AI Model Context Protocol (MCP)

Overview

Model Context Protocol (MCP) is an open-source standard developed by Anthropic that enables AI assistants to securely connect to AttackForge with external data sources and tools.

MCP transforms AI from a conversational knowledge base into a practical assistant that can work with your actual AttackForge data and tools to get real work done, fast!

MCP has significant benefits for AttackForge users:

1. More Helpful and Accurate Responses

Access to Current AttackForge Information

Instead of being limited to training data, AI assistants using MCP can pull real-time information from AttackForge - for example access to your latest vulnerabilities and projects. This provides context and answers based on your latest data, not outdated information.

Personalized Assistance

MCP enables AI to access your specific context - your AttackForge vulnerabilities, writeups, assets, projects - making responses tailored to your actual situation rather than generic advice.

2. Greater Productivity

Unified Interface

Instead of switching between different APIs and creating complex scripts, you can interact with your AttackForge through a single conversational interface. Ask questions about your data, retrieve records, check statuses, all in one place.

Automated Workflows

The AI can perform multi-step tasks, like pulling data from AttackForge, analyzing it, and updating a spreadsheet or creating a presentation - all from a simple request.

3. Better Privacy and Control

Data Stays Where It Belongs

With MCP, your sensitive vulnerability data doesn't need to be sent to AI providers for training. The AI accesses your data when needed and only for your specific requests.

Granular Permissions

You control exactly what data and capabilities the AI can access on behalf of any AttackForge user you authorize to use MCP, ensuring appropriate boundaries and compliance with your security requirements.

4. Future-Proof Investment

Vendor Independence

If you build workflows using MCP, you're not locked into a specific AI provider. You can switch AI assistants while keeping all your integrations working.

Growing Ecosystem

As AttackForge continues to build more MCP tools and services, you'll automatically gain access to new capabilities without needing custom development work.

Enabling MCP

To get started with MCP:

AttackForge Enterprise - MCP is available with your licence.
AttackForge Core - MCP can be add-on from Administration > Subscriptions

To enable MCP - go to Administration > Integrations and enable the toggle for MCP.

IMPORTANT: When MCP is enabled, access to MCP Tools is not yet available. Each tool must be enabled by an AttackForge administrator on a per-user basis for maximum security.

Configuring Remote MCP

Remote MCP are remote Model Context Protocol servers that are hosted on the internet rather than on your local machine. Remote MCP servers extend AI applications' capabilities beyond your local environment, providing access to internet-hosted tools, services, and data sources. Unlike local MCP servers that run on your computer, remote servers are accessible from any MCP client with an internet connection.

The key advantage of remote MCP servers is their accessibility - unlike local servers that require installation and configuration on each device. This makes them particularly useful for web-based AI applications (like AttackForge) and services that require server-side processing or authentication.

Remote MCP servers expose tools, prompts, and resources that AI assistants can use. These servers can integrate with various services such as AttackForge.

AttackForge has a built-in OAuth v2.1 service which is used to authenticate users connecting to AttackForge MCP. Every AttackForge user connecting to AttackForge via remote MCP must explicitly grant the AI assistant permission to do so on behalf of the user.

Self Registration

Self registration allows AttackForge users to register their AI assistant to use AttackForge MCP directly. This saves time and effort for AttackForge administrators having to manually create OAuth2 Client IDs and Client Secrets and having to share that information with enrolling users.

Self registration is handled using the built-in AttackForge OAuth2 Authorization Server which comes with every AttackForge tenant, and is made available when MCP is enabled in AttackForge.

To enable self registration - go to Administration > Integrations > MCP and toggle to option to enable self registration.

IMPORTANT: When Self Registration is enabled, access to MCP Tools is not yet available. Each tool can be enabled on a per-user basis by the AttackForge administrators for maximum security.

ChatGPT Self Registration

Select Apps & Connectors

Click on Create

Enter in a name for your connecter. For the MCP Server URL this should be in the following format: https://{{ATTACKFORGE-HOSTNAME}}/mcp . Click Create.

You will be redirected to AttackForge. If you are not logged in - you will first need to log in. After you have logged in - you will see the screen below. Click on Agree and Continue. You will then be redirected back to ChatGPT.

Click Publish

Review and actions then click Publish

AttackForge MCP will now be available.

Try the integration by going to a new chat. Click on + and select More. Select the AttackForge connector, then try a prompt!

Claude Self Registration

Select Connectors

Select Add custom connector

Enter in a name for your connecter. For the MCP Server URL this should be in the following format: https://{{ATTACKFORGE-HOSTNAME}}/mcp . Click Add.

Click Connect

You will be redirected to AttackForge. If you are not logged in - you will first need to log in. After you have logged in - you will see the screen below. Click on Agree and Continue. You will then be redirected back to Claude.

Try the integration by going to a new chat. Click on Settings and enable the AttackForge connector, then enabled the relevant tools you have access to. Try a prompt!

Assisted Registration

If self registration is disabled - AI assistants can still get access to AttackForge MCP using assisted registration. The process is as follows:

AttackForge admin manually registers the AI assistant for the required AttackForge user. This process results in the creation of an OAuth 2 Client Id and Client Secret which is then shared with the AttackForge user.
AttackForge user supplies the Client Id and Client Secret to their AI assistant to configure the integration.

Manually Registering MCP Clients

Go to Users > (Select the user) > Applications > MCP Client

Click on Add Client. Include a name for the client and insert the redirect URLs. Click Add

TIP: Click on the down arrow to see common redirect URLs for popular remote MCP clients

Copy the Client Id and Client Secret.

IMPORTANT: The Client Secret will only be shown one time. Make sure to copy it.

Manually Enrolling ChatGPT

Select Apps & Connectors

Click on Create

Enter in a name for your connecter. For the MCP Server URL this should be in the following format: https://{{ATTACKFORGE-HOSTNAME}}/mcp . Enter in the OAuth 2 Client Id and Client Secret. Click Create.

You will be redirected to AttackForge. If you are not logged in - you will first need to log in. After you have logged in - you will see the screen below. Click on Agree and Continue. You will then be redirected back to ChatGPT.

Click Publish

Review and actions then click Publish

AttackForge MCP will now be available.

Try the integration by going to a new chat. Click on + and select More. Select the AttackForge connector, then try a prompt!

Manually Enrolling Claude

Select Connectors

Select Add custom connector

Enter in a name for your connecter. For the MCP Server URL this should be in the following format: https://{{ATTACKFORGE-HOSTNAME}}/mcp . Click Advanced Settings. Enter in the OAuth 2 Client Id and Client Secret. Click Add.

Click Connect

You will be redirected to AttackForge. If you are not logged in - you will first need to log in. After you have logged in - you will see the screen below. Click on Agree and Continue. You will then be redirected back to Claude.

Try the integration by going to a new chat. Click on Settings and enable the AttackForge connector, then enable the relevant tools you have access to. Try a prompt!

Configuring Local MCP

Local MCP are local Model Context Protocol servers that run directly on your machine rather than connecting to remote services, like Claude Desktop and LM Studio.

The key advantages of local MCP servers include:

Complete Data Privacy: Local servers process data on your device, offering complete data privacy since information never leaves your machine.
Offline Functionality: Local servers work without internet connectivity once downloaded, which is crucial for developers working in secure environments or areas with unreliable internet access.
Predictable Performance: Local servers offer predictable performance since they're not dependent on network latency or external service availability.

Local MCP is particularly valuable for sensitive data processing, secure enterprise environments, and scenarios where you need AI capabilities without relying on external services.

