# AI Model Context Protocol (MCP) ## Overview Model Context Protocol (MCP) is an open-source standard developed by [Anthropic](https://www.anthropic.com/) that enables AI assistants to securely connect to AttackForge with external data sources and tools. MCP transforms AI from a conversational knowledge base into a practical assistant that can work with your actual AttackForge data and tools to get real work done, fast!

MCP has significant benefits for AttackForge users: #### **1. More Helpful and Accurate Responses** **Access to Current AttackForge Information** Instead of being limited to training data, AI assistants using MCP can pull real-time information from AttackForge - for example access to your latest vulnerabilities and projects. This provides context and answers based on your latest data, not outdated information. **Personalized Assistance** MCP enables AI to access your specific context - your AttackForge vulnerabilities, writeups, assets, projects - making responses tailored to your actual situation rather than generic advice. #### **2. Greater Productivity** **Unified Interface** Instead of switching between different APIs and creating complex scripts, you can interact with your AttackForge through a single conversational interface. Ask questions about your data, retrieve records, check statuses, all in one place. **Automated Workflows** The AI can perform multi-step tasks, like pulling data from AttackForge, analyzing it, and updating a spreadsheet or creating a presentation - all from a simple request. #### **3. Better Privacy and Control** **Data Stays Where It Belongs** With MCP, your sensitive vulnerability data doesn't need to be sent to AI providers for training. The AI accesses your data when needed and only for your specific requests. **Granular Permissions** You control exactly what data and capabilities the AI can access on behalf of any AttackForge user you authorize to use MCP, ensuring appropriate boundaries and compliance with your security requirements. #### **4. Future-Proof Investment** **Vendor Independence** If you build workflows using MCP, you're not locked into a specific AI provider. You can switch AI assistants while keeping all your integrations working. **Growing Ecosystem** As AttackForge continues to build more MCP tools and services, you'll automatically gain access to new capabilities without needing custom development work. ## Enabling MCP To get started with MCP: * AttackForge Enterprise - MCP is available with your licence. * AttackForge Core - MCP can be add-on from `Administration > Subscriptions` To enable MCP - go to `Administration > Integrations` and enable the toggle for MCP. > **IMPORTANT:** When MCP is enabled, access to MCP Tools is not yet available. Each tool must be enabled by an AttackForge administrator on a per-user basis for maximum security.

## Configuring Remote MCP

Remote MCP are remote Model Context Protocol servers that are hosted on the internet rather than on your local machine. Remote MCP servers extend AI applications' capabilities beyond your local environment, providing access to internet-hosted tools, services, and data sources. Unlike local MCP servers that run on your computer, remote servers are accessible from any MCP client with an internet connection. The key advantage of remote MCP servers is their accessibility - unlike local servers that require installation and configuration on each device. This makes them particularly useful for web-based AI applications (like AttackForge) and services that require server-side processing or authentication. Remote MCP servers expose tools, prompts, and resources that AI assistants can use. These servers can integrate with various services such as AttackForge. AttackForge has a built-in [OAuth v2.1](https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/) service which is used to authenticate users connecting to AttackForge MCP. Every AttackForge user connecting to AttackForge via remote MCP must explicitly grant the AI assistant permission to do so on behalf of the user. ## Self Registration Self registration allows AttackForge users to register their AI assistant to use AttackForge MCP directly. This saves time and effort for AttackForge administrators having to manually create OAuth2 Client IDs and Client Secrets and having to share that information with enrolling users. Self registration is handled using the built-in AttackForge [OAuth2 Authorization Server](https://datatracker.ietf.org/doc/html/rfc6749) which comes with every AttackForge tenant, and is made available when MCP is enabled in AttackForge. To enable self registration - go to `Administration > Integrations > MCP` and toggle to option to enable self registration. > **IMPORTANT:** When Self Registration is enabled, access to MCP Tools is not yet available. Each tool can be enabled on a per-user basis by the AttackForge administrators for maximum security.

### Microsoft Copilot Studio Self Registration 1. Log in to [Microsoft Copilot Studio](https://copilotstudio.microsoft.com/). Select `Agents > Create blank agent`

2. Click on `Tools > Add a tool`

3. Click on `Model Context Protocol > New tool`

4. Click on `Model Context Protocol`

5. Enter in a name for your connecter. For the `Server URL` this should be in the following format: `https://{{ATTACKFORGE-HOSTNAME}}/mcp` . Select `OAuth 2.0` for Authentication. Select `Dynamic discovery` for Type. Click `Add`.

6. Click on `Create new connection`

7. Click `Create`. You will be redirected to AttackForge. If you are not logged in - you will first need to log in. After you have logged in - you will see the screen below. Click on `Agree and Continue`. You will then be redirected back to Copilot Studio.

8. You should see a successful connection. Click on `Add and configure`.

9. Your agent should now be connected to AttackForge.

10. Click on `Tools`. Configure the [Tools](#tools) you want to use.

11. Try a prompt. If you see an error `Let's get you connected first, and then I can find that info for you` - click on the link to **Open connection manager** and click `Connect`. Otherwise your prompt should work!

### ChatGPT Self Registration 1. Log in to [ChatGPT](https://chatgpt.com/) and from the menu - select `Workspace settings`

2. Select `Apps & Connectors`

3. Click on `Create`

4. Enter in a name for your connecter. For the `MCP Server URL` this should be in the following format: `https://{{ATTACKFORGE-HOSTNAME}}/mcp` . Click `Create`.

5. You will be redirected to AttackForge. If you are not logged in - you will first need to log in. After you have logged in - you will see the screen below. Click on `Agree and Continue`. You will then be redirected back to ChatGPT.

6. Click `Publish`

7. Review and actions then click `Publish`

8. AttackForge MCP will now be available.

9. Try the integration by going to a new chat. Click on `+` and select `More`. Select the AttackForge connector, then try a prompt!

### Claude Self Registration 1. Log in to [Claude](https://claude.ai/) and from the menu - select `Settings`

2. Select `Connectors`

3. Select `Add custom connector`

4. Enter in a name for your connecter. For the `MCP Server URL` this should be in the following format: `https://{{ATTACKFORGE-HOSTNAME}}/mcp` . Click `Add`.

5. Click `Connect`

6. You will be redirected to AttackForge. If you are not logged in - you will first need to log in. After you have logged in - you will see the screen below. Click on `Agree and Continue`. You will then be redirected back to Claude.

7. Try the integration by going to a new chat. Click on `Settings` and enable the AttackForge connector, then enabled the relevant tools you have access to. Try a prompt!

## Assisted Registration

If self registration is disabled - AI assistants can still get access to AttackForge MCP using assisted registration. The process is as follows: 1. AttackForge admin [manually registers the AI assistant](#manually-registering-mcp-client) for the required AttackForge user. This process results in the creation of an OAuth 2 Client Id and Client Secret which is then shared with the AttackForge user. 2. AttackForge user supplies the Client Id and Client Secret to their AI assistant to configure the integration. ### Manually Registering MCP Clients 1. Go to `Users > (Select the user) > Applications > MCP Client`

2. Click on `Add Client`. Include a name for the client and insert the redirect URLs. Click `Add` > **TIP:** Click on the down arrow to see common redirect URLs for popular remote MCP clients

3. Copy the **Client Id** and **Client Secret**. > **IMPORTANT:** The Client Secret will only be shown one time. Make sure to copy it.

### Manually Enrolling ChatGPT 1. Log in to [ChatGPT](https://chatgpt.com/) and from the menu - select `Workspace settings`

2. Select `Apps & Connectors`

3. Click on `Create`

4. Enter in a name for your connecter. For the `MCP Server URL` this should be in the following format: `https://{{ATTACKFORGE-HOSTNAME}}/mcp` . Enter in the [OAuth 2 Client Id and Client Secret](#manually-registering-mcp-clients). Click `Create`.

6. Click `Publish`

7. Review and actions then click `Publish`

8. AttackForge MCP will now be available.

9. Try the integration by going to a new chat. Click on `+` and select `More`. Select the AttackForge connector, then try a prompt!

