CTO TOOLS
SECURITY REVIEW & ENGINEERING LEADERSHIP
CTO Tools provides automated security risk analysis and engineering leadership frameworks. Correlates security alerts from multiple sources (SAST/DAST, CSPM, threat intel) with compliance policies to identify and prioritize risks. Also includes weekly team review frameworks for technical leaders.
INSTALLATION
One-Click Installation
Download the MCP Bundle for instant installation. Works with Claude Desktop, Cursor, Windsurf, and other MCP-compatible clients.
⚙️ Advanced: Manual Installation
Prefer to configure manually? Per-client instructions follow.
Claude Desktop
Edit: ~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "cto-tools": {
      "url": "https://ai.yuda.me/mcp/cto-tools/serve"
    }
  }
}
After saving, restart Claude Desktop (Cmd+Q then reopen). Look for the 🔌 icon.
Claude Code (CLI)
Run this command in your terminal:
claude mcp add --transport http cto-tools https://ai.yuda.me/mcp/cto-tools/serve
Cursor
Edit: ~/.cursor/mcp.json
{
  "mcpServers": {
    "cto-tools": {
      "url": "https://ai.yuda.me/mcp/cto-tools/serve"
    }
  }
}
Restart Cursor after saving the configuration.
Windsurf
Edit: ~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "cto-tools": {
      "url": "https://ai.yuda.me/mcp/cto-tools/serve"
    }
  }
}
Restart Windsurf after saving the configuration.
AVAILABLE TOOLS
security_review()
Automated security risk analysis that correlates alerts from multiple tools with compliance policies. Identifies, scores (0-100), and prioritizes security risks with actionable remediation steps.
What It Analyzes
- SAST/DAST vulnerabilities (SQL injection, XSS, hardcoded credentials)
- Cloud misconfigurations (public S3 buckets, unencrypted databases)
- Threat intelligence indicators
- Compliance policy violations (PII handling, encryption requirements)
Risk Scoring Model
- Alert Severity (40%) - CVSS scores + scanner criticality
- Exposure Risk (30%) - Environment, data classification, public access
- Policy Violations (30%) - Compliance policy weights
- Business Impact (multiplier) - Up to 1.5x for critical combinations
Output Format
- Natural language risk summary
- Structured JSON with all details
- Recommended actions with assignees
- Ready for copy-paste to ticketing systems
| Feature | Details |
|---|---|
| Demo Connectors | SAST, CSPM, Policy (works immediately) |
| Risk Severity | Critical, High, Medium, Low (80-100, 50-79, 20-49, <20) |
| Configuration | Zero config with demo data |
| Extensibility | Add custom connectors (Snyk, AWS Security Hub, etc.) |
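Worked example of the scoring model above and of the alert-to-policy correlation it relies on. This is an added illustration, not CTO Tools' own code or its real weights: it applies the 40/30/30 weights, a business-impact multiplier capped at 1.5x and the severity bands from the table, but the sub-score mappings (CVSS scaled to 100, an assumed 40/40/20 split for environment, data classification and public access, highest policy weight per asset), the cap at 100 and the sample findings are all assumptions chosen for illustration.

```python
# Added worked example; not CTO Tools' own code. Weights (40/30/30, multiplier
# up to 1.5x) and severity bands come from the page; every sub-score mapping,
# the cap at 100 and the sample findings below are assumptions.
from dataclasses import dataclass
import json


@dataclass
class Alert:
    asset: str
    source: str          # "sast", "dast", "cspm" or "threat_intel"
    title: str
    criticality: float   # CVSS, or scanner criticality mapped onto 0-10 (assumed)
    environment: str     # "production", "staging" or "dev"
    data_class: str      # "pii", "internal" or "public"
    public_access: bool


@dataclass
class PolicyViolation:
    asset: str
    policy: str
    weight: float        # compliance policy weight, assumed 0.0-1.0


# Illustrative lookup tables; the product's real weights are not published on the page.
ENV_POINTS = {"production": 1.0, "staging": 0.5, "dev": 0.2}
DATA_POINTS = {"pii": 1.0, "internal": 0.5, "public": 0.1}


def severity_score(alert):
    """0-100: CVSS-like criticality (0-10) scaled to 100."""
    return max(0.0, min(alert.criticality, 10.0)) * 10.0


def exposure_score(alert):
    """0-100 from environment, data classification and reachability (assumed 40/40/20 split)."""
    points = 0.4 * ENV_POINTS.get(alert.environment, 0.2)
    points += 0.4 * DATA_POINTS.get(alert.data_class, 0.1)
    if alert.public_access:
        points += 0.2
    return points * 100.0


def policy_score(violations):
    """0-100: heaviest policy violated on the asset (assumed aggregation)."""
    return max((v.weight for v in violations), default=0.0) * 100.0


def business_multiplier(alert, violations):
    """1.0-1.5x; 'critical combinations' assumed to be prod+PII, and public exposure with a policy hit."""
    m = 1.0
    if alert.environment == "production" and alert.data_class == "pii":
        m += 0.25
    if alert.public_access and violations:
        m += 0.25
    return min(m, 1.5)


def band(score):
    """Bands from the page: 80-100 Critical, 50-79 High, 20-49 Medium, <20 Low."""
    if score >= 80:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def score_alert(alert, violations):
    raw = (0.4 * severity_score(alert)
           + 0.3 * exposure_score(alert)
           + 0.3 * policy_score(violations))
    total = round(min(100.0, raw * business_multiplier(alert, violations)), 1)
    return {"asset": alert.asset, "source": alert.source, "title": alert.title,
            "score": total, "severity": band(total),
            "policies": sorted(v.policy for v in violations)}


def prioritize(alerts, violations):
    """Correlate each alert with the policy violations on the same asset, score, sort descending."""
    by_asset = {}
    for v in violations:
        by_asset.setdefault(v.asset, []).append(v)
    results = [score_alert(a, by_asset.get(a.asset, [])) for a in alerts]
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample findings in the shape the demo connectors describe.
SAMPLE_ALERTS = [
    Alert("payments-api", "sast", "Hardcoded database credential", 7.5, "production", "pii", False),
    Alert("customer-exports", "cspm", "S3 bucket allows public read", 9.0, "production", "pii", True),
    Alert("marketing-site", "dast", "Reflected XSS in search parameter", 6.1, "production", "public", True),
    Alert("internal-tool", "sast", "SQL injection in report filter", 8.6, "dev", "internal", False),
]
SAMPLE_VIOLATIONS = [
    PolicyViolation("customer-exports", "encryption-at-rest", 0.9),
    PolicyViolation("payments-api", "pii-handling", 0.8),
]

if __name__ == "__main__":
    print(json.dumps(prioritize(SAMPLE_ALERTS, SAMPLE_VIOLATIONS), indent=2))
```

Running the module prints the prioritized list as JSON, the shape a ticket could be cut from. With these inputs the public S3 bucket holding PII scores 100 and the hardcoded credential in the PII-handling service 97.5 (both Critical), while the dev-environment SQL injection lands at 42.8 (Medium) despite having the second-highest CVSS, which is the point of weighting exposure and policy context alongside raw severity.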
weekly_review()
A 3-phase framework for weekly engineering team reviews. It produces a summary of about 200 words, organized into 5 categories adapted to the work actually done, in a 15-20 minute review, and works with any codebase.
| Feature | Details |
|---|---|
| Output | ~200 words, 5 adaptive categories, contributor stats |
| Time | 15-20 minutes |
| Approach | Analysis-focused, not prescriptive |
KEY FEATURES
Multi-Source Correlation
Automatically links alerts from SAST, DAST, CSPM, and threat intel with policy violations
Intelligent Risk Scoring
0-100 scale based on severity, exposure, policy violations, and business impact
Actionable Output
Natural language summaries + structured JSON with recommended actions and assignees
Zero Configuration
Works immediately with built-in demo connectors, extensible for real tools
USAGE EXAMPLES
- Security Review — "Show me critical PII-related risks in the last 48 hours"
- Risk Prioritization — "What are the top 5 security risks in production?"
- Compliance Check — "Which cloud resources violate our encryption policies?"
- Weekly Review — "Run a weekly review of my team's work"
PRIVACY & SECURITY
| Feature | Details |
|---|---|
| Data Storage | None; demo data is processed in memory |
| Authentication | Not required for the demo connectors |
| Security Data | The demo connectors use built-in sample data only; prompts and tool arguments you send are delivered to the MCP endpoint configured above |
| Execution | The manual configurations above point your client at a remote HTTP endpoint (https://ai.yuda.me/mcp/cto-tools/serve), so tool calls leave your machine; only the MCP client runs locally |
| Extensibility | Add real connectors with your own API keys; scope those keys read-only and keep them out of chat prompts |