Claude Desktop Configuration

Download and install Claude Desktop

Open Claude Desktop

Click on Profile > Settings

Click on Developer

Within Local MCP Servers - click on Edit Config

Open claude_desktop_config.json in a text editor, and add the following local MCP server. Make sure to add your AttackForge hostname for the "AF_HOSTNAME" and your AttackForge User API Key for the "AF_USER_KEY"

{
    "mcpServers": {
        "af-mcp-server": {
            "command": "npx",
            "args": [
                "-y",
                "@attackforge/mcp-server"
            ],
            "env": {
                "AF_HOSTNAME": "demo.attackforge.com",
                "AF_USER_KEY": "asjkdhuwqj...<REMOVED>....kashdkjhdkqhu"
            }
        }
    }
}

Save the file. Quit/Close Claude Desktop. Re-open Claude Desktop and open your Settings and click on Developer. You should see af-mcp-server is now running.

In Settings, click on Connectors and observe af-mcp-server is available. You can configure the integration and tools from here.

Try the integration by going to a new chat. Click on Settings and enable the AttackForge connector, then enable the relevant tools you have access to. Try a prompt!

User Access to MCP

Once a user has connected their AI assistant to AttackForge, they can start to leverage the MCP Tools made available to them.

IMPORTANT: Each MCP Tool must be be enabled on a per-user basis by the AttackForge administrators for maximum security.

Access to Tools

Go to Users > (Select the user) > Access > MCP

View details for each Tool. Select the tools to enable for the user. Click Add

Once the tools have been enabled, the user is now able to access those tools in their AI assistant.

MCP Sessions

When a user has established a session with AttackForge MCP using their AI assistant, their sessions will become visible in Users > (Select the user) > Applications > MCP Sessions

Removing User Access to MCP

To remove a users' access to AttackForge MCP - apply each of the following steps.

Tools

Whoami

Description

This tool can be used to provide details regarding the currently authenticated AttackForge user.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool whoami and click Add

Example Prompts

Who is my AttackForge user?

What is my AttackForge user id?

What is my AttackForge email address?

Example Response

{
	"id":"5ad737d6e576e6290aff1808",
	"email":"[email protected]"
}

Count Projects

Description

This tool can be used to count Projects using a provided filter expression.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool count_projects and click Add

Example Prompts

How many projects do I have in AttackForge?

Supported Query Fields

id: {
  description: "This is the project id.",
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
}
created: {
  description: 'The timestamp that this project was created.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
modified: {
  description: 'The timestamp that this project was last modified.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
name: {
  type: 'string',
}
code: {
  type: 'string',
}
start_date: {
  description: 'The timestamp that this project is expected to commence.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
end_date: {
  description: 'The timestamp that this project is expected to conclude.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
status: {
  enum: [
    'Completed',
    'On Hold',
    'Overrun',
    'Retest',
    'Testing',
    'Waiting to Start'
  ]
}
org_code: {
  description: 'This is used to capture the Organizational Code that this project belongs',
  type: 'string',
}
vuln_code: {
  description: 'The Vulnerability Code that is used to generate the alernate id for the project vulnerabilities',
  type: 'string',
}
attack_chains_enabled: {
  description: 'Indicates if attack chains are enabled on this project',
  type: 'boolean'
}
reporting_enabled: {
  description: 'Indicates if reporting is enabled on this project',
  type: 'boolean'
}
retesting_enabled: {
  description: 'Indicates if the retesting workflow is enabled on this project',
  type: 'boolean'
}
summary_enabled: {
  description: 'Indicates if the summary page is enabled on this project',
  type: 'boolean'
}
custom_tags: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      name: { type: 'string' },
      value: { type: 'string' }
    },
    required: ['name', 'value'],
    additionalProperties: false
  }
}
custom_fields: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      key: {
        type: 'string',
        pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$',
      },
      value: {
        oneOf: [
          {
            type: 'string',
          },
          {
            type: 'array',
          },
        ]
      }
    },
    required: ['key', 'value'],
    additionalProperties: false
}

Example Response

{
	"count": 15
}

Count Vulnerabilities

Description

This tool can be used to count Vulnerabilities using a provided filter expression.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool count_vulnerabilities and click Add

Example Prompts

How many vulnerabilities do I have in AttackForge?

Supported Query Fields

id: {
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
  description: "This is the vulnerability id.",
}
created: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was created.'
},
modified: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was last modified.'
}
title: {
  type: 'string',
}
priority: {
  enum: [
    'Critical',
    'High',
    'Medium',
    'Low',
    'Info'
  ]
}
alternate_id: {
  type: 'string',
}
cvssv3_1_score: {
  description: 'CVSSv3.1 score',
  type: 'number'
}
cvssv3_1_vector: {
  description: 'CVSSv3.1 vector string',
  type: 'string'
}
status: {
  enum: ['Closed', 'Open']
}
status_updated: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The status was last updated at this timestamp.'
}
target_remediation_date: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The latest timestamp at which the vulnerability is planned to be remediated.'
}
likelihood_of_exploitation: {
  type: 'integer',
  description: 'Scale of exploitability - 1 is least, 10 is most.'
}
steps_to_reproduce_html: {
  type: 'string',
}
release_date: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp when the vulnerability was marked as released.'
}
sla: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp when the vulnerability is expected to be remediated.'
}
tags: {
  type: 'array',
  items: { type: 'string' }
}
custom_tags: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      name: { type: 'string' },
      value: { type: 'string' }
    },
    required: ['name', 'value'],
    additionalProperties: false
  }
}
custom_fields: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      key: {
        type: 'string',
        pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$',
      },
      value: {
        oneOf: [
          {
            type: 'string',
          },
          {
            type: 'array',
          },
        ]
      }
    },
    required: ['key', 'value'],
    additionalProperties: false
}
is_retest: {
  enum: ['Yes', 'No'],
  description: 'Indicates whether this vulnerability has been marked for retest.'
}
is_zero_day: {
  enum: ['Yes', 'No'],
  description: 'Indicates whether this vulnerability has been categorised as zero day.'
}
writeup_id: {
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
  description: "This is the Writeup id. Example query: { writeup_id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }"
}

Example Response

{
	"count": 3232
}

Count Writeups

Description

This tool can be used to count Writeups using a provided filter expression.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool count_writeups and click Add

Example Prompts

How many writeups do I have in AttackForge?

How many writeups are in my main library?

Supported Query Fields

id: {
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
}
created: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was created.'
}
modified: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was last modified.'
}
attack_scenario: {
  type: 'string',
}
description: {
  type: 'string',
}
impact_on_availability: {
  enum: [
    'High',
    'Medium',
    'Low',
    'None',
  ]
}
impact_on_confidentiality: {
  enum: [
    'High',
    'Medium',
    'Low',
    'None',
  ]
}
impact_on_integrity: {
  enum: [
    'High',
    'Medium',
    'Low',
    'None',
  ]
}
import_source_id: {
  type: 'string'
}
import_source: {
  type: 'string'
}
likelihood_of_exploitation: {
  description: 'Scale of exploitability, 1 is least and 10 is most',
  enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
}
remediation_recommendation: {
  type: 'string'
}
severity: {
  description: '1 is least severe and 10 is most severe',
  enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
}
title: {
  type: 'string',
}
tags: {
  type: 'array',
  items: { type: 'string' }
}
custom_tags: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      name: { type: 'string' },
      value: { type: 'string' }
    },
    required: ['name', 'value'],
    additionalProperties: false
  }
}
custom_fields: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      key: {
        type: 'string',
        pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$',
      },
      value: {
        oneOf: [
          {
            type: 'string',
          },
          {
            type: 'array',
          },
        ]
      }
    },
    required: ['key', 'value'],
    additionalProperties: false
}

Example Response

{
	"count": 891
}

Find Projects

Description

This tool can be used to find Projects using a provided filter expression.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool find_projects and click Add

Example Prompts

Which projects are currently in Testing status? Include custom fields in the response.