### Manually Enrolling Claude 1. Log in to [Claude](https://claude.ai/) and from the menu - select `Settings`

2. Select `Connectors`

3. Select `Add custom connector`

4. Enter in a name for your connecter. For the `MCP Server URL` this should be in the following format: `https://{{ATTACKFORGE-HOSTNAME}}/mcp` . Click `Advanced Settings`. Enter in the [OAuth 2 Client Id and Client Secret](#manually-registering-mcp-clients). Click `Add`.

5. Click `Connect`

7. Try the integration by going to a new chat. Click on `Settings` and enable the AttackForge connector, then enable the relevant tools you have access to. Try a prompt!

## Configuring Local MCP

Local MCP are local Model Context Protocol servers that run directly on your machine rather than connecting to remote services, like [Claude Desktop](https://www.claude.com/download) and [LM Studio](https://lmstudio.ai/). The key advantages of local MCP servers include: * **Complete Data Privacy**: Local servers process data on your device, offering complete data privacy since information never leaves your machine. * **Offline Functionality**: Local servers work without internet connectivity once downloaded, which is crucial for developers working in secure environments or areas with unreliable internet access. * **Predictable Performance**: Local servers offer predictable performance since they're not dependent on network latency or external service availability. Local MCP is particularly valuable for sensitive data processing, secure enterprise environments, and scenarios where you need AI capabilities without relying on external services. ### LM Studio Configuration 1. Download and install [LM Studio](https://lmstudio.ai/)

2. Open LM Studio. Load your model. Click on `Settings > Program > Install > Edit mcp.json`

3. Open `mcp.json` tab. Add the following local MCP server. Make sure to add your AttackForge hostname for the `"AF_HOSTNAME"` and your AttackForge User API Key for the `"AF_USER_KEY"`. ```json { "mcpServers": { "af-mcp-server": { "command": "npx", "args": [ "-y", "@attackforge/mcp-server" ], "env": { "AF_HOSTNAME": "demo.attackforge.com", "AF_USER_KEY": "asjkdhuwqj.......kashdkjhdkqhu" } } } } ```

4. Click Save when finished and you should see the following success message.

5. Open a new chat. Enable `mcp/af-mcp-server.` Configure the AF MCP tools you want to run, then try a test prompt!

### Claude Desktop Configuration 1. Download and install [Claude Desktop](https://www.claude.com/download)

2. Open Claude Desktop

3. Click on `Profile > Settings`

4. Click on `Developer`

5. Within **Local MCP Servers** - click on `Edit Config`

6. Open `claude_desktop_config.json` in a text editor, and add the following local MCP server. Make sure to add your AttackForge hostname for the `"AF_HOSTNAME"` and your AttackForge User API Key for the `"AF_USER_KEY"` ```json { "mcpServers": { "af-mcp-server": { "command": "npx", "args": [ "-y", "@attackforge/mcp-server" ], "env": { "AF_HOSTNAME": "demo.attackforge.com", "AF_USER_KEY": "asjkdhuwqj.......kashdkjhdkqhu" } } } } ``` 7. Save the file. Quit/Close Claude Desktop. Re-open Claude Desktop and open your Settings and click on `Developer`. You should see `af-mcp-server` is now running.

8. In Settings, click on `Connectors` and observe `af-mcp-server` is available. You can configure the integration and tools from here.

9. Try the integration by going to a new chat. Click on `Settings` and enable the AttackForge connector, then enable the relevant tools you have access to. Try a prompt!

## User Access to MCP Once a user has connected their AI assistant to AttackForge, they can start to leverage the MCP Tools made available to them. > **IMPORTANT:** Each MCP Tool must be be enabled on a per-user basis by the AttackForge administrators for maximum security. ### Access to Tools 1. Go to `Users > (Select the user) > Access > MCP`

2. [View details for each Tool](#tools). Select the tools to enable for the user. Click `Add`

Once the tools have been enabled, the user is now able to access those tools in their AI assistant. ### MCP Sessions When a user has established a session with AttackForge MCP using their AI assistant, their sessions will become visible in `Users > (Select the user) > Applications > MCP Sessions`

