When HCL AppScan introduced AUDIT, the AppScan Unit-level DAST Intelligent Tester, the objective was simple: Let developers test individual endpoints and application behavior earlier, directly from their IDE or CI/CD pipeline. Instead of waiting for late-stage scans or security reviews, they can run unit-level DAST tests while code is still being written and fixes are inexpensive.
With the latest addition of the MCP server, we’re taking the next step in simplifying the testing journey for our developers. They can now generate unit-level DAST tests with a simple prompt, augmenting manually written test cases and accelerating security testing with minimal effort.
What is AUDIT MCP
AUDIT MCP builds on the original promise of AUDIT—unit-level DAST—but eliminates the learning overhead and manual steps required to create tests. To understand how, let’s first understand the Model Context Protocol (MCP).
MCP acts as a translation layer between product APIs and Large Language Models (LLMs). It allows AI agents to interact directly and conversationally with real product capabilities, giving AI systems a native understanding of how a product works.
In the context of security testing, AUDIT MCP gives AI coding agents full contextual awareness of AUDIT, enabling them to design and generate unit-level tests from simple prompts directly within the workspace. This lets developers focus on reviewing and running tests rather than writing them manually.
Built for Developer Workflows
AUDIT MCP sits at the intersection of code, the IDE, and the AUDIT engine, fitting naturally into existing developer workflows. Developers can use their existing IDEs that already work with .NET-based environments (like Visual Studio, VS Code, Cursor, Rider, Windsurf, or even Google Gravity). It can also work without an IDE by using Claude Code or OpenAI Codex from the terminal or dedicated apps. The main prerequisites are a coding agent with MCP support and a configured .NET environment to run the tests.
Developers have full control over how security tests are executed, choosing which severity levels matter—low, high or critical—and defining when a scan should fail a build. When deeper insight is needed, detailed reports provide enough context to understand the issue, fix it, and rerun the test with confidence.
The prompt-driven approach also makes it easier to turn technical findings into clear business risk, supporting faster, more informed decisions without adding friction to the developer workflow.
Generating Unit-Level DAST Tests in Minutes
- Developer selects code – Pick an endpoint or a section of your code you want to test.
- Prompt the AI – Type a simple instruction like: “Generate a unit test for the selected lines using AUDIT.”
- AI generates the test – Using AUDIT MCP and knowledge of the code, the AI agent generates a fully formed, compilable unit-level DAST test.
- Test execution – The generated test can be run immediately within the developer’s environment, helping identify vulnerabilities while the code is still fresh.
- Reporting and iteration – Executed tests generate results and reports based on the generated code. Developers can review findings, modify as needed and rerun tests in a tight feedback loop.
In Short: AUDIT MCP enables AI agents to autonomously create and set up AUDIT tests directly within the workspace. The AI agent doesn’t rely on guesswork or invent test structures. Guided by MCP, it uses a structured understanding of how AUDIT works and how to apply it correctly.
This is shift-left security made frictionless—no deep dives into documentation, no manual test writing, just prompt-driven execution. For developers, this means more precise, immediately compilable AUDIT unit test code generated on demand, with less uncertainty and guesswork.
Evolving Developer-First Security
AUDIT MCP represents a significant advancement in HCL AppScan’s DAST for Developers journey, which began by making DAST accessible earlier in the development workflow and helping developers catch vulnerabilities sooner. The introduction of AUDIT added unit-level granularity, letting developers test individual endpoints.
AUDIT MCP now combines AUDIT with AI-native, prompt-driven workflows so developers no longer write tests—they simply express intent. This seamlessly integrates security into everyday coding and makes the developer experience faster, simpler and more intuitive.
Read our user guide or reach out to us if you’d like to see it in action.
Want to know more about the MCP server and how it works? Check out our blog post on its integration with HCL AppScan on Cloud.