Supported Query Fields

id: {
  description: "This is the project id. Match against single id: { id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }. Match against multiple ids: { id: { $in: [ ObjectId('65a440c08cade68ca7bc7192'), ObjectId('65a440c08cade68ca7bc7192') ] } }",
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
}
created: {
  description: 'The timestamp that this project was created.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
modified: {
  description: 'The timestamp that this project was last modified.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
name: {
  type: 'string',
}
code: {
  type: 'string',
}
start_date: {
  description: 'The timestamp that this project is expected to commence.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
end_date: {
  description: 'The timestamp that this project is expected to conclude.',
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
}
status: {
  enum: [
    'Completed',
    'On Hold',
    'Overrun',
    'Retest',
    'Testing',
    'Waiting to Start'
  ]
}
org_code: {
  description: 'This is used to capture the Organizational Code that this project belongs',
  type: 'string',
}
vuln_code: {
  description: 'The Vulnerability Code that is used to generate the alernate id for the project vulnerabilities',
  type: 'string',
}
attack_chains_enabled: {
  description: 'Indicates if attack chains are enabled on this project',
  type: 'boolean'
}
reporting_enabled: {
  description: 'Indicates if reporting is enabled on this project',
  type: 'boolean'
}
retesting_enabled: {
  description: 'Indicates if the retesting workflow is enabled on this project',
  type: 'boolean'
}
summary_enabled: {
  description: 'Indicates if the summary page is enabled on this project',
  type: 'boolean'
}
custom_tags: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      name: { type: 'string' },
      value: { type: 'string' }
    },
    required: ['name', 'value'],
    additionalProperties: false
  }
}
custom_fields: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      key: {
        type: 'string',
        pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$',
      },
      value: {
        oneOf: [
          {
            type: 'string',
          },
          {
            type: 'array',
          },
        ]
      }
    },
    required: ['key', 'value'],
    additionalProperties: false
}

Example Response

{
    "data":
    [
        {
            "id": "685500711d6a44e61f90db4e",
            "created": "2025-06-20T06:32:17.811Z",
            "modified": "2025-09-26T22:45:11.191Z",
            "name": "HackerOne Bug Bounty",
            "code": "H1-BB",
            "start_date": "2025-05-31T14:00:00.000Z",
            "end_date": "2025-07-31T13:59:59.000Z",
            "status": "Testing",
            "vuln_code": "H1",
            "attack_chains_enabled": true,
            "reporting_enabled": true,
            "retesting_enabled": true,
            "summary_enabled": true,
            "custom_tags":
            [],
            "custom_fields":
            [
                {
                    "key": "testing_types",
                    "value":
                    [
                        "Bug Bounty"
                    ],
                    "label": "Testing Type(s)"
                },
                {
                    "key": "substatus",
                    "value": "Continuous Testing",
                    "label": "Sub-Status"
                },
                {
                    "key": "project_budget",
                    "value": "Under $10,000",
                    "label": "Project Budget"
                },
                {
                    "key": "jira_project_key",
                    "value": "ATTAKFORGE",
                    "label": "JIRA Project Key"
                },
                {
                    "key": "slack_channel",
                    "value": "C08CC3EMXGE",
                    "label": "Slack Channel"
                }
            ]
        }
    ],
    "count": 1,
    "total": 1
}

Find Vulnerabilities

Description

This tool can be used to find Vulnerabilities using a provided filter expression.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool find_vulnerabilities and click Add

Example Prompts

Which vulnerabilities are currently in Retest status? Include custom fields in the response.

Supported Query Fields

id: {
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
  description: "This is the vulnerability id. Match against single id: { id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }. Match against multiple ids: { id: { $in: [ ObjectId('65a440c08cade68ca7bc7192'), ObjectId('65a440c08cade68ca7bc7192') ] } }",
}
created: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was created.'
},
modified: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was last modified.'
}
title: {
  type: 'string',
}
priority: {
  enum: [
    'Critical',
    'High',
    'Medium',
    'Low',
    'Info'
  ]
}
alternate_id: {
  type: 'string',
}
cvssv3_1_score: {
  description: 'CVSSv3.1 score',
  type: 'number'
}
cvssv3_1_vector: {
  description: 'CVSSv3.1 vector string',
  type: 'string'
}
status: {
  enum: ['Closed', 'Open']
}
status_updated: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The status was last updated at this timestamp.'
}
target_remediation_date: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The latest timestamp at which the vulnerability is planned to be remediated.'
}
likelihood_of_exploitation: {
  type: 'integer',
  description: 'Scale of exploitability - 1 is least, 10 is most.'
}
steps_to_reproduce: {
  type: 'string',
}
release_date: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp when the vulnerability was marked as released.'
}
sla: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp when the vulnerability is expected to be remediated.'
}
tags: {
  type: 'array',
  items: { type: 'string' }
}
custom_tags: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      name: { type: 'string' },
      value: { type: 'string' }
    },
    required: ['name', 'value'],
    additionalProperties: false
  }
}
custom_fields: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      key: {
        type: 'string',
        pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$',
      },
      value: {
        oneOf: [
          {
            type: 'string',
          },
          {
            type: 'array',
          },
        ]
      }
    },
    required: ['key', 'value'],
    additionalProperties: false
}
is_retest: {
  enum: ['Yes', 'No'],
  description: 'Indicates whether this vulnerability has been marked for retest.'
}
is_zero_day: {
  enum: ['Yes', 'No'],
  description: 'Indicates whether this vulnerability has been categorised as zero day.'
}
writeup_id: {
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
  description: "This is the Writeup id. Example query: { writeup_id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }"
}

Example Response

{
    "data":
    [
        {
            "id": "656168055d7035a12ade4cb3",
            "created": "2023-11-25T03:20:37.342Z",
            "modified": "2025-05-21T08:54:09.414Z",
            "title": "Hosts Respond with Hashes/Challenge-Responses to Spoofed Hostnames",
            "priority": "High",
            "project_ids":
            [
                "656158c0965172000f9119e8"
            ],
            "writeup_id": "5b9d9c9296d7402e00f42f8a",
            "affected_assets":
            [
                "682d94b146e588dd33696a46"
            ],
            "status": "Open",
            "status_updated": "2023-11-25T03:20:37.342Z",
            "target_remediation_date": "2025-05-26T14:00:00.000Z",
            "likelihood_of_exploitation": 9,
            "steps_to_reproduce": "<p>Run the tool Responder on an active broadcast domain:</p><p>{{{start-responder.png}}}</p><p>User attempts to search for a share that doesn't exist:</p><p>{{{user-mistypes-share.png}}}</p><p>View the LLMNR request in Responder:</p><p>{{{request-in-responder.png}}}</p><p>Get the user’s hashed credentials:</p><p>{{{user-hash.png}}}</p><p>Crack the hash using a tool such as Hashcat:</p><p>{{{cracked-hash.png}}}</p>",
            "release_date": "2023-11-25T03:20:37.362Z",
            "sla": "2025-06-19T14:00:00.000Z",
            "tags":
            [
                "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
                "CWE-290: Authentication Bypass by Spoofing",
                "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                "CVSSv3.1 Base Score: 8.1"
            ],
            "cvssv3_1_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "cvssv3_1_score": 8.1,
            "custom_tags":
            [],
            "custom_fields":
            [
                {
                    "key": "attack_narrative",
                    "value": "<p>For this assessment, attackers were placed on the 10.0.9.0/24 network segment. </p><p>This attack was executed from host 10.0.9.18.</p>",
                    "label": "Attack Narrative"
                },
                {
                    "key": "critical_steps",
                    "value":
                    [
                        {
                            "step": "1",
                            "details": "Ensure network access is established. Use 'ip a' or 'ifconfig' to confirm."
                        }
                    ],
                    "label": "Critical Steps"
                },
                {
                    "key": "technical_impact",
                    "value": "<p>Receive the hash or challenge-response and username of the person using the host, then subject the hashes to an offline password cracking/recovery attack.</p>",
                    "label": "Technical Impact"
                },
                {
                    "key": "persons_targeted",
                    "value":
                    [],
                    "label": "Persons Targeted"
                },
                {
                    "key": "cve",
                    "value": "CVE-2025-26943",
                    "label": "CVE"
                }
            ],
            "is_retest": "No",
            "is_zero_day": "No"
        }
    ],
    "count": 50,
    "total": 332
}