## Removing User Access to MCP To remove a users' access to AttackForge MCP - apply each of the following steps. 1. Remove [access to tools](#access-to-tools) 2. Revoke [MCP sessions](#mcp-sessions) 3. Remove [MCP clients](#manually-registering-mcp-clients) ## Tools ### Whoami #### Description This tool can be used to provide details regarding the currently authenticated AttackForge user. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `whoami` and click `Add` #### Example Prompts ``` Who is my AttackForge user? ``` ``` What is my AttackForge user id? ``` ``` What is my AttackForge email address? ``` #### Example Response {% code overflow="wrap" %} ```json { "id":"5ad737d6e576e6290aff1808", "email":"admin@attackforge.com" } ``` {% endcode %} ### Count Projects #### Description This tool can be used to count Projects using a provided filter expression. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `count_projects` and click `Add` #### Example Prompts ``` How many projects do I have in AttackForge? ``` #### Supported Query Fields {% code overflow="wrap" %} ```javascript id: { description: "This is the project id.", type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", } created: { description: 'The timestamp that this project was created.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } modified: { description: 'The timestamp that this project was last modified.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } name: { type: 'string', } code: { type: 'string', } start_date: { description: 'The timestamp that this project is expected to commence.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } end_date: { description: 'The timestamp that this project is expected to conclude.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } status: { enum: [ 'Completed', 'On Hold', 'Overrun', 'Retest', 'Testing', 'Waiting to Start' ] } org_code: { description: 'This is used to capture the Organizational Code that this project belongs', type: 'string', } vuln_code: { description: 'The Vulnerability Code that is used to generate the alernate id for the project vulnerabilities', type: 'string', } attack_chains_enabled: { description: 'Indicates if attack chains are enabled on this project', type: 'boolean' } reporting_enabled: { description: 'Indicates if reporting is enabled on this project', type: 'boolean' } retesting_enabled: { description: 'Indicates if the retesting workflow is enabled on this project', type: 'boolean' } summary_enabled: { description: 'Indicates if the summary page is enabled on this project', type: 'boolean' } custom_tags: { type: 'array', items: { type: 'object', properties: { name: { type: 'string' }, value: { type: 'string' } }, required: ['name', 'value'], additionalProperties: false } } custom_fields: { type: 'array', items: { type: 'object', properties: { key: { type: 'string', pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$', }, value: { oneOf: [ { type: 'string', }, { type: 'array', }, ] } }, required: ['key', 'value'], additionalProperties: false } ``` {% endcode %} #### Example Response ```json { "count": 15 } ``` ### Count Vulnerabilities #### Description This tool can be used to count Vulnerabilities using a provided filter expression. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `count_vulnerabilities` and click `Add` #### Example Prompts ``` How many vulnerabilities do I have in AttackForge? ``` #### Supported Query Fields {% code overflow="wrap" %} ```javascript id: { type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", description: "This is the vulnerability id.", } created: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was created.' }, modified: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was last modified.' } title: { type: 'string', } priority: { enum: [ 'Critical', 'High', 'Medium', 'Low', 'Info' ] } alternate_id: { type: 'string', } cvssv3_1_score: { description: 'CVSSv3.1 score', type: 'number' } cvssv3_1_vector: { description: 'CVSSv3.1 vector string', type: 'string' } status: { enum: ['Closed', 'Open'] } status_updated: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The status was last updated at this timestamp.' } target_remediation_date: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The latest timestamp at which the vulnerability is planned to be remediated.' } likelihood_of_exploitation: { type: 'integer', description: 'Scale of exploitability - 1 is least, 10 is most.' } steps_to_reproduce_html: { type: 'string', } release_date: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp when the vulnerability was marked as released.' } sla: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp when the vulnerability is expected to be remediated.' } tags: { type: 'array', items: { type: 'string' } } custom_tags: { type: 'array', items: { type: 'object', properties: { name: { type: 'string' }, value: { type: 'string' } }, required: ['name', 'value'], additionalProperties: false } } custom_fields: { type: 'array', items: { type: 'object', properties: { key: { type: 'string', pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$', }, value: { oneOf: [ { type: 'string', }, { type: 'array', }, ] } }, required: ['key', 'value'], additionalProperties: false } is_retest: { enum: ['Yes', 'No'], description: 'Indicates whether this vulnerability has been marked for retest.' } is_zero_day: { enum: ['Yes', 'No'], description: 'Indicates whether this vulnerability has been categorised as zero day.' } writeup_id: { type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", description: "This is the Writeup id. Example query: { writeup_id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }" } ``` {% endcode %} #### Example Response ```json { "count": 3232 } ``` ### Count Writeups #### Description This tool can be used to count Writeups using a provided filter expression. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `count_writeups` and click `Add` #### Example Prompts ``` How many writeups do I have in AttackForge? ``` ``` How many writeups are in my main library? ``` #### Supported Query Fields {% code overflow="wrap" %} ```javascript id: { type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", } created: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was created.' } modified: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was last modified.' } attack_scenario: { type: 'string', } description: { type: 'string', } impact_on_availability: { enum: [ 'High', 'Medium', 'Low', 'None', ] } impact_on_confidentiality: { enum: [ 'High', 'Medium', 'Low', 'None', ] } impact_on_integrity: { enum: [ 'High', 'Medium', 'Low', 'None', ] } import_source_id: { type: 'string' } import_source: { type: 'string' } likelihood_of_exploitation: { description: 'Scale of exploitability, 1 is least and 10 is most', enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] } remediation_recommendation: { type: 'string' } severity: { description: '1 is least severe and 10 is most severe', enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] } title: { type: 'string', } tags: { type: 'array', items: { type: 'string' } } custom_tags: { type: 'array', items: { type: 'object', properties: { name: { type: 'string' }, value: { type: 'string' } }, required: ['name', 'value'], additionalProperties: false } } custom_fields: { type: 'array', items: { type: 'object', properties: { key: { type: 'string', pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$', }, value: { oneOf: [ { type: 'string', }, { type: 'array', }, ] } }, required: ['key', 'value'], additionalProperties: false } ``` {% endcode %} #### Example Response ```json { "count": 891 } ``` ### Find Projects #### Description This tool can be used to find Projects using a provided filter expression. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `find_projects` and click `Add` #### Example Prompts ``` Which projects are currently in Testing status? Include custom fields in the response. ``` #### Supported Query Fields {% code overflow="wrap" %} ```javascript id: { description: "This is the project id. Match against single id: { id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }. Match against multiple ids: { id: { $in: [ ObjectId('65a440c08cade68ca7bc7192'), ObjectId('65a440c08cade68ca7bc7192') ] } }", type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", } created: { description: 'The timestamp that this project was created.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } modified: { description: 'The timestamp that this project was last modified.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } name: { type: 'string', } code: { type: 'string', } start_date: { description: 'The timestamp that this project is expected to commence.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } end_date: { description: 'The timestamp that this project is expected to conclude.', type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', } status: { enum: [ 'Completed', 'On Hold', 'Overrun', 'Retest', 'Testing', 'Waiting to Start' ] } org_code: { description: 'This is used to capture the Organizational Code that this project belongs', type: 'string', } vuln_code: { description: 'The Vulnerability Code that is used to generate the alernate id for the project vulnerabilities', type: 'string', } attack_chains_enabled: { description: 'Indicates if attack chains are enabled on this project', type: 'boolean' } reporting_enabled: { description: 'Indicates if reporting is enabled on this project', type: 'boolean' } retesting_enabled: { description: 'Indicates if the retesting workflow is enabled on this project', type: 'boolean' } summary_enabled: { description: 'Indicates if the summary page is enabled on this project', type: 'boolean' } custom_tags: { type: 'array', items: { type: 'object', properties: { name: { type: 'string' }, value: { type: 'string' } }, required: ['name', 'value'], additionalProperties: false } } custom_fields: { type: 'array', items: { type: 'object', properties: { key: { type: 'string', pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$', }, value: { oneOf: [ { type: 'string', }, { type: 'array', }, ] } }, required: ['key', 'value'], additionalProperties: false } ``` {% endcode %} #### Example Response {% code overflow="wrap" %} ```json { "data": [ { "id": "685500711d6a44e61f90db4e", "created": "2025-06-20T06:32:17.811Z", "modified": "2025-09-26T22:45:11.191Z", "name": "HackerOne Bug Bounty", "code": "H1-BB", "start_date": "2025-05-31T14:00:00.000Z", "end_date": "2025-07-31T13:59:59.000Z", "status": "Testing", "vuln_code": "H1", "attack_chains_enabled": true, "reporting_enabled": true, "retesting_enabled": true, "summary_enabled": true, "custom_tags": [], "custom_fields": [ { "key": "testing_types", "value": [ "Bug Bounty" ], "label": "Testing Type(s)" }, { "key": "substatus", "value": "Continuous Testing", "label": "Sub-Status" }, { "key": "project_budget", "value": "Under $10,000", "label": "Project Budget" }, { "key": "jira_project_key", "value": "ATTAKFORGE", "label": "JIRA Project Key" }, { "key": "slack_channel", "value": "C08CC3EMXGE", "label": "Slack Channel" } ] } ], "count": 1, "total": 1 } ``` {% endcode %} ### Find Vulnerabilities #### Description This tool can be used to find Vulnerabilities using a provided filter expression. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `find_vulnerabilities` and click `Add` #### Example Prompts ``` Which vulnerabilities are currently in Retest status? Include custom fields in the response. ``` #### Supported Query Fields {% code overflow="wrap" %} ```javascript id: { type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", description: "This is the vulnerability id. Match against single id: { id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }. Match against multiple ids: { id: { $in: [ ObjectId('65a440c08cade68ca7bc7192'), ObjectId('65a440c08cade68ca7bc7192') ] } }", } created: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was created.' }, modified: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was last modified.' } title: { type: 'string', } priority: { enum: [ 'Critical', 'High', 'Medium', 'Low', 'Info' ] } alternate_id: { type: 'string', } cvssv3_1_score: { description: 'CVSSv3.1 score', type: 'number' } cvssv3_1_vector: { description: 'CVSSv3.1 vector string', type: 'string' } status: { enum: ['Closed', 'Open'] } status_updated: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The status was last updated at this timestamp.' } target_remediation_date: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The latest timestamp at which the vulnerability is planned to be remediated.' } likelihood_of_exploitation: { type: 'integer', description: 'Scale of exploitability - 1 is least, 10 is most.' } steps_to_reproduce: { type: 'string', } release_date: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp when the vulnerability was marked as released.' } sla: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp when the vulnerability is expected to be remediated.' } tags: { type: 'array', items: { type: 'string' } } custom_tags: { type: 'array', items: { type: 'object', properties: { name: { type: 'string' }, value: { type: 'string' } }, required: ['name', 'value'], additionalProperties: false } } custom_fields: { type: 'array', items: { type: 'object', properties: { key: { type: 'string', pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$', }, value: { oneOf: [ { type: 'string', }, { type: 'array', }, ] } }, required: ['key', 'value'], additionalProperties: false } is_retest: { enum: ['Yes', 'No'], description: 'Indicates whether this vulnerability has been marked for retest.' } is_zero_day: { enum: ['Yes', 'No'], description: 'Indicates whether this vulnerability has been categorised as zero day.' } writeup_id: { type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", description: "This is the Writeup id. Example query: { writeup_id: { $eq: ObjectId('65a440c08cade68ca7bc7192') } }" } ``` {% endcode %} #### Example Response {% code overflow="wrap" %} ```json { "data": [ { "id": "656168055d7035a12ade4cb3", "created": "2023-11-25T03:20:37.342Z", "modified": "2025-05-21T08:54:09.414Z", "title": "Hosts Respond with Hashes/Challenge-Responses to Spoofed Hostnames", "priority": "High", "project_ids": [ "656158c0965172000f9119e8" ], "writeup_id": "5b9d9c9296d7402e00f42f8a", "affected_assets": [ "682d94b146e588dd33696a46" ], "status": "Open", "status_updated": "2023-11-25T03:20:37.342Z", "target_remediation_date": "2025-05-26T14:00:00.000Z", "likelihood_of_exploitation": 9, "steps_to_reproduce": "

Run the tool Responder on an active broadcast domain:

{{{start-responder.png}}}

User attempts to search for a share that doesn't exist:

{{{user-mistypes-share.png}}}

View the LLMNR request in Responder:

{{{request-in-responder.png}}}

Get the user’s hashed credentials:

{{{user-hash.png}}}

Crack the hash using a tool such as Hashcat:

{{{cracked-hash.png}}}

", "release_date": "2023-11-25T03:20:37.362Z", "sla": "2025-06-19T14:00:00.000Z", "tags": [ "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action", "CWE-290: Authentication Bypass by Spoofing", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "CVSSv3.1 Base Score: 8.1" ], "cvssv3_1_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "cvssv3_1_score": 8.1, "custom_tags": [], "custom_fields": [ { "key": "attack_narrative", "value": "

For this assessment, attackers were placed on the 10.0.9.0/24 network segment.

