Resource doesn't exist or isn't owned by your company (e.g. unknown finding id). |
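
A minimal direct client tying together the Example Calls and the limits and error codes above, as an added example (not Lorikeet's own code): it builds a tools/call envelope, unwraps result.content[0].text, surfaces the scope_denied case, and turns a 429 into a bounded wait. The sample responses and their payload field names are constructed, and the sketch assumes the server replies with a plain JSON body rather than an event stream.

```python
import json
import urllib.error
import urllib.request

MCP_URL = "https://lorikeetsecurity.com/ptaas/mcp/"  # endpoint from this page


class McpError(Exception):
    """JSON-RPC error object returned by the server."""

    def __init__(self, code, message, data=None):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.data = data or {}

    @property
    def scope_denied(self):
        # -32001 with data.code "scope_denied": the token lacks the tool's scope
        return self.code == -32001 and self.data.get("code") == "scope_denied"


class RateLimited(Exception):
    def __init__(self, delay):
        super().__init__(f"HTTP 429, retry in {delay:.0f}s")
        self.delay = delay


def build_tool_call(request_id, tool, arguments):
    """JSON-RPC 2.0 envelope for tools/call, in the shape the examples use."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": tool, "arguments": arguments}}


def unwrap_tool_result(response):
    """Return the tool payload, or raise McpError for a JSON-RPC error."""
    if "error" in response:
        err = response["error"]
        raise McpError(err.get("code"), err.get("message", ""), err.get("data"))
    # The payload is a JSON string inside result.content[0].text
    return json.loads(response["result"]["content"][0]["text"])


def retry_delay(status, headers, default=5.0, ceiling=60.0):
    """Seconds to wait after a 429 (capped), or None for any other status."""
    if status != 429:
        return None
    try:
        seconds = float(headers.get("Retry-After", ""))
    except (TypeError, ValueError):
        seconds = default  # header missing or in HTTP-date form
    return min(max(seconds, 0.0), ceiling)


def call_tool(token, tool, arguments, request_id=1, timeout=15):
    """POST one tools/call. Load the token from the environment, not from source."""
    body = json.dumps(build_tool_call(request_id, tool, arguments)).encode()
    request = urllib.request.Request(MCP_URL, data=body, method="POST", headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json, text/event-stream",
    })
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return unwrap_tool_result(json.load(resp))
    except urllib.error.HTTPError as exc:
        delay = retry_delay(exc.code, exc.headers)
        if delay is not None:
            raise RateLimited(delay) from exc
        raise


# Constructed sample responses (payload field names are hypothetical).
SAMPLE_OK = {"jsonrpc": "2.0", "id": 5, "result": {"content": [{
    "type": "text",
    "text": json.dumps({"target": "api.acme.io", "verdict": "in_scope"}, indent=2),
}]}}
SAMPLE_DENIED = {"jsonrpc": "2.0", "id": 3, "error": {
    "code": -32001, "message": "Auth error", "data": {"code": "scope_denied"}}}
```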

Troubleshooting

401 Unauthorized. Token is missing, malformed, expired, or revoked. Confirm the Authorization: Bearer lkmcp_... header is present and current. A WWW-Authenticate: Bearer realm="lorikeet-mcp" header is returned.

JSON-RPC -32001 with data.code: "scope_denied". Your token doesn't include the scope required by that tool. Ask your account manager to re-issue with the right scopes.

Tools don't show up in Claude Code. Run claude mcp list to confirm the server is registered, then call tools/list directly with curl. If the endpoint returns 200 but the tools list is empty, the token may not have any read scopes attached.

Questions, token issues, or want write access? Email support@lorikeetsecurity.com or message your account team from the portal.

Integrations

Connect Lorikeet Security to your existing toolchain from Dashboard → Workspace → Marketplace (or Attack Surface → Marketplace for ASM enrichment). We ship 13 production integrations across four categories. View the full marketplace.

Notifications & Messaging

Slack

Real-time alerts for new findings, scan completions, and retest updates.

Microsoft Teams

Adaptive Card alerts delivered to any Teams channel.

Discord

Rich embed security alerts for teams living in Discord.

Custom Webhooks

Push any event to any HTTPS endpoint with HMAC-SHA256 signature support.

Ticketing, Code & DevOps

Jira

Auto-create Jira issues from findings with severity-to-priority mapping.

GitHub

Code vulnerability scanning, secret detection, and dependency analysis.

GitLab

Repository scanning, merge request analysis, and GitLab Issues from findings.

Azure DevOps

Scan Azure Repos and auto-create Azure Boards work items from findings.

Threat Intelligence (Attack Surface)

Enable these from Attack Surface → Marketplace to enrich ASM scans with reputation, port, certificate, and DNS data.

VirusTotal

Domain reputation and subdomain discovery via passive DNS and 70+ AV engines.

Shodan

Open port scanning, service fingerprinting, and CVE lookup for your IPs.

AbuseIPDB

IP reputation and abuse-report scoring across your attack surface.

Censys

TLS/SSL certificate monitoring, expiry alerts, and host discovery.

SecurityTrails

Enhanced subdomain enumeration, DNS history, and WHOIS lookups.

Request an integration if you don't see your tool listed — we prioritize the marketplace based on customer demand.

For full webhook payload format and signature verification, see the Developer Documentation.

Webhooks

  • finding.created: New confirmed finding added to a project
  • finding.updated: Finding severity or status changes
  • finding.resolved: Finding marked remediated by the pentest team
  • scan.started / scan.completed: ASM scan job lifecycle
  • asset.discovered: New asset found during ASM enumeration
  • ticket.created / ticket.updated: Support/retest ticket changes

FAQ

Can I use both portals with one account?

Yes. One Lorikeet Security account grants access to both. Use the portal toggle on the login page.

How long do findings take to appear after a scan?

PTaaS findings appear in real time. ASM scan jobs complete in 3–10 minutes for small-to-medium attack surfaces.

Can I export findings to CSV or PDF?

PDF export is available from the findings dashboard. JSON/CSV export is available via the API.

What domains can I add to ASM?

Only domains and IP ranges you own or have written authorization to test.

How do I request a retest?

Click Mark Ready for Retest on the finding detail page. The team is notified automatically.

Can I invite my developers?

Yes. From Settings → Organization you can invite any number of team members. All members see the same workspace data.

Contact Support

Last updated: May 2026  ·  Lorikeet Security
