
Fray — WAF Security Testing MCP Server
Fingerprint WAFs and run large payload libraries against your staging URL before launch without leaving the agent IDE.
Overview
Fray is an MCP server for the Ship phase that runs WAF recon, fingerprinting, and thousands of security payloads against authorized web targets.
What is this MCP server?
- 5,500+ WAF-oriented test payloads in the Fray toolkit
- 25 WAF vendor fingerprints to identify what sits in front of your app
- 21 recon checks to map exposure before bypass attempts
- Bypass-oriented AI assistance bundled in Fray MCP v3.0.1
- PyPI stdio package fray for local agent-driven runs
- 5,500+ payloads per registry description
- 25 WAF fingerprints
What problem does it solve?
You shipped behind a WAF but never verified whether common bypass payloads still reach your origin.
Who is it for?
Solo full-stack builders running authorized pre-launch WAF checks on staging or bug-bounty-in-scope hosts.
Skip if: Builders without explicit permission to test a target, or teams wanting SOC2 paperwork instead of technical WAF trials.
What do I get? / Deliverables
You get structured WAF identification, recon signals, and payload trial results your agent can turn into fix tickets before go-live.
- WAF vendor fingerprint results from 25 supported signatures
- Recon output from 21 documented checks
- Payload trial feedback usable in security fix lists before launch
How it compares
Fray is an offensive WAF lab MCP server, not a passive dependency vulnerability scanner.
Common Questions / FAQ
Who is Fray for?
Developers and indie security-minded builders who need agent-driven WAF testing on apps they control or are authorized to assess.
When should I use Fray?
Use it during Ship security work when a staging URL is live and you want fingerprints, recon, and payload trials before production launch.
How do I add Fray to my agent?
Install the PyPI package fray, configure it as a stdio MCP server in your agent, and aim tools only at in-scope hosts per your security policy.