Skip to content

Setup

This article describes how to enable and configure API Security Testing via Postman.

1. Add Wallarm's MCP server

  1. In Postman, access its AI Agent.

  2. In AI Agent panel, click Configure ("gear"), and select Configure MCP servers.

  3. In displayed MCP Servers tab, click Add ("plus") and do one of the following:

    • Select Rogue MCP Server Detection from the list of the featured MCP servers

    • Or just click Edit config and save the following to it:

      {
    "mcpServers": {
        "Rogue MCP Server Detection": {
            "command": "npx",
            "args": [
                "-y",
                "rogue-mcp@latest"
            ],
            "env": {
                "WALLARM_API_TOKEN": "YOUR_WALLARM_API_TOKEN"
            }
        }
    }
}

    Free MCP scans available immediately

    After adding the MCP server, you can immediately run Rogue MCP Inspection scans on your installed MCP servers โ€” no registration or API key required.

2. Subscribe and get API token

API Security Testing requires a paid Rogue MCP subscription. To unlock it, obtain a WALLARM_API_TOKEN and add it to the MCP server configuration in Postman.

New users:

  1. Register and subscribe at roguemcp.wallarm.com.

  2. Copy the provided API token and paste it as the WALLARM_API_TOKEN value in your MCP server configuration in Postman.

Existing users:

  1. Contact Wallarm Support to get the Rogue MCP subscription.

  2. Once the subscription is active, go to Wallarm Console โ†’ Settings โ†’ API Tokens and create a token of the Rogue MCP type.

  3. Copy the token and paste it as the WALLARM_API_TOKEN value in your MCP server configuration in Postman.

Credits

Credits are only consumed when running API Security Testing on Postman collections โ€” Rogue MCP Inspection scans are always free.

3. Ask to test the collection

With Wallarm's MCP server and credentials in place, use natural language in Postman Agent Mode to ask for a security test. For example: "Please, test the collection for security issues with Wallarm."

The Agent runs the tests (typically 2โ€“3 minutes) and responds with a report; results are also sent to Wallarm Cloud. To interpret them, see Exploring Results.