Find Affected Assets

Description

This tool can be used to find Affected Assets on Vulnerabilities using a provided filter expression.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool find_affected_assets and click Add

Example Prompts

How many affected assets do I have? Include custom fields in the response.

Supported Query Fields

ids: {
  description: 'Find AttackForge affected assets by id.',
  type: 'array',
  items: {
    type: 'string',
    pattern: '^[0-9a-fA-F]{24}$'
  }
}

Example Response

{
    "data":
    [
        {
            "id": "64e17a99009140000f4acf70",
            "name": "192.168.0.1",
            "components":
            [
                {
                    "name": "192.168.0.1",
                    "notes":
                    [
                        "\nThe following is a list of SSL anonymous ciphers supported by the remote server :\n\n  Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)\n\n    ADH-DES-CBC3-SHA             Kx=DH          Au=None     Enc=3DES-CBC(168)        Mac=SHA1   \n    AECDH-DES-CBC3-SHA           Kx=ECDH        Au=None     Enc=3DES-CBC(168)        Mac=SHA1   \n\n  High Strength Ciphers (>= 112-bit key)\n\n    DH-AES128-SHA256             Kx=DH          Au=None     Enc=AES-GCM(128)         Mac=SHA256  \n    DH-AES256-SHA384             Kx=DH          Au=None     Enc=AES-GCM(256)         Mac=SHA384  \n    ADH-AES128-SHA               Kx=DH          Au=None     Enc=AES-CBC(128)         Mac=SHA1   \n    ADH-AES256-SHA               Kx=DH          Au=None     Enc=AES-CBC(256)         Mac=SHA1   \n    ADH-CAMELLIA128-SHA          Kx=DH          Au=None     Enc=Camellia-CBC(128)    Mac=SHA1   \n    ADH-CAMELLIA256-SHA          Kx=DH          Au=None     Enc=Camellia-CBC(256)    Mac=SHA1   \n    AECDH-AES128-SHA             Kx=ECDH        Au=None     Enc=AES-CBC(128)         Mac=SHA1   \n    AECDH-AES256-SHA             Kx=ECDH        Au=None     Enc=AES-CBC(256)         Mac=SHA1   \n    DH-AES128-SHA256             Kx=DH          Au=None     Enc=AES-CBC(128)         Mac=SHA256  \n    DH-AES256-SHA256             Kx=DH          Au=None     Enc=AES-CBC(256)         Mac=SHA256  \n\nThe fields above are :\n\n  {OpenSSL ciphername}\n  Kx={key exchange}\n  Au={authentication}\n  Enc={symmetric encryption method}\n  Mac={message authentication code}\n  {export flag}\n",
                        "http://www.nessus.org/u?3a040ada"
                    ],
                    "tags":
                    [
                        "port:21",
                        "pluginID:31705",
                        "pluginFamily:Service detection",
                        "svc_name:ftp",
                        "protocol:tcp",
                        "severity:1",
                        "cve:CVE-2007-1858",
                        "cvss3_base_score:5.9",
                        "cvss3_temporal_score:5.2",
                        "cvss3_temporal_vector:CVSS:3.0/E:U/RL:O/RC:C",
                        "cvss3_vector:CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                        "cvss_base_score:2.6",
                        "cvss_temporal_score:1.9",
                        "cvss_temporal_vector:CVSS2#E:U/RL:OF/RC:C",
                        "cvss_vector:CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N",
                        "exploit_available:false",
                        "exploitability_ease:No known exploits are available",
                        "plugin_modification_date:2018/08/03",
                        "plugin_publication_date:2008/03/28",
                        "plugin_type:remote"
                    ]
                }
            ],
            "notes":
            [],
            "tags":
            [],
            "actioned": false,
            "asset_type": "Infrastructure",
            "external_asset_id": "CMDB-123",
            "details": "This asset is the main router for the head office",
            "custom_fields":
            [
                {
                    "key": "af_sys_hostnames",
                    "value":
                    [],
                    "label": "Hostnames"
                },
                {
                    "key": "internet_facing",
                    "value": "Yes",
                    "label": "Internet Facing"
                },
                {
                    "key": "subnets",
                    "value":
                    [
                        "192.168.0.0/24",
                        "192.168.0.1/24"
                    ],
                    "label": "Subnets"
                },
                {
                    "key": "af_sys_ports",
                    "value":
                    [],
                    "label": "Ports"
                }
            ],
            "vulnerability_id": "64e17a99009140000f4acf6e"
        }
    ],
    "count": 1,
    "total": 1
}

Find Writeups

Description

This tool can be used to find Writeups using a provided filter expression.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool find_writeups and click Add

Example Prompts

Show me my Writeups in the 'Main' library. Include custom fields in the response.

Supported Query Fields

id: {
  type: 'string',
  pattern: "ObjectId\\(\\'[0-9a-fA-F]{24}\\'\\)",
}
created: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was created.'
}
modified: {
  type: 'string',
  pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$',
  description: 'The timestamp that this vulnerability was last modified.'
}
attack_scenario: {
  type: 'string',
}
description: {
  type: 'string',
}
impact_on_availability: {
  enum: [
    'High',
    'Medium',
    'Low',
    'None',
  ]
}
impact_on_confidentiality: {
  enum: [
    'High',
    'Medium',
    'Low',
    'None',
  ]
}
impact_on_integrity: {
  enum: [
    'High',
    'Medium',
    'Low',
    'None',
  ]
}
import_source_id: {
  type: 'string'
}
import_source: {
  type: 'string'
}
likelihood_of_exploitation: {
  description: 'Scale of exploitability, 1 is least and 10 is most',
  enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
}
remediation_recommendation: {
  type: 'string'
}
severity: {
  description: '1 is least severe and 10 is most severe',
  enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
}
title: {
  type: 'string',
}
tags: {
  type: 'array',
  items: { type: 'string' }
}
custom_tags: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      name: { type: 'string' },
      value: { type: 'string' }
    },
    required: ['name', 'value'],
    additionalProperties: false
  }
}
custom_fields: {
  type: 'array',
  items: {
    type: 'object',
    properties: {
      key: {
        type: 'string',
        pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$',
      },
      value: {
        oneOf: [
          {
            type: 'string',
          },
          {
            type: 'array',
          },
        ]
      }
    },
    required: ['key', 'value'],
    additionalProperties: false
}

