AI Security Scanner.
40,000+ Detection Rules.

MEDUSA detects prompt injection, MCP (Model Context Protocol) vulnerabilities, RAG (retrieval-augmented generation) poisoning, agent attacks, and 200 CVEs across your AI/ML stack. 514 false positive filters for 96.8% FP reduction. Free and open source.

pip install medusa-security && medusa scan .

MEDUSA GitHub stars Trusted by 900+ developers on GitHub

MEDUSA — cybernetic Medusa emblem with a glowing security shield, the AI security scanner
40,000+
Detection Patterns
200
CVEs Detected
96.8%
FP Reduction

See It in Action

Run one command. Get a full AI security audit across 79 scanners in seconds.

medusa scan .

AI Applications Need Security Too

LLM agents, MCP servers, and RAG pipelines introduce attack surfaces that traditional scanners miss

AI Agents Are Under Attack

Prompt injection, jailbreaking, and tool poisoning can hijack your AI agents. CVE-2025-6514 proved MCP servers are already being exploited. Traditional SAST tools don't detect these attack vectors.

Blind Spots in AI Pipelines

RAG poisoning, dataset injection, and model extraction attacks happen before your code even runs. Your training data, embeddings, and knowledge bases can all be vectors for adversarial content.

New Protocols, New Risks

MCP, UCP, AP2, and ACP — the emerging agent-communication protocols — are powerful but introduce discovery endpoint attacks, credential smuggling, and cross-tool exploitation. These protocols need security scanning from day one.

Built for the Agentic AI Era

79 scanners, 40,000+ detection patterns, and 514 FP filters covering the entire AI security landscape

40,000+ AI Security Patterns

Industry-leading coverage for prompt injection, jailbreaking, MCP tool poisoning, RAG security, agent memory attacks, supply chain risks, and traditional SAST. 514 false positive filters ensure 96.8% FP reduction.

Agent Protocol Security

91 dedicated rules for MCP, UCP, AP2, and ACP vulnerabilities. Detect discovery endpoint attacks, credential smuggling, tool poisoning, and cross-agent exploitation.

CVE Detection

200 CVEs via CVEMiner covering LangChain, PyTorch, MCP, LlamaIndex, and more. Version-aware SCA detection — only flags installed vulnerable versions.

Zero Setup Required

Works immediately after pip install. No external tools, no API keys, no configuration needed. Just install and scan. Multi-core parallel processing out of the box.

IDE Integration

Works with Claude Code, Cursor, VS Code, and Gemini CLI. Get AI security feedback right in your development workflow. SARIF output for GitHub Code Scanning.

Beautiful Reports

Export to JSON, HTML, SARIF, or Markdown. Glassmorphism HTML dashboard, machine-readable JSON for CI/CD, and SARIF for GitHub integration.

Detection Coverage

Updated for OWASP Top 10 for LLM Applications 2025 and MITRE ATLAS

800+
Prompt Injection
Direct, indirect, jailbreaks, system prompt leakage, long-context attacks
900+
Agent Security
Excessive agency, memory poisoning, HITL bypass, agentic attacks, delegation abuse
600+
MCP & Protocols
Tool poisoning, confused deputy, UCP, AP2, ACP vulnerabilities, advanced attacks
1,400+
Model Security
Federated learning, RLHF attacks, model poisoning, synthetic data poisoning, finetuning
350+
Supply Chain
Dependency confusion, typosquatting, slopsquatting, malicious packages
300+
RAG Security
Vector injection, document poisoning, tenant isolation, knowledge injection
200
Known CVEs
Version-aware SCA detection across 7 ecosystems: Python, npm, Java, Go, Rust, Ruby, PHP
50+
File Types
Python, JS/TS, Go, Rust, Java, Docker, Terraform, YAML, and more

Why not just use Semgrep or Snyk?

Use them! MEDUSA covers the AI attack surface they weren't built for — most teams run it alongside their existing tools.

Traditional SAST (Semgrep, Snyk)

Excellent at classic code vulnerabilities — injection, XSS, insecure crypto. But prompt injection surfaces, MCP tool poisoning, and RAG pipeline attacks aren't in their rule sets. MEDUSA includes traditional SAST rules too, and adds the AI-specific layer on top.

LLM Red-Teaming (garak)

Tools like garak probe a running model with adversarial prompts — dynamic testing of model behaviour. Complementary, not overlapping: MEDUSA statically scans the code, configs, and pipelines around the model before anything runs.

MEDUSA

Static scanning purpose-built for the AI stack: prompt injection surfaces, MCP and agent-protocol rules, RAG poisoning, AI supply-chain attacks, and 200 known CVEs across 7 ecosystems — plus the traditional code checks, in one zero-setup scan.

What's New in v2026.7.0

Claude Code compromise detection, always-on AI attack signatures, and native Rust & PHP coverage.

Claude Code Compromise Detection

Vets your .claude/ directory — hooks, permissions, and skills — for injected instructions and backdoors targeting AI coding assistants.

Always-On AI Attack Signatures

AI attack-signature scanning now runs on every scan by default. No flags, no configuration — protection is the baseline.

Native Rust & PHP Coverage

22 new Rust rules and 16 new PHP rules bring first-class coverage to two more ecosystems.

--trace-rules Diagnostics

See exactly which rules fired on which files, and why — for tuning, auditing, and false-positive triage.

Simple, Transparent Pricing

Free forever for open-source scanning. Pro adds an ultra-fast runtime proxy that blocks attacks in real time.

Coming Soon
Professional
$99/dev/mo
Ultra-fast proxy blocks attacks before they reach your LLM
  • Everything in Free
  • Runtime proxy server
  • 1,100+ real-time filters
  • Sub-millisecond latency
  • REST API & webhooks
  • Priority support
Join Waitlist
Coming Soon
Enterprise
$499/50 devs/mo
Full AI security platform for teams at scale
  • Everything in Professional
  • Custom detection rules
  • SSO / SAML
  • Audit logs & compliance
  • On-premise deployment
  • Dedicated support
Contact Sales

Coming Soon: Runtime Proxy

MEDUSA scans your code. The proxy protects it in production.

Ultra-Fast Filtering

Built in Zig for maximum performance. The MEDUSA proxy sits between your application and your LLM, filtering 1,100+ attack patterns with sub-millisecond latency overhead.

Real-Time Blocking

Block prompt injection, jailbreaking, and data exfiltration attempts before they reach your model. Every request and response is scanned against production-grade detection rules.

Drop-In Deployment

Point your LLM API calls through the proxy. Works with OpenAI, Anthropic, and any LLM provider. No code changes required. REST API and webhook integrations included.

Get Early Access

Frequently Asked Questions

What is MEDUSA?

MEDUSA is an AI-first security scanner with 79 scanners and 40,000+ detection rules. It scans for prompt injection, MCP vulnerabilities, RAG poisoning, agent attacks, and traditional code vulnerabilities across 50+ file types.

How do I install MEDUSA?

Install MEDUSA with pip: pip install medusa-security, then run medusa scan . in your project directory. Zero setup — no external tools, no API keys, no configuration.

Is MEDUSA free?

Yes — MEDUSA is free and open source under the AGPL-3.0 license. The core scanner with 79 scanners and 40,000+ rules is free forever. Professional and Enterprise tiers add runtime protection and team features.

Secure Your AI Stack in 30 Seconds

Install MEDUSA and scan your first project right now.

pip install medusa-security && medusa scan .
79 Scanners 40,000+ Rules Open Source Free Forever