Scan intensities
Intensity decides how far a scan reaches. Each step up runs everything the level below it does, plus more invasive checks. Passive and probe are safe anywhere; explore and adversarial reach into behaviour, so they unlock only after you verify ownership of the server.
Passive: Catalog + metadata only. No tool calls.
What the server says about itself. Reads TLS, OAuth metadata, tools/list, serverInfo. No new connections. Safe in CI on every PR.

Probe: Read-only behaviour checks. Tools inspected, never invoked.
Whether the server does what it says. Bounded, targeted requests to verify declared behaviour: does an invalid token actually get rejected? Production-safe with rate-limit awareness.

Explore: Calls non-destructive tools and walks the edges.
What happens at the edges. Iterates the tool surface, walks pagination, bursts to trigger rate-limit behaviour, opens many connections. Best on staging, or on production with explicit opt-in.

Adversarial: LLM-driven, hypothesis-led exploitation.
What a determined attacker can extract. LLM-driven attack construction, prompt injection, tool poisoning, sustained exploitation chains. Opt-in per scan.
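As an added illustration (not the scanner's own code), the cumulative-level and gating rules above expressed as a small policy check: each level inherits the checks of the level below it, passive and probe run anywhere, explore and adversarial need verified ownership, and the production / per-scan opt-ins are enforced before anything invasive runs. The check names and the ScanContext fields are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Intensity(IntEnum):
    PASSIVE = 0
    PROBE = 1
    EXPLORE = 2
    ADVERSARIAL = 3


# Checks each level adds on top of the one below it (names are illustrative).
CHECKS_ADDED = {
    Intensity.PASSIVE: ["tls", "oauth_metadata", "tools_list", "server_info"],
    Intensity.PROBE: ["invalid_token_rejected"],
    Intensity.EXPLORE: ["pagination_walk", "rate_limit_burst", "connection_flood"],
    Intensity.ADVERSARIAL: ["llm_attack_chains"],
}


def checks_for(level: Intensity) -> list[str]:
    """Every step up runs everything the level below it does, plus its own checks."""
    return [c for lvl in Intensity if lvl <= level for c in CHECKS_ADDED[lvl]]


@dataclass
class ScanContext:
    ownership_verified: bool = False   # has the operator proven they own the server?
    environment: str = "ci"            # "ci", "staging" or "production" (assumed labels)
    explicit_opt_in: bool = False      # per-scan opt-in for invasive levels


def authorize(level: Intensity, ctx: ScanContext) -> tuple[bool, str]:
    """Decide whether a scan at `level` may run in `ctx`; returns (allowed, reason)."""
    if level <= Intensity.PROBE:
        return True, "read-only level, safe anywhere"
    if not ctx.ownership_verified:
        return False, "explore/adversarial unlock only after ownership is verified"
    if level == Intensity.EXPLORE and ctx.environment == "production" and not ctx.explicit_opt_in:
        return False, "explore on production requires explicit opt-in"
    if level == Intensity.ADVERSARIAL and not ctx.explicit_opt_in:
        return False, "adversarial requires opt-in per scan"
    return True, "authorized"


def plan_scan(level: Intensity, ctx: ScanContext) -> list[str]:
    """Return the checks that will actually run, or an empty plan if the gate refuses."""
    allowed, _reason = authorize(level, ctx)
    return checks_for(level) if allowed else []
```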