Example Response

{
    "data":
    [
        {
            "id": "5ad737feccb39f330a8ef316",
            "created": "2018-04-18T12:20:14.784Z",
            "modified": "2025-06-23T19:43:59.724Z",
            "attack_scenario": "<p>XSS injection attack is a well-documented attack with a number of automated tools available to facilitate discovery, exploitation and post-exploitation control processes. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some XSS vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running 'Active X' controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content. An attack against the larger user base of the application may result in successful compromise of users computers and potential infection with malware that would effectively allow further compromise of users data.</p><p>{{{xss.png}}}</p><p></p>",
            "description": "<h2>Cross Site Scripting</h2><p>Cross-site scripting (XSS) vulnerability occurs when data submitted to the application is not properly handled before being embedded within the applications response or stored for later retrieval.</p><h2>Reflected cross-site scripting</h2><p>Reflected cross-site scripting (XSS) occurs when a server receives data directly from a HTTP request and returns (or reflects) it back in the HTTP response. In a typical XSS attack scenario, exploitation takes place when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.</p><p><strong><u>The most common mechanism for delivering malicious content</u></strong> is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.</p><p><strong><u>The most common attack</u></strong> performed with XSS involves the disclosure of session or other sensitive information stored in user cookies. Typically, a malicious user will craft a client-side script, which when parsed by a web browser performs some activity (such as sending all site cookies to a given e-mail address). This script will be loaded and run by each user visiting the vulnerable component of the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also. For example, an attacker could redirect users to malicious web sites.</p><p>More sophisticated attacks may extend to, for example, an attacker using advanced XSS exploitation tools like the Browser Exploitation Framework (BeEF).</p>",
            "impact_on_availability": "None",
            "impact_on_confidentiality": "None",
            "impact_on_integrity": "None",
            "likelihood_of_exploitation": 6,
            "remediation_recommendation": "<p>To prevent XSS attacks a multi-layered approach is recommended. </p><ul><li>Input received from the client should be strictly validated on the server side before any further processing takes place. </li><li>The filter should use a White List approach by only accepting Known Good characters. </li><li>Validation should be performed on a per field basis and should endeavour to be as strict as possible. </li><li>Ensure that data is fully normalised and decoded before being compared to the filter. </li><li>All client supplied data should be HMTL encoded at the point where it is displayed to the user. This includes request data such as query string parameters and data retrieved from storage. </li><li>It is recommended that all alphanumeric characters be HTML encoded to avoid XSS. However the following characters must be encoded: double quotes, ampersand, less than sign, and greater than sign</li></ul>",
            "severity": 6,
            "title": "Reflected Cross Site Scripting",
            "tags":
            [
                "OWASP Top 10",
                "CWE Top 25",
                "CWE-79: Improper Neutralisation of Input During Web Page Generation ('Cross-site Scripting')",
                "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:T/RC:R/CR:M/IR:M/AR:M/MAV:A/MAC:H/MPR:L/MUI:R/MS:C/MC:L/MI:L/MA:H",
                "CVSSv3.1 Base Score: 7.6",
                "CVSSv3.1 Temporal Score: 6.6",
                "CVSSv3.1 Environmental Score: 5.9"
            ],
            "custom_tags":
            [],
            "custom_fields":
            [
                {
                    "key": "af_sys_steps_to_reproduce",
                    "value": "<ol><li>do this.</li><li>do that.</li></ol><pre class=\"ql-syntax\" spellcheck=\"false\">&lt;script&gt;alert(1)&lt;/script&gt;\n</pre><p>Observe arbitrary script is executed in the victim's browser.</p>",
                    "label": "Templates Steps to Reproduce (POC)"
                }
            ]
        }
    ],
    "count": 1,
    "total": 1
}

Get Field Structure

Description

This tool can be used to get the topological structure of all system and custom fields that make up the AttackForge data model. This is useful to determine the custom field keys that exist on the data model.

How To Enable

Go to Users
Select the user you would like to provide access to this tool
Click on Access > MCP
Click on Add Tools
Select the tool get_field_structure and click Add

Example Prompts

Show me what fields are available on vulnerabilities.

Supported Query Fields

model: {
  description: `This is used to specify the data model of which the field structure is required.
  Supported models:
    - asset
    - project
    - vulnerability
    - writeup
  `,
  type: 'string',
  pattern: `^asset, project, vulnerability, writeup].join('|')}$`,
}

Example Response

{
    "model": "vulnerability",
    "structure":
    [
        {
            "type": "section",
            "label": "Info",
            "info": "<p>This section should include basic information about the vulnerability.</p><p><strong><u>Important:</u></strong> Only create new Writeups if you need to. There are already thousands of Writeups the security team worked hard to create for you to select from. Be like Keanu Reeves <span style=\"color: rgb(51, 51, 51);\">🙂</span></p>",
            "fields":
            [
                {
                    "type": "system",
                    "key": "writeupAndAssets",
                    "label": "Writeup and Affected Assets",
                    "required": true
                },
                {
                    "type": "system",
                    "key": "visibility",
                    "label": "Visibility",
                    "required": true
                }
            ]
        },
        {
            "type": "section",
            "label": "Social Engineering",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "persons_targeted",
                    "label": "Persons Targeted",
                    "required": false,
                    "usage_hints": "type: 'Record<string, string | string[] | null>[]', description: \"custom field value contains an array of objects used to represent items in a table\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "Red Team",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "attack_narrative",
                    "label": "Attack Narrative",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains html markup\"'"
                },
                {
                    "type": "custom",
                    "key": "critical_steps",
                    "label": "Critical Steps",
                    "required": false,
                    "usage_hints": "type: 'Record<string, string | string[] | null>[]', description: \"custom field value contains an array of objects used to represent items in a table\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "PCI Compliance",
            "info": "<p>For more information on what all these PCI DSS terms mean - please visit <a href=\"https://www.pcisecuritystandards.org/glossary/\" rel=\"noopener noreferrer\" target=\"_blank\">https://www.pcisecuritystandards.org/glossary/</a></p>",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "is_cde",
                    "label": "Are Asset(s) Part of Cardholder Data Environment (CDE)?",
                    "required": true,
                    "info": "<p>CDE is defined at <a href=\"https://www.pcisecuritystandards.org/glossary/#glossary-c\" rel=\"noopener noreferrer\" target=\"_blank\">https://www.pcisecuritystandards.org/glossary/#glossary-c</a></p>",
                    "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'"
                },
                {
                    "type": "custom",
                    "key": "cde_networks",
                    "label": "Which CDE Network(s) are Affected?",
                    "required": true,
                    "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "Medical Devices",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "manufacturer",
                    "label": "Manufacturer",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "version",
                    "label": "Affected Version",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "cpe",
                    "label": "CPE",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "Scoring",
            "fields":
            [
                {
                    "type": "system",
                    "key": "zeroDay",
                    "label": "Is 0-Day?",
                    "required": true
                },
                {
                    "type": "system",
                    "key": "scoring",
                    "label": "CVSS Scoring, Priority and Exploitability",
                    "required": true
                }
            ]
        },
        {
            "type": "section",
            "label": "Ownership",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "vuln_owner",
                    "label": "Vulnerability Owner",
                    "required": false,
                    "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of user ids\"'"
                },
                {
                    "type": "custom",
                    "key": "teams_responsible",
                    "label": "Teams Responsible",
                    "required": false,
                    "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of group ids\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "Testing",
            "fields":
            [
                {
                    "type": "system",
                    "key": "stepsToReproduce",
                    "label": "Steps to Reproduce",
                    "required": true
                },
                {
                    "type": "custom",
                    "key": "technical_impact",
                    "label": "Technical Impact",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains html markup\"'"
                },
                {
                    "type": "system",
                    "key": "notes",
                    "label": "Notes",
                    "required": true
                }
            ]
        },
        {
            "type": "section",
            "label": "Tags",
            "fields":
            [
                {
                    "type": "system",
                    "key": "cvssTags",
                    "label": "CVSS Tags",
                    "required": true
                },
                {
                    "type": "system",
                    "key": "tags",
                    "label": "Tags",
                    "required": true
                },
                {
                    "type": "system",
                    "key": "customTags",
                    "label": "Custom Tags",
                    "required": true
                },
                {
                    "type": "system",
                    "key": "testCases",
                    "label": "Associated Test Cases",
                    "required": true
                },
                {
                    "type": "custom",
                    "key": "category",
                    "label": "Category",
                    "required": true,
                    "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "Threat Prioritization",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "threat_score",
                    "label": "Threat Score (X/140)",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "cve",
                    "label": "CVE",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "Integrations",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "ado_work_item_id",
                    "label": "ADO Work Item Id",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "ado_work_item_url",
                    "label": "ADO Work Item URL",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "snow_incident_number",
                    "label": "SNOW Incident Number",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "snow_incident_url",
                    "label": "SNOW Incident URL",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "jira_issue_key",
                    "label": "JIRA Issue Key",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "jira_issue_url",
                    "label": "JIRA Issue URL",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "HackerOne",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "hackerone_report_id",
                    "label": "HackerOne Report Id",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "hackerone_report_url",
                    "label": "HackerOne Report URL",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "Synack",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "synack_vuln_id",
                    "label": "Synack Vuln Id",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "synack_vuln_status",
                    "label": "Synack Vuln Status",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                },
                {
                    "type": "custom",
                    "key": "synack_vuln_link",
                    "label": "Synack Vuln Link",
                    "required": false,
                    "usage_hints": "type: 'string', description: \"custom field value contains a string\"'"
                }
            ]
        },
        {
            "type": "section",
            "label": "QA Review",
            "fields":
            [
                {
                    "type": "custom",
                    "key": "qa_status",
                    "label": "QA Status",
                    "required": true,
                    "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'"
                },
                {
                    "type": "custom",
                    "key": "qa_reviewer",
                    "label": "QA Reviewer",
                    "required": false,
                    "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of user ids\"'"
                },
                {
                    "type": "custom",
                    "key": "qa_approver",
                    "label": "QA Approver",
                    "required": false,
                    "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of user ids\"'"
                }
            ]
        }
    ]
}

