MCP Server Reference
Drive HailBytes SAT campaigns from Claude, Cursor, Windsurf, or any MCP-compatible AI assistant. 14 tools covering the full simulation lifecycle.
Overview
Every HailBytes SAT instance ships with a built-in Model Context Protocol (MCP) server. AI assistants speak to it directly: create groups, generate templates, launch campaigns, and pull results without ever opening the dashboard. The MCP server uses Streamable HTTP transport, is stateless, and authenticates with the same API key as the REST API.
At a Glance
- Endpoint:
https://<your-sat-host>:3333/api/mcp/ - Transport: Streamable HTTP (stateless)
- Auth: Bearer token (same API key as the REST API)
- Tools: 14 (campaigns, templates, landing pages, groups, sending profiles)
- Compatible clients: Claude Desktop, Claude Code, Cursor, Windsurf, any Anthropic SDK with MCP support
Authentication
Pull your API key from the HailBytes SAT dashboard at Settings → API Key. Every MCP request must carry it in an Authorization: Bearer header. The MCP endpoint sits behind the same RequireAPIKey middleware as the REST API and inherits the user's role-based permissions.
# Verify the endpoint is reachable
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://sat.example.com:3333/api/mcp/Client Setup
Claude Desktop / Claude Code
Add the following to your Claude Desktop or Claude Code MCP settings (~/.config/claude/mcp.json on Linux, ~/Library/Application Support/Claude/mcp.json on macOS):
{
"mcpServers": {
"hailbytes-sat": {
"transport": "http",
"url": "https://sat.example.com:3333/api/mcp/",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}Cursor / Windsurf
{
"mcp": {
"servers": {
"hailbytes-sat": {
"url": "https://sat.example.com:3333/api/mcp/",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}
}Anthropic SDK (Python)
from anthropic import Anthropic
client = Anthropic()
response = client.beta.messages.create(
model="claude-sonnet-4-6",
max_tokens=2048,
mcp_servers=[{
"type": "url",
"url": "https://sat.example.com:3333/api/mcp/",
"name": "hailbytes-sat",
"authorization_token": "YOUR_API_KEY",
}],
messages=[{
"role": "user",
"content": "Launch a phishing campaign against the Marketing group using the Q2 template.",
}],
)Tool Reference
All 14 tools, grouped by resource. Required parameters are marked with *.
Campaign Tools
| Tool | Description | Parameters |
|---|---|---|
list_campaigns | List all phishing simulation campaigns. Returns names, statuses, and dates. | — |
get_campaign | Get full details: template, landing page, SMTP profile, groups, and results. | campaign_id* |
get_campaign_summary | Aggregated stats: targets, sent, opened, clicked, submitted, reported. | campaign_id* |
get_campaign_results | Per-target results: each target's email, status, and event timeline. | campaign_id* |
create_campaign | Create and schedule a new campaign. Requires existing template, landing page, sending profile, and group. | name*, template_name*, page_name*, smtp_name*, group_names*, url*, launch_date |
complete_campaign | Mark a running campaign as complete. Stops further sends and tracking. | campaign_id* |
Email Template Tools
| Tool | Description | Parameters |
|---|---|---|
list_templates | List templates. Returns id, name, subject (HTML body excluded for brevity). | — |
create_template | Create an email template. Use {{.URL}} for the phishing link, {{.FirstName}}/{{.LastName}} for personalization. | name*, subject*, html, text, envelope_sender |
Landing Page Tools
| Tool | Description | Parameters |
|---|---|---|
list_pages | List landing pages. Returns id and name (HTML excluded). | — |
create_page | Create a landing page shown to targets who click the phishing link. | name*, html*, capture_credentials, capture_passwords, redirect_url |
Target Group Tools
| Tool | Description | Parameters |
|---|---|---|
list_groups | List target groups. Returns id, name, target count. | — |
create_group | Create a target group. Each target object has email (required), plus optional first_name, last_name, position. | name*, targets* |
Sending Profile (SMTP) Tools
| Tool | Description | Parameters |
|---|---|---|
list_sending_profiles | List SMTP sending profiles. Returns id, name, host, from address, username (passwords excluded). | — |
create_sending_profile | Create an SMTP sending profile for delivering simulation emails. | name*, host*, from_address*, username*, password*, ignore_cert_errors |
Example: End-to-End Campaign in One Conversation
With the MCP server connected, an operator can run an entire engagement in conversation:
Operator: Run a Q2 phishing test against the Engineering group. Use a Microsoft 365 password-reset pretext, send from security@acme-cloud.io, and launch tomorrow at 9am ET.
Assistant (chained tool calls):
list_groups→ confirms "Engineering" exists with 184 targetslist_sending_profiles→ finds existing "Acme SES" profilecreate_template→ "Q2 M365 Password Reset" with subject "Action Required: Verify your Microsoft 365 password"create_page→ "M365 Login Mirror" with credential capture and training redirectcreate_campaign→ ties it together withlaunch_date: 2026-05-05T13:00:00Z
Permissions & Audit
- MCP requests inherit the API key owner's role and permissions. A read-only user can list and get, but cannot create or complete.
- Every tool call is captured in the audit log alongside the originating user, IP, and user agent.
- Rate limiting and request-body limits apply to MCP just as they do to the REST API.
Troubleshooting
401 Unauthorized:
- Confirm the API key is current. Rotate it from Settings → API Key if uncertain.
- Confirm the
Authorizationheader is present and usesBearer.
Tool not visible to client:
- Restart the client after editing the MCP config.
- Verify the URL ends with
/api/mcp/(trailing slash).
create_campaign rejected:
- Template, landing page, sending profile, and groups must already exist by name.
launch_datemust be ISO 8601 / RFC 3339 (2026-05-05T13:00:00Z).
Next Steps
REST API Reference
The full HTTP API behind every MCP tool, plus everything not yet exposed over MCP.
View Reference →Programmatic AWS Deploy
Spin up a HailBytes SAT instance from the AWS Marketplace AMI with a single AWS CLI command.
View Tutorial →Related Tutorials
- SAT Quickstart — first phishing simulation in 10 minutes.
- Programmatic Azure deploy — the same CLI flow on the Microsoft side.
- Browse the full tutorial library or see the HailBytes SAT product page.
Get the Free HailBytes SAT Getting Started Guide
A 7-part email series covering everything from your first deployment to advanced configuration and real-world workflows. One email per day, no spam.