This attack was executed from host 10.0.9.18.

", "label": "Attack Narrative" }, { "key": "critical_steps", "value": [ { "step": "1", "details": "Ensure network access is established. Use 'ip a' or 'ifconfig' to confirm." } ], "label": "Critical Steps" }, { "key": "technical_impact", "value": "

Receive the hash or challenge-response and username of the person using the host, then subject the hashes to an offline password cracking/recovery attack.

", "label": "Technical Impact" }, { "key": "persons_targeted", "value": [], "label": "Persons Targeted" }, { "key": "cve", "value": "CVE-2025-26943", "label": "CVE" } ], "is_retest": "No", "is_zero_day": "No" } ], "count": 50, "total": 332 } ``` {% endcode %} ### Find Affected Assets #### Description This tool can be used to find Affected Assets on Vulnerabilities using a provided filter expression. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `find_affected_assets` and click `Add` #### Example Prompts ``` How many affected assets do I have? Include custom fields in the response. ``` #### Supported Query Fields {% code overflow="wrap" %} ```javascript ids: { description: 'Find AttackForge affected assets by id.', type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' } } ``` {% endcode %} #### Example Response {% code overflow="wrap" %} ```json { "data": [ { "id": "64e17a99009140000f4acf70", "name": "192.168.0.1", "components": [ { "name": "192.168.0.1", "notes": [ "\nThe following is a list of SSL anonymous ciphers supported by the remote server :\n\n Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)\n\n ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1 \n AECDH-DES-CBC3-SHA Kx=ECDH Au=None Enc=3DES-CBC(168) Mac=SHA1 \n\n High Strength Ciphers (>= 112-bit key)\n\n DH-AES128-SHA256 Kx=DH Au=None Enc=AES-GCM(128) Mac=SHA256 \n DH-AES256-SHA384 Kx=DH Au=None Enc=AES-GCM(256) Mac=SHA384 \n ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1 \n ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA1 \n ADH-CAMELLIA128-SHA Kx=DH Au=None Enc=Camellia-CBC(128) Mac=SHA1 \n ADH-CAMELLIA256-SHA Kx=DH Au=None Enc=Camellia-CBC(256) Mac=SHA1 \n AECDH-AES128-SHA Kx=ECDH Au=None Enc=AES-CBC(128) Mac=SHA1 \n AECDH-AES256-SHA Kx=ECDH Au=None Enc=AES-CBC(256) Mac=SHA1 \n DH-AES128-SHA256 Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA256 \n DH-AES256-SHA256 Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA256 \n\nThe fields above are :\n\n {OpenSSL ciphername}\n Kx={key exchange}\n Au={authentication}\n Enc={symmetric encryption method}\n Mac={message authentication code}\n {export flag}\n", "http://www.nessus.org/u?3a040ada" ], "tags": [ "port:21", "pluginID:31705", "pluginFamily:Service detection", "svc_name:ftp", "protocol:tcp", "severity:1", "cve:CVE-2007-1858", "cvss3_base_score:5.9", "cvss3_temporal_score:5.2", "cvss3_temporal_vector:CVSS:3.0/E:U/RL:O/RC:C", "cvss3_vector:CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "cvss_base_score:2.6", "cvss_temporal_score:1.9", "cvss_temporal_vector:CVSS2#E:U/RL:OF/RC:C", "cvss_vector:CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N", "exploit_available:false", "exploitability_ease:No known exploits are available", "plugin_modification_date:2018/08/03", "plugin_publication_date:2008/03/28", "plugin_type:remote" ] } ], "notes": [], "tags": [], "actioned": false, "asset_type": "Infrastructure", "external_asset_id": "CMDB-123", "details": "This asset is the main router for the head office", "custom_fields": [ { "key": "af_sys_hostnames", "value": [], "label": "Hostnames" }, { "key": "internet_facing", "value": "Yes", "label": "Internet Facing" }, { "key": "subnets", "value": [ "192.168.0.0/24", "192.168.0.1/24" ], "label": "Subnets" }, { "key": "af_sys_ports", "value": [], "label": "Ports" } ], "vulnerability_id": "64e17a99009140000f4acf6e" } ], "count": 1, "total": 1 } ``` {% endcode %} ### Find Writeups #### Description This tool can be used to find Writeups using a provided filter expression. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `find_writeups` and click `Add` #### Example Prompts ``` Show me my Writeups in the 'Main' library. Include custom fields in the response. ``` #### Supported Query Fields {% code overflow="wrap" %} ```javascript id: { type: 'string', pattern: "ObjectId\$\\'[0-9a-fA-F]{24}\\'\$", } created: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was created.' } modified: { type: 'string', pattern: '^\\d{4,}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$', description: 'The timestamp that this vulnerability was last modified.' } attack_scenario: { type: 'string', } description: { type: 'string', } impact_on_availability: { enum: [ 'High', 'Medium', 'Low', 'None', ] } impact_on_confidentiality: { enum: [ 'High', 'Medium', 'Low', 'None', ] } impact_on_integrity: { enum: [ 'High', 'Medium', 'Low', 'None', ] } import_source_id: { type: 'string' } import_source: { type: 'string' } likelihood_of_exploitation: { description: 'Scale of exploitability, 1 is least and 10 is most', enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] } remediation_recommendation: { type: 'string' } severity: { description: '1 is least severe and 10 is most severe', enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] } title: { type: 'string', } tags: { type: 'array', items: { type: 'string' } } custom_tags: { type: 'array', items: { type: 'object', properties: { name: { type: 'string' }, value: { type: 'string' } }, required: ['name', 'value'], additionalProperties: false } } custom_fields: { type: 'array', items: { type: 'object', properties: { key: { type: 'string', pattern: '^[a-zA-Z]([a-zA-Z0-9_]*[a-zA-Z0-9])?$', }, value: { oneOf: [ { type: 'string', }, { type: 'array', }, ] } }, required: ['key', 'value'], additionalProperties: false } ``` {% endcode %} #### Example Response {% code overflow="wrap" %} ```json { "data": [ { "id": "5ad737feccb39f330a8ef316", "created": "2018-04-18T12:20:14.784Z", "modified": "2025-06-23T19:43:59.724Z", "attack_scenario": "

XSS injection attack is a well-documented attack with a number of automated tools available to facilitate discovery, exploitation and post-exploitation control processes. XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Some XSS vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on the end user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running 'Active X' controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content. An attack against the larger user base of the application may result in successful compromise of users computers and potential infection with malware that would effectively allow further compromise of users data.

{{{xss.png}}}

", "description": "

Cross Site Scripting

Cross-site scripting (XSS) vulnerability occurs when data submitted to the application is not properly handled before being embedded within the applications response or stored for later retrieval.

Reflected cross-site scripting

Reflected cross-site scripting (XSS) occurs when a server receives data directly from a HTTP request and returns (or reflects) it back in the HTTP response. In a typical XSS attack scenario, exploitation takes place when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser.

The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.

The most common attack performed with XSS involves the disclosure of session or other sensitive information stored in user cookies. Typically, a malicious user will craft a client-side script, which when parsed by a web browser performs some activity (such as sending all site cookies to a given e-mail address). This script will be loaded and run by each user visiting the vulnerable component of the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also. For example, an attacker could redirect users to malicious web sites.

More sophisticated attacks may extend to, for example, an attacker using advanced XSS exploitation tools like the Browser Exploitation Framework (BeEF).

", "impact_on_availability": "None", "impact_on_confidentiality": "None", "impact_on_integrity": "None", "likelihood_of_exploitation": 6, "remediation_recommendation": "

To prevent XSS attacks a multi-layered approach is recommended.