Prompt Examples

Generate Pentest Executive Summary

Tools Required

Prompt

Assume the role of a highly experienced Chief Information Security Officer (CISO) drafting a report for the Executive Committee. Your task is to analyze the provided penetration testing data for the {{INSERT-PROJECT-NAME}} Project (data includes scope, findings severity breakdown, exploited vulnerabilities, and remediation time estimates) and synthesize it into a concise, single-page Executive Summary designed for C-level risk assessment.
The output must be a unified report, strictly adhering to the following structure and constraints:
1.	NO METADATA: DO NOT include any title, header, footer, or boilerplate text such as "Prepared by," "Classification," or "Date." The output must begin immediately with the body of the report.
2.	Length: Do not exceed the content volume of a single, standard business page.
3.	Conditional Findings (MANDATORY): This is the core logic. You must select between one (1) and three (3) findings based only on the highest available severity level, ignoring the finding's current status (open or closed).
- Priority 1: Critical (CVSS > 9.0): If one or more Critical findings exist, use them first (up to three). If none exist, proceed to Priority 2.
- Priority 2: High (CVSS 7.0 - 8.9): If no Critical findings were found, use High findings (up to three). If none exist, proceed to Priority 3.
- Priority 3: Medium (CVSS 4.0 - 6.9): If no High findings were found, use Medium findings (up to three). If none exist, proceed to Priority 4.
- Priority 4: Low/Info: Only if no Critical, High, or Medium findings exist, use Low or Informational findings (up to three).
4.	Dynamic Headings (MANDATORY): Use only these three bolded headings, in this exact order. The second heading must dynamically reflect the highest severity level found in Step 3, along with the count of findings presented.
-	Executive Overview
-	Top [Number] [Severity Level] Findings (Example: "Top Three Critical Findings," or "Top One High Finding." If no relevant findings are found, use a title like "No Critical or High Findings Identified.")
-	Immediate Mitigation Strategy
5.	Content: Under the dynamic findings heading, use clear, concise bullet points for each selected finding, detailing the risk and business impact.
6.	Conclusion: The final section, Immediate Mitigation Strategy, must conclude with a single, highly prioritized action item that delivers the greatest risk reduction immediately.
7.	Language: Use formal, authoritative, and risk-focused business language throughout.
8.	Presentation: Downloadable Microsoft Word Document

Generate Vulnerability Descriptions and Recommendations

Tools Required

Prompt

You are a CERTIFIED, world-class cybersecurity penetration tester and senior security report writer. Your role is to transform technical data, collected via the AttackForge Connector MCP for the project {{INSERT-PROJECT-NAME}}, into concise, implementation-agnostic technical findings suitable for an enterprise penetration test report.
Your output will be consumed exclusively by technical engineering teams (e.g., developers, network engineers) and must adhere strictly to the specifications below.
1. REQUIRED OUTPUT STRUCTURE
For each and every vulnerability provided in the Input Data, rewrite it into the following three clearly labelled sections, in this exact order:
Finding Title (Formatted): The title must be the first line of the finding, displayed in bold, and the label 'Finding Title' must be excluded. A concise, precise title (under 10 words) that captures the core flaw.
Description: A concise, implementation-agnostic technical explanation of the vulnerability. Explain the root cause at a system or application logic level, not step-by-step exploitation. Maintain strict technical clarity without business or operational context.
Recommendation: Provide a technical direction for remediation, focusing on what needs to be addressed, not how to implement it. Do not reference specific security controls (e.g. “input validation”), code-level fixes, libraries, or configuration syntaxes. Keep the guidance high-level but technically meaningful for engineers.
2. STRICT EXCLUSIONS (DO NOT INCLUDE)
The rewritten findings must not contain any of the following:
•	Executive summaries or introductory statements
•	CVSS scores, risk ratings, or severity levels
•	Business impact, operational context, or data-loss-style consequences
•	Exploitation steps, reproduction details, or proof-of-concept information
•	Remediation strategy specifics, code samples, or control frameworks
•	External references, citations, or URLs
•	Mitigation controls framed as tactical instructions (e.g., “sanitize input,” “enable MFA,”)
3. TONE, FORMATTING, AND STYLE GUIDELINES
•	Maintain a formal, authoritative, and objective security tone.
•	Use precise, accurate security terminology.
•	The Finding Title must be the first line of output for each finding, rendered in bold, and formatted as a center-aligned headline.
•	Keep each section concise (typically 3–6 sentences per section).
•	Treat each vulnerability independently and clearly separate findings using line breaks.
•	Do not number findings unless the input data explicitly includes numbering.
4. OUTPUT OBJECTIVE
Your final output must read as if written by a senior penetration tester producing an enterprise-grade technical report, with:
•	clean structure
•	consistent phrasing
•	internally coherent terminology
•	readable, engineering-focused insight
5. PRESENTATION
•	Downloadable Microsoft Word Document

