What is a context?

A context is a security knowledge bundle the agent loads before starting an engagement. It gives the agent domain expertise: methodology, techniques, tools, and reporting guidance for a specific type of security work. Contexts are served via the rifteo-context-mcp MCP server and retrieved on demand through natural language. Unlike skills (which define a specific technique), contexts define the full engagement methodology: the phases to follow, what to test, how to validate findings, and how to report.

Install the MCP server

```bash
git clone https://github.com/Rifteo/context-mcp
cd context-mcp
pip install -e .
```

Register with all detected agents at once:

```bash
rifteo-context install
```

Or register with a specific agent:

```bash
rifteo-context install --agent claude-code
rifteo-context install --agent cursor
rifteo-context install --agent gemini-cli
```

Supports 15 agents: Claude Code, Cursor, Windsurf, Gemini CLI, Cline, Kiro, Codex, OpenCode, Amp, Continue, GitHub Copilot, Aider Desk, Roo Code, OpenHands, Goose.

Using a context

Once the MCP server is registered, ask your agent in plain language:

```
list all available security contexts
get the web-app-pentest context
```

The agent automatically loads the right level (L1 for an overview, L2 when it needs deep methodology detail).

Available contexts

| Context | What it covers |
|---|---|
| Web App Pentest | Full web app pentest methodology: recon, auth, injection, business logic |
| Cloud Audit | AWS/Azure/GCP: IAM, storage exposure, networking, logging, secrets |
| Code Audit | Source code security review: secrets, auth logic, injection sinks, crypto, dependencies |
| AD Pentest (Unauthenticated) | Unauthenticated infra pentest with AD focus: host discovery, SMB null sessions, AS-REP roasting, Kerberoasting |

Context anatomy

Every context lives in its own directory with a single required file:

```
contexts/
└── web-app-pentest/
    └── CONTEXT.md
```

CONTEXT.md

The core of every context. It has a frontmatter block and a body structured in three levels:

```markdown
---
name: my-context
l0: One sentence describing what this context covers.
---

## L1 Overview

When to use this context and what it covers at a high level.

---

## L2 Full Methodology

Complete detailed content the agent uses during the engagement.
```

See CONTEXT_GUIDE.md for the full format reference including optional fields.

The 3-tier loading system

Each context has three levels of detail. The MCP server loads the right level based on what the agent needs, keeping token usage low.

| Level | What it contains | When used |
|---|---|---|
| L0 | One sentence from the l0 frontmatter field | Listings, quick discovery |
| L1 | Overview: when to use, key focus areas, high-level scope | Default load at session start |
| L2 | Full methodology: phases, techniques, tools, commands, reporting | Loaded when the agent needs deep detail |

Context vs skill

| | Context | Skill |
|---|---|---|
| Scope | Full engagement methodology | Single technique or workflow |
| When loaded | At session start | When the user’s request matches a trigger |
| Content | Phases, tools, reporting guidance | Step-by-step instructions, output format, rules |
| Example | web-app-pentest | xss-hunter, jwt-cracker |

Contexts and skills work together: a context defines the engagement methodology and references relevant skills at each phase.

Naming conventions

| Rule | Good | Avoid |
|---|---|---|
| Use kebab-case | web-app-pentest, cloud-audit | WebAppPentest, cloud_audit |
| Name by engagement type, not tool | api-security-review | burp-scan |
| Keep names under 40 characters | mobile-pentest | android-and-ios-mobile-pentest-full |
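
The CONTEXT.md layout, the three tiers and the naming rules above can be checked before a context is published. The following is an added example, not code from rifteo-context-mcp: a small Python parser and linter whose function names, sample file and heading-based section splitting are assumptions made for illustration.

```python
import re

# Constructed sample that follows the CONTEXT.md layout shown on this page.
SAMPLE = """---
name: web-app-pentest
l0: Full web app pentest methodology.
---

## L1 Overview

When to use this context and what it covers at a high level.

---

## L2 Full Methodology

Complete detailed content the agent uses during the engagement.
"""

KEBAB = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")

def parse_context(text):
    """Return (frontmatter dict, {"L0","L1","L2": text}) for one CONTEXT.md."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        raise ValueError("missing frontmatter block")
    meta = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    levels = {"L0": meta.get("l0", "")}
    # Assumption: each tier starts at a '## L1 ...' or '## L2 ...' heading.
    parts = re.split(r"^## (L[12])\b.*$", m.group(2), flags=re.M)
    for tag, content in zip(parts[1::2], parts[2::2]):
        # Drop the '---' rule that separates L1 from L2.
        levels[tag] = re.sub(r"\n---\s*$", "", content.strip()).strip()
    return meta, levels

def lint(meta, levels):
    """Check the naming rules and that all three tiers have content."""
    problems = []
    name = meta.get("name", "")
    if not KEBAB.match(name):  # also keeps the name safe as a directory name
        problems.append("name is not kebab-case")
    if len(name) >= 40:
        problems.append("name is not under 40 characters")
    problems += [f"{t} is missing or empty" for t in ("L0", "L1", "L2") if not levels.get(t)]
    return problems
```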

Next step

Ready to write a context? Follow the CONTEXT_GUIDE.md in the community repo.