Input received from the client should be strictly validated on the server side before any further processing takes place.
The filter should use a White List approach by only accepting Known Good characters.
Validation should be performed on a per field basis and should endeavour to be as strict as possible.
Ensure that data is fully normalised and decoded before being compared to the filter.
All client supplied data should be HMTL encoded at the point where it is displayed to the user. This includes request data such as query string parameters and data retrieved from storage.
It is recommended that all alphanumeric characters be HTML encoded to avoid XSS. However the following characters must be encoded: double quotes, ampersand, less than sign, and greater than sign

", "severity": 6, "title": "Reflected Cross Site Scripting", "tags": [ "OWASP Top 10", "CWE Top 25", "CWE-79: Improper Neutralisation of Input During Web Page Generation ('Cross-site Scripting')", "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:P/RL:T/RC:R/CR:M/IR:M/AR:M/MAV:A/MAC:H/MPR:L/MUI:R/MS:C/MC:L/MI:L/MA:H", "CVSSv3.1 Base Score: 7.6", "CVSSv3.1 Temporal Score: 6.6", "CVSSv3.1 Environmental Score: 5.9" ], "custom_tags": [], "custom_fields": [ { "key": "af_sys_steps_to_reproduce", "value": "

do this.
do that.

<script>alert(1)</script>\n

Observe arbitrary script is executed in the victim's browser.

", "label": "Templates Steps to Reproduce (POC)" } ] } ], "count": 1, "total": 1 } ``` {% endcode %} ### Get Field Structure #### Description This tool can be used to get the topological structure of all system and custom fields that make up the AttackForge data model. This is useful to determine the custom field keys that exist on the data model. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `get_field_structure` and click `Add` #### Example Prompts *Show me what fields are available on vulnerabilities.* #### Supported Query Fields ```javascript model: { description: `This is used to specify the data model of which the field structure is required. Supported models: - asset - project - vulnerability - writeup `, type: 'string', pattern: `^asset, project, vulnerability, writeup].join('|')}$`, } ``` #### Example Response {% code overflow="wrap" %} ```json { "model": "vulnerability", "structure": [ { "type": "section", "label": "Info", "info": "

This section should include basic information about the vulnerability.

Important: Only create new Writeups if you need to. There are already thousands of Writeups the security team worked hard to create for you to select from. Be like Keanu Reeves 🙂

", "fields": [ { "type": "system", "key": "writeupAndAssets", "label": "Writeup and Affected Assets", "required": true }, { "type": "system", "key": "visibility", "label": "Visibility", "required": true } ] }, { "type": "section", "label": "Social Engineering", "fields": [ { "type": "custom", "key": "persons_targeted", "label": "Persons Targeted", "required": false, "usage_hints": "type: 'Record[]', description: \"custom field value contains an array of objects used to represent items in a table\"'" } ] }, { "type": "section", "label": "Red Team", "fields": [ { "type": "custom", "key": "attack_narrative", "label": "Attack Narrative", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains html markup\"'" }, { "type": "custom", "key": "critical_steps", "label": "Critical Steps", "required": false, "usage_hints": "type: 'Record[]', description: \"custom field value contains an array of objects used to represent items in a table\"'" } ] }, { "type": "section", "label": "PCI Compliance", "info": "

For more information on what all these PCI DSS terms mean - please visit https://www.pcisecuritystandards.org/glossary/

", "fields": [ { "type": "custom", "key": "is_cde", "label": "Are Asset(s) Part of Cardholder Data Environment (CDE)?", "required": true, "info": "

CDE is defined at https://www.pcisecuritystandards.org/glossary/#glossary-c

", "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'" }, { "type": "custom", "key": "cde_networks", "label": "Which CDE Network(s) are Affected?", "required": true, "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'" } ] }, { "type": "section", "label": "Medical Devices", "fields": [ { "type": "custom", "key": "manufacturer", "label": "Manufacturer", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "version", "label": "Affected Version", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "cpe", "label": "CPE", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" } ] }, { "type": "section", "label": "Scoring", "fields": [ { "type": "system", "key": "zeroDay", "label": "Is 0-Day?", "required": true }, { "type": "system", "key": "scoring", "label": "CVSS Scoring, Priority and Exploitability", "required": true } ] }, { "type": "section", "label": "Ownership", "fields": [ { "type": "custom", "key": "vuln_owner", "label": "Vulnerability Owner", "required": false, "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of user ids\"'" }, { "type": "custom", "key": "teams_responsible", "label": "Teams Responsible", "required": false, "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of group ids\"'" } ] }, { "type": "section", "label": "Testing", "fields": [ { "type": "system", "key": "stepsToReproduce", "label": "Steps to Reproduce", "required": true }, { "type": "custom", "key": "technical_impact", "label": "Technical Impact", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains html markup\"'" }, { "type": "system", "key": "notes", "label": "Notes", "required": true } ] }, { "type": "section", "label": "Tags", "fields": [ { "type": "system", "key": "cvssTags", "label": "CVSS Tags", "required": true }, { "type": "system", "key": "tags", "label": "Tags", "required": true }, { "type": "system", "key": "customTags", "label": "Custom Tags", "required": true }, { "type": "system", "key": "testCases", "label": "Associated Test Cases", "required": true }, { "type": "custom", "key": "category", "label": "Category", "required": true, "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'" } ] }, { "type": "section", "label": "Threat Prioritization", "fields": [ { "type": "custom", "key": "threat_score", "label": "Threat Score (X/140)", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "cve", "label": "CVE", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" } ] }, { "type": "section", "label": "Integrations", "fields": [ { "type": "custom", "key": "ado_work_item_id", "label": "ADO Work Item Id", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "ado_work_item_url", "label": "ADO Work Item URL", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "snow_incident_number", "label": "SNOW Incident Number", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "snow_incident_url", "label": "SNOW Incident URL", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "jira_issue_key", "label": "JIRA Issue Key", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "jira_issue_url", "label": "JIRA Issue URL", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" } ] }, { "type": "section", "label": "HackerOne", "fields": [ { "type": "custom", "key": "hackerone_report_id", "label": "HackerOne Report Id", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "hackerone_report_url", "label": "HackerOne Report URL", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" } ] }, { "type": "section", "label": "Synack", "fields": [ { "type": "custom", "key": "synack_vuln_id", "label": "Synack Vuln Id", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "synack_vuln_status", "label": "Synack Vuln Status", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" }, { "type": "custom", "key": "synack_vuln_link", "label": "Synack Vuln Link", "required": false, "usage_hints": "type: 'string', description: \"custom field value contains a string\"'" } ] }, { "type": "section", "label": "QA Review", "fields": [ { "type": "custom", "key": "qa_status", "label": "QA Status", "required": true, "usage_hints": "type: 'array', items: { type: 'string' }, description: \"custom field value contains an array of strings\"'" }, { "type": "custom", "key": "qa_reviewer", "label": "QA Reviewer", "required": false, "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of user ids\"'" }, { "type": "custom", "key": "qa_approver", "label": "QA Approver", "required": false, "usage_hints": "type: 'array', items: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' }, description: \"custom field value contains an array of user ids\"'" } ] } ] } ``` {% endcode %} ### Get File #### Description This tool can be used to get the metadata and binary content of an AttackForge File by supplying its id. This is useful for retrieving evidence files attached to vulnerabilities or files attached to writeups. #### How To Enable 1. Go to `Users` 2. Select the user you would like to provide access to this tool 3. Click on `Access > MCP` 4. Click on `Add Tools` 5. Select the tool `get_file` and click `Add` #### Example Prompts ***Prompt 1*** *Get all the AttackForge vulnerabilities for project "ACME Corp. Web App Pentest". For every vulnerability, do the following:* * *show me all of the evidence files on the vulnerability. For every evidence file, do the following:* * *show file name, file type and file size.* * *retrieve and display the file if it is an image* ***Prompt 2*** *Download the evidence file with ID 699ff11c529fc71046260673.* *Show me the metadata for the file attached to this vulnerability.* *What is the file name and size of evidence file ID 699ff11c529fc71046260673?* *Get the hash and mime type for a specific file.* *Retrieve the evidence image from this vulnerability.* *Show me when this evidence file was last modified.* #### Supported Query Fields ```javascript id: { description: 'This relates to the "id" field of evidence and files present in tools find_vulnerabilities and find_writeups respectively.', type: 'string', pattern: '^[0-9a-fA-F]{24}$', } ``` #### Supported Response Fields ``` id created modified name mimeType hash size storage_name storage_location caption data ``` #### Example Response {% code overflow="wrap" %} ```json { "id": "699ff11c529fc71046260673", "created": "2026-02-26T07:07:08.366Z", "modified": "2026-02-26T07:07:10.175Z", "name": "evidence 1.png", "mimeType": "image/png", "hash": "b30689526a550266da762212c58ba5860af94ac6563cae65cfe6f9f24c2b62e3", "size": 309447, "storage_name": "h1nn93hfdy1bdpdxrmsbfbnhdiq9ckdzy3rqmxvhatcgofwd0ii6fpyfxlcdwkgzh7bo2zdxoydh17l4gopsxzzzryg4intnvhmx6ctoorthv7uqias3prs3qwr3doys", "storage_location": "test-attackforge-dev/issues/2026-2-26/6972b31b8e7d46a8089d9b53", "caption": "Screenshot of the vulnerability", "data": "<base64 encoded binary content>" } ``` {% endcode %} ## Prompt Examples ### Generate Pentest Executive Summary