Determine Single Highest-Risk Vulnerability on Project

Tools Required

Prompt

You are a world-class cybersecurity penetration tester and senior security report analyst (OSCP/OSCE-level). Your role is to transform technical data, collected via the AttackForge Connector MCP for the project {{INSERT-PROJECT-NAME}}. You specialize in transforming pentest output into concise, accurate, and actionable intelligence for security leadership.
CORE TASK
From the vulnerabilities found on the project, identify the single highest-risk vulnerability and return a fully structured analysis. Ignoring the finding's current status (open or closed).
EVALUATION RULES
•	Determine “highest-risk” using severity first (Critical → High → Medium → Low → Informational).
•	If multiple vulnerabilities share the same severity, choose the one with:
1.	The widest asset impact, then
2.	The highest exploitability, then
3.	The highest business impact (as described or inferable from the data).
OUTPUT FORMAT
Return your findings using the exact structure below:
1.	Vulnerability Name
2.	Severity & Risk Rating (CVSS or vendor rating)
3.	Associated Assets
-	List all affected hosts, endpoints, URLs, applications, or systems.
4.	Technical Summary
-	Clear explanation of the root cause and why the vulnerability exists.
5.	Evidence / Key Technical Details
-	Summarize PoC, payloads, reproduction steps, or scanner evidence (if provided).
6.	Business Impact
-	Explain how this vulnerability threatens confidentiality, integrity, availability, or overall organizational risk.
7.	Remediation Recommendation
-	Provide a precise, technically accurate fix (configuration change, patch, architecture control, etc.).
8.	Priority Justification
-	Brief explanation of why this vulnerability was selected as the highest-risk.
STYLE REQUIREMENTS
•	Structure and Coherence: Maintain a clean structure, consistent phrasing, and internally coherent terminology.
•	Tone: Maintain a formal, authoritative, and objective security tone.
•	Precision: Use precise, accurate security terminology and readable, engineering-focused insight.
•	Formatting: The Finding Title must be the first line of output for the finding, rendered in bold, and formatted as a center-aligned headline.
•	Conciseness: Keep each numbered section concise (typically 3–6 sentences per section).
•	Independence: Treat the selected vulnerability independently.
•	Numbering: Do not number findings unless the input data explicitly includes numbering.
PRESENTATION
•	Downloadable Microsoft Word Document

Show Vulnerabilities Assigned to Me

Tools Required

Prompt

You are a highly detail-oriented Cyber Remediation Analyst specializing in interpreting current vulnerability data from the AttackForge Connector MCP.
Your primary task is to generate a comprehensive vulnerability list for both immediate remediation teams and historical auditing. The list must focus exclusively on vulnerabilities assigned to the current user, regardless of project.
The data retrieval must adhere precisely to the following criteria:
1.	Source: All data must be sourced from the AttackForge Connector MCP.
2.	Assignment: Only include vulnerabilities explicitly assigned to the current user ("me"), using the “vulnerability owner” field.
3.	Priority Inclusion: Include all defined priority levels (Critical, High, Medium, Low, Informational).
4.	Included Statuses: Include all vulnerabilities that are currently Open, Retest, or Closed.
5.	Data Scope: Include all projects associated with the assigned vulnerabilities.
Present the filtered results as a single, clear Markdown table with the following five columns, in this exact order:
•	Column 1: Vulnerability Name (Required Data: The full, unique name of the finding. Formatting Note: The name must be displayed in bold.) The data in this column MUST also be horizontally and vertically centered within the table.
•	Column 2: Priority (Required Data: The current priority level. Formatting Note: Use the exact priority terms.) The data in this column MUST also be horizontally and vertically centered within the table.
•	Column 3: Affected Assets Count (Required Data: The total number of assets currently affected by this vulnerability. Formatting Note: Must be rendered as an integer with no commas.) The data in this column MUST also be horizontally and vertically centered within the table.
•	Column 4: Project Name (Required Data: The name of the project containing the vulnerability. Formatting Note: The name must be displayed in italics.) The data in this column MUST also be horizontally and vertically centered within the table.
•	Column 5: Status (Required Data: The current remediation status. Formatting Note: Use a fixed-width/code block style, e.g., `Open`, `Closed`, or `Retest`.) The data in this column MUST also be horizontally and vertically centered within the table.
The entire table must be sorted first by Priority in strict descending order (Critical → High → Medium → Low → Informational) and secondarily by Affected Assets Count in descending order.
Following the table, write a one-paragraph summary of exactly four sentences that clearly reports on the following metrics:
1.	The total count of unique vulnerabilities returned in the table.
2.	The count of vulnerabilities that are currently Closed.
3.	The count of all vulnerabilities categorized as Critical or High that are still Open or Retest.
4.	The single Vulnerability Name (from Column 1) that affects the largest number of assets.
Presentation and Delivery Requirements:
•	Convert the entire output into a downloadable Word file. 
•	Set the document title to: “Vulnerabilities Assigned”

Create a Vulnerability Composition Metrics Dashboard

Tools Required

Prompt

Goal: Design a single-screen, Dark Mode Security Operations Center (SOC) dashboard focused on Vulnerability Composition Metrics. The objective is to provide immediate, comparative situational awareness of severity distribution across distinct time windows and enable rapid triage. Data for this dashboard will be collected from the project. 1. Data & Filters * Source: AttackForge Connector (MCP) * Project: {{INSERT-PROJECT-NAME}} * Metric: Vulnerability Count (Total N) * Global Filter: Vulnerability Age < {{INSERT-NUMBER-OF-DAYS}} days (calculated from date created to today's date). * Dimensions: Severity (Critical, High, Medium, Low, Informational) 2. Aesthetic & Encoding (Dark Mode) * Theme: Dark Mode, industrial aesthetic, optimized for continuous monitoring (low glare, high readability). * UX Note: Implement subtle animations to signify data freshness. * Color Palette (High-Contrast Sequential Alarm):    * Critical: `#E31A1C` (Red)    * High: `#FF7F00` (Orange)    * Medium: `#FFD92F` (Yellow)    * Low: `#1F78B4` (Blue)    * Informational: `#A6CEE3` (Light Blue) 3. Visual Architecture: Comparative Composition (Top Section) * Layout: Single horizontal row of visuals across the top of the dashboard. * Visual Type: Donut Charts. * Encoding: Display the Total Count (N) in the center-aligned vertically and horizontally of the chart. Include a common legend. * Visuals Required (View):     * Total Vulnerabilities 4. Actionable Triage Table (Bottom Section) * Layout: Full-width interactive data grid below the comparative charts. * Functionality:    * Searchable by Vulnerability Title    * Clickable Status Filters: All, Open, Closed, Retest. * Required Columns (Order): Vulnerability Title, Severity, Age (in days), Discovered Date, Status. * Default Sorting Logic: *  1. Primary: Severity (Descending: Critical → Informational). 2. Secondary: Age (Ascending: Oldest first). Do NOT create or add things based on assumption. Strictly follow what is written in the prompt.

Top 10 Vulnerabilities Report

Tools Required

Prompt

Role Definition: Act as a Senior Cybersecurity Analyst executing a critical data synthesis task.
Core Task: Using the vulnerability data collected exclusively from the AttackForge Connector MCP source, you must identify and present the top 10 most common vulnerabilities by their total count of occurrences.
Sorting & Tie-Breaking:
1.	The final list must be sorted descending by the Total Number of Occurrences.
2.	Crucially, ensure any and all vulnerabilities tied for the 10th position are fully included in the output.
Required Output Fields (in order):
1.	Vulnerability Name (Full descriptive name). The data in this column MUST also be horizontally and vertically left -centered within the table. Add 6pt line spacing before and after.
2.	Total Number of Occurrences (Exact numerical count). The data in this column MUST also be horizontally and vertically centered within the table. Add 6pt line spacing before and after.
3.	CVSS v3.1 Base Score (The exact numerical score, e.g., 9.8). The data in this column MUST also be horizontally and vertically centered within the table. Add 6pt line spacing before and after.
4.	Assigned Priority Rating (The corresponding rating: Critical, High, Medium, Low, or Informational) in BOLD. The data in this column MUST also be horizontally and vertically centered within the table. Add 6pt line spacing before and after.
Format & Constraints (Guardrails):
•	Document Title: The generated document must be titled: "Top 10 Vulnerabilities Report"
•	Timestamp: The very first line of the document (before the table) must state the exact Date, Time, and Time Zone the data was generated (e.g., "Generated on: 27/11/2025 at 09:10:18 AM AEDT").
•	Present this information in a clear, sortable markdown table.
•	STRICTLY PROHIBITED: Do not include any notes, legends, introductory summaries, or concluding remarks (other than the required title/timestamp).
•	DATA INTEGRITY MANDATE: USE EXACT DATA. DO NOT APPROXIMATE OR ESTIMATE ANYTHING.
Final Delivery Requirement: After generating the title, timestamp, and markdown table, immediately convert the resulting output into a downloadable Microsoft Word Document.

Top 10 Vulnerabilities Dashboard

Tools Required

Prompt

Role Definition: Act as a Senior Cybersecurity Analyst creating executive dashboards.
1. Priority Metric Tiles (KPIs)
These key performance indicator (KPI) tiles provide an immediate, high-level view of the current active vulnerability landscape. For the following Project in AttackForge {{INSERT-PROJECT-NAME}}
Data Source & Scope: All vulnerabilities identified via the AttackForge Connector MCP will be used to create the dashboard.
Have the project Name in the Centre of the Dashboard.
1. Top N Analysis Chart
Priority Metric Tiles (KPIs) These key performance indicator (KPI) tiles provide an immediate, high-level view of the current active vulnerability landscape.
•	Title: "Total Vulnerabilities Distribution."
•	Visualization Type: Set of 5 Square Metric Tiles (Treemap Style).
•	Metrics & Display: Tiles must represent the count for each standard severity level:
o	Critical
o	High
o	Medium
o	Low
o	Informational
•	Design Rule:
o	Use standard industry color mapping (e.g., #D32F2F for Critical, #F57C00 for High, #FBC02D for Medium, #7CB342 for Low and #0288D1 for Informational).
o	The numeric count must be vertically and horizontally center-aligned inside the square tile for maximum visibility.
•	Make sure the data and calculation of finding the 10 Most Common Vulnerabilities by Count is done CORRECTLY
•	Centre aligned with the dashboard. 
2. Top N Analysis Chart
This chart focuses on identifying the most recurring vulnerability types.
•	Visualization Type: Horizontal Bar Chart, sorted descending.
•	Title: " Top 10 Most Common Vulnerabilities by Count."
•	Dynamic Chart Resolution Requirements: 
o	Implement Tooltip for Full Title: Modify the chart to use a tooltip or hover-over functionality for the vulnerability title labels (y-axis/row labels). When a user hovers over any truncated title, a pop-up must appear displaying the full, complete, and untruncated vulnerability title.
o	Optimize Layout and Bar Length: Re-scale the horizontal length of the bars (representing the count) so they dynamically fit within the dedicated chart drawing space and do not obscure the title labels. Dynamically allocate sufficient horizontal space for the row labels on the left side of the chart.
3. Detailed Vulnerability Table
This section provides the comprehensive, actionable list of vulnerabilities.
•	Content: Showing only the top 10 Most Common Vulnerabilities by Count
•	Required Columns:
o	Name
o	Priority (Color Coded e.g., #D32F2F for Critical, #F57C00 for High, #FBC02D for Medium, #7CB342 for Low and #0288D1 for Informational).
o	CVSS Base Score (cvssv3_1_score)
o	Likelihood of Exploitation 
o	Date Found
•	Default Sorting: Table must default to be sorted descending by CVSS Score to prioritize the riskiest items immediately, if does not exists then sorted descending by Priority.
•	Filtering: Ensure filter controls are available for Priority. If none exists for the selected filter, mention e.g. “No Low Vulnerabilities ”
•	Make sure the data and calculation of finding the 10 Most Common Vulnerabilities by Count is done CORRECTLY
IMPORTANT NOTE: Do NOT create or add things based on assumption. Strictly follow what is written in the prompt. 
For ChatGPT ONLY remove the () (Create this dashboard as a downloadable HTML file) else delete it.

Create Interactive Vulnerabilities Chart

Tools Required

Prompt

Objective: Generate a complete, interactive dashboard element featuring the required Radar Chart, title, subtitle, horizontal legend, and key summary metrics, perfectly matching the visual design.
Data Source: AttackForge MCP for project "{{INSERT-PROJECT-NAME}}"
Dashboard Element Structure & Design
1.	Overall Container: The entire output must be rendered as a single, cohesive, dark-themed dashboard card/container with the specified layout.
2.	Top Header (Small Text): A small, subtle text • CISO SECURITY DASHBOARD, centered.
3.	Main Title: Average Vulnerability Age - Large, bold, centered, and prominently displayed.
4.	Subtitle (Under Main Title): Open vulnerabilities by severity • {{INSERT-PROJECT-NAME}} - Smaller font, centered.
Core Visualization Enforcement
1.	Chart Type (STRICT): The central graphical element MUST BE a five-axis Radar Chart (or Web Chart). The use of any other chart type (e.g., Donut, Bar) is strictly forbidden.
2.	Interactivity Enforcement (STRICT): The output HTML file must contain JavaScript to enable full interactivity. When a user hovers over or clicks on a data point on the radar chart, a dynamic tooltip/modal window must appear, clearly showing the exact Average Age for that severity axis (e.g., 'Avg Age: 142 Days').
Radar Chart Visualization Requirements
1.	Axes: Critical, High, Medium, Low, Informational.
2.	Metric: Average Open Vulnerability Age (in days). This metric determines the magnitude plotted on each axis.
o	Robust Calculation Logic: The magnitude for each axis is the mathematical average of the Raw Age (days between Vulnerability created and Today's Date) for all open vulnerabilities in that severity group.
3.	Size & Scale: The radar chart must be large and visually dominant within the container.
4.	Aesthetics:
o	Dark background, consistent theme.
o	Use high-contrast colors (Red, Orange, Yellow, Blue, Green/Gray).
o	The plotted area/line within the radar chart must have a distinct color (e.g., Purple/Blue as shown in the example).
Legend & Summary Metrics
1.	Horizontal Legend (Under Chart):
o	Place the legend directly under the radar chart.
o	Items must be stacked horizontally in a single row.
o	Each legend item must include: Colored dot, Severity Name, Average Age (in days), AND Total Open Vulnerability Count.
o	Example: [Red Dot] Critical | 2630 Days | 4 vulns
2.	Auxiliary Metrics (Bottom Cards):
o	Display three distinct, rounded-corner cards/boxes at the very bottom, arranged horizontally, matching the visual style.
o	Card 1 (Left): Label: OLDEST AVG AGE, Value: (Highest average age).
o	Card 2 (Middle): Label: TOTAL OPEN VULNS, Value: (Sum of all open vulnerabilities).
o	Card 3 (Right): Label: SEVERITIES TRACKED, Value: (Count of severity categories with data).
[ (This block Only Valid for ChatGPT, else delete it.) Output Requirement
Make this visualization a fully functional, interactive HTML File containing all necessary rendering libraries (e.g., Plotly, Chart.js, D3.js) and CSS to perfectly replicate the entire visual and functional design upon opening. a downloadable HTML File.]

PreviousFlows NextSelf-Service RESTful API

Last updated 10 days ago