#### Tools Required * [Find Projects](#find-projects) * [Count Vulnerabilities](#count-vulnerabilities) * [Find Vulnerabilities](#find-vulnerabilities) * [Find Affected Assets](#find-affected-assets) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Assume the role of a highly experienced Chief Information Security Officer (CISO) drafting a report for the Executive Committee. Your task is to analyze the provided penetration testing data for the {{INSERT-PROJECT-NAME}} Project (data includes scope, findings severity breakdown, exploited vulnerabilities, and remediation time estimates) and synthesize it into a concise, single-page Executive Summary designed for C-level risk assessment. The output must be a unified report, strictly adhering to the following structure and constraints: 1. NO METADATA: DO NOT include any title, header, footer, or boilerplate text such as "Prepared by," "Classification," or "Date." The output must begin immediately with the body of the report. 2. Length: Do not exceed the content volume of a single, standard business page. 3. Conditional Findings (MANDATORY): This is the core logic. You must select between one (1) and three (3) findings based only on the highest available severity level, ignoring the finding's current status (open or closed). - Priority 1: Critical (CVSS > 9.0): If one or more Critical findings exist, use them first (up to three). If none exist, proceed to Priority 2. - Priority 2: High (CVSS 7.0 - 8.9): If no Critical findings were found, use High findings (up to three). If none exist, proceed to Priority 3. - Priority 3: Medium (CVSS 4.0 - 6.9): If no High findings were found, use Medium findings (up to three). If none exist, proceed to Priority 4. - Priority 4: Low/Info: Only if no Critical, High, or Medium findings exist, use Low or Informational findings (up to three). 4. Dynamic Headings (MANDATORY): Use only these three bolded headings, in this exact order. The second heading must dynamically reflect the highest severity level found in Step 3, along with the count of findings presented. - Executive Overview - Top [Number] [Severity Level] Findings (Example: "Top Three Critical Findings," or "Top One High Finding." If no relevant findings are found, use a title like "No Critical or High Findings Identified.") - Immediate Mitigation Strategy 5. Content: Under the dynamic findings heading, use clear, concise bullet points for each selected finding, detailing the risk and business impact. 6. Conclusion: The final section, Immediate Mitigation Strategy, must conclude with a single, highly prioritized action item that delivers the greatest risk reduction immediately. 7. Language: Use formal, authoritative, and risk-focused business language throughout. 8. Presentation: Downloadable Microsoft Word Document ``` {% endcode %} ### Generate Vulnerability Descriptions and Recommendations

#### Tools Required * [Find Writeups](#find-writeups) * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Find Affected Assets](#find-affected-assets) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` You are a CERTIFIED, world-class cybersecurity penetration tester and senior security report writer. Your role is to transform technical data, collected via the AttackForge Connector MCP for the project {{INSERT-PROJECT-NAME}}, into concise, implementation-agnostic technical findings suitable for an enterprise penetration test report. Your output will be consumed exclusively by technical engineering teams (e.g., developers, network engineers) and must adhere strictly to the specifications below. 1. REQUIRED OUTPUT STRUCTURE For each and every vulnerability provided in the Input Data, rewrite it into the following three clearly labelled sections, in this exact order: Finding Title (Formatted): The title must be the first line of the finding, displayed in bold, and the label 'Finding Title' must be excluded. A concise, precise title (under 10 words) that captures the core flaw. Description: A concise, implementation-agnostic technical explanation of the vulnerability. Explain the root cause at a system or application logic level, not step-by-step exploitation. Maintain strict technical clarity without business or operational context. Recommendation: Provide a technical direction for remediation, focusing on what needs to be addressed, not how to implement it. Do not reference specific security controls (e.g. “input validation”), code-level fixes, libraries, or configuration syntaxes. Keep the guidance high-level but technically meaningful for engineers. 2. STRICT EXCLUSIONS (DO NOT INCLUDE) The rewritten findings must not contain any of the following: • Executive summaries or introductory statements • CVSS scores, risk ratings, or severity levels • Business impact, operational context, or data-loss-style consequences • Exploitation steps, reproduction details, or proof-of-concept information • Remediation strategy specifics, code samples, or control frameworks • External references, citations, or URLs • Mitigation controls framed as tactical instructions (e.g., “sanitize input,” “enable MFA,”) 3. TONE, FORMATTING, AND STYLE GUIDELINES • Maintain a formal, authoritative, and objective security tone. • Use precise, accurate security terminology. • The Finding Title must be the first line of output for each finding, rendered in bold, and formatted as a center-aligned headline. • Keep each section concise (typically 3–6 sentences per section). • Treat each vulnerability independently and clearly separate findings using line breaks. • Do not number findings unless the input data explicitly includes numbering. 4. OUTPUT OBJECTIVE Your final output must read as if written by a senior penetration tester producing an enterprise-grade technical report, with: • clean structure • consistent phrasing • internally coherent terminology • readable, engineering-focused insight 5. PRESENTATION • Downloadable Microsoft Word Document ``` {% endcode %} ### Determine Single Highest-Risk Vulnerability on Project

#### Tools Required * [Find Writeups](#find-writeups) * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Find Affected Assets](#find-affected-assets) * [Count Vulnerabilities](#count-vulnerabilities) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` You are a world-class cybersecurity penetration tester and senior security report analyst (OSCP/OSCE-level). Your role is to transform technical data, collected via the AttackForge Connector MCP for the project {{INSERT-PROJECT-NAME}}. You specialize in transforming pentest output into concise, accurate, and actionable intelligence for security leadership. CORE TASK From the vulnerabilities found on the project, identify the single highest-risk vulnerability and return a fully structured analysis. Ignoring the finding's current status (open or closed). EVALUATION RULES • Determine “highest-risk” using severity first (Critical → High → Medium → Low → Informational). • If multiple vulnerabilities share the same severity, choose the one with: 1. The widest asset impact, then 2. The highest exploitability, then 3. The highest business impact (as described or inferable from the data). OUTPUT FORMAT Return your findings using the exact structure below: 1. Vulnerability Name 2. Severity & Risk Rating (CVSS or vendor rating) 3. Associated Assets - List all affected hosts, endpoints, URLs, applications, or systems. 4. Technical Summary - Clear explanation of the root cause and why the vulnerability exists. 5. Evidence / Key Technical Details - Summarize PoC, payloads, reproduction steps, or scanner evidence (if provided). 6. Business Impact - Explain how this vulnerability threatens confidentiality, integrity, availability, or overall organizational risk. 7. Remediation Recommendation - Provide a precise, technically accurate fix (configuration change, patch, architecture control, etc.). 8. Priority Justification - Brief explanation of why this vulnerability was selected as the highest-risk. STYLE REQUIREMENTS • Structure and Coherence: Maintain a clean structure, consistent phrasing, and internally coherent terminology. • Tone: Maintain a formal, authoritative, and objective security tone. • Precision: Use precise, accurate security terminology and readable, engineering-focused insight. • Formatting: The Finding Title must be the first line of output for the finding, rendered in bold, and formatted as a center-aligned headline. • Conciseness: Keep each numbered section concise (typically 3–6 sentences per section). • Independence: Treat the selected vulnerability independently. • Numbering: Do not number findings unless the input data explicitly includes numbering. PRESENTATION • Downloadable Microsoft Word Document ``` {% endcode %} ### Show Vulnerabilities Assigned to Me

#### Tools Required * [Whoami](#whoami) * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Find Affected Assets](#find-affected-assets) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` You are a highly detail-oriented Cyber Remediation Analyst specializing in interpreting current vulnerability data from the AttackForge Connector MCP. Your primary task is to generate a comprehensive vulnerability list for both immediate remediation teams and historical auditing. The list must focus exclusively on vulnerabilities assigned to the current user, regardless of project. The data retrieval must adhere precisely to the following criteria: 1. Source: All data must be sourced from the AttackForge Connector MCP. 2. Assignment: Only include vulnerabilities explicitly assigned to the current user ("me"), using the “vulnerability owner” field. 3. Priority Inclusion: Include all defined priority levels (Critical, High, Medium, Low, Informational). 4. Included Statuses: Include all vulnerabilities that are currently Open, Retest, or Closed. 5. Data Scope: Include all projects associated with the assigned vulnerabilities. Present the filtered results as a single, clear Markdown table with the following five columns, in this exact order: • Column 1: Vulnerability Name (Required Data: The full, unique name of the finding. Formatting Note: The name must be displayed in bold.) The data in this column MUST also be horizontally and vertically centered within the table. • Column 2: Priority (Required Data: The current priority level. Formatting Note: Use the exact priority terms.) The data in this column MUST also be horizontally and vertically centered within the table. • Column 3: Affected Assets Count (Required Data: The total number of assets currently affected by this vulnerability. Formatting Note: Must be rendered as an integer with no commas.) The data in this column MUST also be horizontally and vertically centered within the table. • Column 4: Project Name (Required Data: The name of the project containing the vulnerability. Formatting Note: The name must be displayed in italics.) The data in this column MUST also be horizontally and vertically centered within the table. • Column 5: Status (Required Data: The current remediation status. Formatting Note: Use a fixed-width/code block style, e.g., `Open`, `Closed`, or `Retest`.) The data in this column MUST also be horizontally and vertically centered within the table. The entire table must be sorted first by Priority in strict descending order (Critical → High → Medium → Low → Informational) and secondarily by Affected Assets Count in descending order. Following the table, write a one-paragraph summary of exactly four sentences that clearly reports on the following metrics: 1. The total count of unique vulnerabilities returned in the table. 2. The count of vulnerabilities that are currently Closed. 3. The count of all vulnerabilities categorized as Critical or High that are still Open or Retest. 4. The single Vulnerability Name (from Column 1) that affects the largest number of assets. Presentation and Delivery Requirements: • Convert the entire output into a downloadable Word file. • Set the document title to: “Vulnerabilities Assigned” ``` {% endcode %} ### Create a Vulnerability Composition Metrics Dashboard

#### Tools Required * [Find Vulnerabilities](#find-vulnerabilities) * [Count Vulnerabilities](#count-vulnerabilities) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Role Definition: Act as a Senior Cybersecurity Analyst executing a critical data synthesis task. Core Task: Using the vulnerability data collected exclusively from the AttackForge Connector MCP source, you must identify and present the top 10 most common vulnerabilities by their total count of occurrences. Sorting & Tie-Breaking: 1. The final list must be sorted descending by the Total Number of Occurrences. 2. Crucially, ensure any and all vulnerabilities tied for the 10th position are fully included in the output. Required Output Fields (in order): 1. Vulnerability Name (Full descriptive name). The data in this column MUST also be horizontally and vertically left -centered within the table. Add 6pt line spacing before and after. 2. Total Number of Occurrences (Exact numerical count). The data in this column MUST also be horizontally and vertically centered within the table. Add 6pt line spacing before and after. 3. CVSS v3.1 Base Score (The exact numerical score, e.g., 9.8). The data in this column MUST also be horizontally and vertically centered within the table. Add 6pt line spacing before and after. 4. Assigned Priority Rating (The corresponding rating: Critical, High, Medium, Low, or Informational) in BOLD. The data in this column MUST also be horizontally and vertically centered within the table. Add 6pt line spacing before and after. Format & Constraints (Guardrails): • Document Title: The generated document must be titled: "Top 10 Vulnerabilities Report" • Timestamp: The very first line of the document (before the table) must state the exact Date, Time, and Time Zone the data was generated (e.g., "Generated on: 27/11/2025 at 09:10:18 AM AEDT"). • Present this information in a clear, sortable markdown table. • STRICTLY PROHIBITED: Do not include any notes, legends, introductory summaries, or concluding remarks (other than the required title/timestamp). • DATA INTEGRITY MANDATE: USE EXACT DATA. DO NOT APPROXIMATE OR ESTIMATE ANYTHING. Final Delivery Requirement: After generating the title, timestamp, and markdown table, immediately convert the resulting output into a downloadable Microsoft Word Document. ``` {% endcode %} ### Top 10 Vulnerabilities Dashboard

#### Tools Required * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Count Vulnerabilities](#count-vulnerabilities) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Role Definition: Act as a Senior Cybersecurity Analyst creating executive dashboards. 1. Priority Metric Tiles (KPIs) These key performance indicator (KPI) tiles provide an immediate, high-level view of the current active vulnerability landscape. For the following Project in AttackForge {{INSERT-PROJECT-NAME}} Data Source & Scope: All vulnerabilities identified via the AttackForge Connector MCP will be used to create the dashboard. Have the project Name in the Centre of the Dashboard. 1. Top N Analysis Chart Priority Metric Tiles (KPIs) These key performance indicator (KPI) tiles provide an immediate, high-level view of the current active vulnerability landscape. • Title: "Total Vulnerabilities Distribution." • Visualization Type: Set of 5 Square Metric Tiles (Treemap Style). • Metrics & Display: Tiles must represent the count for each standard severity level: o Critical o High o Medium o Low o Informational • Design Rule: o Use standard industry color mapping (e.g., #D32F2F for Critical, #F57C00 for High, #FBC02D for Medium, #7CB342 for Low and #0288D1 for Informational). o The numeric count must be vertically and horizontally center-aligned inside the square tile for maximum visibility. • Make sure the data and calculation of finding the 10 Most Common Vulnerabilities by Count is done CORRECTLY • Centre aligned with the dashboard. 2. Top N Analysis Chart This chart focuses on identifying the most recurring vulnerability types. • Visualization Type: Horizontal Bar Chart, sorted descending. • Title: " Top 10 Most Common Vulnerabilities by Count." • Dynamic Chart Resolution Requirements: o Implement Tooltip for Full Title: Modify the chart to use a tooltip or hover-over functionality for the vulnerability title labels (y-axis/row labels). When a user hovers over any truncated title, a pop-up must appear displaying the full, complete, and untruncated vulnerability title. o Optimize Layout and Bar Length: Re-scale the horizontal length of the bars (representing the count) so they dynamically fit within the dedicated chart drawing space and do not obscure the title labels. Dynamically allocate sufficient horizontal space for the row labels on the left side of the chart. 3. Detailed Vulnerability Table This section provides the comprehensive, actionable list of vulnerabilities. • Content: Showing only the top 10 Most Common Vulnerabilities by Count • Required Columns: o Name o Priority (Color Coded e.g., #D32F2F for Critical, #F57C00 for High, #FBC02D for Medium, #7CB342 for Low and #0288D1 for Informational). o CVSS Base Score (cvssv3_1_score) o Likelihood of Exploitation o Date Found • Default Sorting: Table must default to be sorted descending by CVSS Score to prioritize the riskiest items immediately, if does not exists then sorted descending by Priority. • Filtering: Ensure filter controls are available for Priority. If none exists for the selected filter, mention e.g. “No Low Vulnerabilities ” • Make sure the data and calculation of finding the 10 Most Common Vulnerabilities by Count is done CORRECTLY IMPORTANT NOTE: Do NOT create or add things based on assumption. Strictly follow what is written in the prompt. For ChatGPT ONLY remove the () (Create this dashboard as a downloadable HTML file) else delete it. ``` {% endcode %} ### Create Interactive Vulnerabilities Chart

#### Tools Required * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Count Vulnerabilities](#count-vulnerabilities) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Objective: Generate a complete, interactive dashboard element featuring the required Radar Chart, title, subtitle, horizontal legend, and key summary metrics, perfectly matching the visual design. Data Source: AttackForge MCP for project "{{INSERT-PROJECT-NAME}}" Dashboard Element Structure & Design 1. Overall Container: The entire output must be rendered as a single, cohesive, dark-themed dashboard card/container with the specified layout. 2. Top Header (Small Text): A small, subtle text • CISO SECURITY DASHBOARD, centered. 3. Main Title: Average Vulnerability Age - Large, bold, centered, and prominently displayed. 4. Subtitle (Under Main Title): Open vulnerabilities by severity • {{INSERT-PROJECT-NAME}} - Smaller font, centered. Core Visualization Enforcement 1. Chart Type (STRICT): The central graphical element MUST BE a five-axis Radar Chart (or Web Chart). The use of any other chart type (e.g., Donut, Bar) is strictly forbidden. 2. Interactivity Enforcement (STRICT): The output HTML file must contain JavaScript to enable full interactivity. When a user hovers over or clicks on a data point on the radar chart, a dynamic tooltip/modal window must appear, clearly showing the exact Average Age for that severity axis (e.g., 'Avg Age: 142 Days'). Radar Chart Visualization Requirements 1. Axes: Critical, High, Medium, Low, Informational. 2. Metric: Average Open Vulnerability Age (in days). This metric determines the magnitude plotted on each axis. o Robust Calculation Logic: The magnitude for each axis is the mathematical average of the Raw Age (days between Vulnerability created and Today's Date) for all open vulnerabilities in that severity group. 3. Size & Scale: The radar chart must be large and visually dominant within the container. 4. Aesthetics: o Dark background, consistent theme. o Use high-contrast colors (Red, Orange, Yellow, Blue, Green/Gray). o The plotted area/line within the radar chart must have a distinct color (e.g., Purple/Blue as shown in the example). Legend & Summary Metrics 1. Horizontal Legend (Under Chart): o Place the legend directly under the radar chart. o Items must be stacked horizontally in a single row. o Each legend item must include: Colored dot, Severity Name, Average Age (in days), AND Total Open Vulnerability Count. o Example: [Red Dot] Critical | 2630 Days | 4 vulns 2. Auxiliary Metrics (Bottom Cards): o Display three distinct, rounded-corner cards/boxes at the very bottom, arranged horizontally, matching the visual style. o Card 1 (Left): Label: OLDEST AVG AGE, Value: (Highest average age). o Card 2 (Middle): Label: TOTAL OPEN VULNS, Value: (Sum of all open vulnerabilities). o Card 3 (Right): Label: SEVERITIES TRACKED, Value: (Count of severity categories with data). [ (This block Only Valid for ChatGPT, else delete it.) Output Requirement Make this visualization a fully functional, interactive HTML File containing all necessary rendering libraries (e.g., Plotly, Chart.js, D3.js) and CSS to perfectly replicate the entire visual and functional design upon opening. a downloadable HTML File.] ``` {% endcode %} ### Review of Vulnerabilities in Retest

#### Tools Required * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Find Affected Assets](#find-affected-assets) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Persona & Goal: You are a highly analytical Senior Application Security Remediation Manager. Your primary objective is to generate a clear, strictly actionable report on all outstanding projects and vulnerabilities sourced from the AttackForge MCP database. The report must prioritize required engineering effort and immediate focus areas. Create a title exactly: “Review of Vulnerabilities in Retest Phase” Data Source: Use all project and vulnerability data from the AttackForge MCP database. Required Output Structure Under this section, produce a single, consolidated markdown table listing every individual vulnerability instance where the Vulnerability Status is “retest” across all in-scope projects. The table must include the following columns in this exact order: 1. Vulnerability Name - Set the cell alignment to HORIZONTAL CENTER and VERTICAL CENTER, apply 6-point spacing BEFORE and AFTER the text within the cell, and ensure TEXT WRAPPING is enabled. 2. Vulnerability Priority (Critical, High, Medium, Low, Informational) 3. The EXACT, FULL, OFFICIAL NAME of the project linked to the vulnerability - Set the cell alignment to HORIZONTAL CENTER and VERTICAL CENTER, apply 6-point spacing BEFORE and AFTER the text within the cell, and ensure TEXT WRAPPING is enabled. 4. Affected Assets Count (Total number of assets affected by that specific vulnerability instance) - Set the cell alignment to HORIZONTAL CENTER and VERTICAL CENTER, apply 6-point spacing BEFORE and AFTER the text within the cell, and ensure TEXT WRAPPING is enabled. Design Requirements: 1. Page orientation – vertical. 2. Table Heading in BOLD and WHITE text and dark BLUE background. Set the cell alignment to HORIZONTAL CENTER and VERTICAL CENTER, apply 6-point spacing BEFORE and AFTER the text within the cell, and ensure TEXT WRAPPING is enabled. 3. Colour the text in the Vulnerability Priority based on cyber security standards. Requirements: 1. The table must include only real data from the Attack Forge MCP dataset. 2. Do not include any placeholder content, boilerplate, summaries, or executive-level narrative. 2. Presentation The final output must be formatted for easy download and review as a Downloadable PDF. ``` {% endcode %} ### Top 10 Affected Assets Dashboard

#### Tools Required * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Find Affected Assets](#find-affected-assets) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Goal: Generate the Executive Summary Dashboard for the "{{INSERT-PROJECT-NAME}}" project, emphasizing prioritized, actionable insights, and strict adherence to industry-standard risk coloring (Red, Orange, Yellow, Blue, Gray). Persona: Lead Pentester and Reporting Manager. Dashboard Components 1. Metric Cards (Top Row) horizontally stacked: o Total Open Vulnerabilities (Count) o Total Critical/High Findings (Count) o Average CVSSv3 Score (Numeric, to one decimal place) 2. Top N Affected Assets Pie Chart (Dynamic Rendering) o Metric: Show the distribution of the Top 10 assets with the highest cumulative count of Critical, High, Medium, Low & Informational open vulnerabilities. o Data Rendering Constraint (Crucial Update): The pie chart must ONLY render slices for assets that have a Critical, High, Medium, Low & Informational open vulnerabilities count within the currently filtered dataset. If the total number of assets with findings is less than 10, display all found assets. Do not display an "Other" or blank section for non-existent categories. o Interaction: Must be highly interactive. > On Click/Hover: Display a tooltip/modal showing the Asset Name, its Total Critical, High, Medium, Low & Informational open vulnerabilities count greater than or equal to one, and an immediate list (or link to a detailed view) of the associated Critical, High, Medium, Low & Informational open vulnerabilities. o Filtering: This chart acts as the Primary Global Filter. Selecting a slice must dynamically update the data in ALL subsequent visualizations to reflect the selection of that specific asset. ``` {% endcode %} ### CVSS Dashboard

#### Tools Required * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Count Vulnerabilities](#count-vulnerabilities) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Prompt Persona & Goal: You are a senior-level Cybersecurity Remediation Specialist compiling the Executive Summary section of a formal penetration test report. Your objective is to visually communicate the immediate risk posture to non-technical stakeholders. Data Source & Requirement: Utilizing the raw vulnerability data extracted from AttackForge MCP Project "{{INSERT-PROJECT-NAME}}", perform the following four mandatory steps: Step 1: Data Categorization and Standardization (The Foundation) Group all vulnerabilities based strictly on their CVSSv3 Base Score into the following four standard industry severity tiers. Use these exact labels for the categories: • Critical (9.0 - 10.0) • High (7.0 - 8.9) • Medium (4.0 - 6.9) • Low (0.1 - 3.9) Only collect vulnerabilities with a CVSSv3 Base Score assigned to it. Do NOT add vulnerabilities without it. Step 2: Visualization Code Generation (The Output) Generate a React artifact (NOT an HTML file with external CDN scripts) to create a professional Vertical Bar Chart. • Do NOT use external CDN libraries like Plotly CDN - these will be blocked and cause script errors. • The chart must plot the total count of findings (Y-axis) for each of the four severity categories (X-axis). • Set a professional, corporate color scheme (e.g., bright red for Critical, dark orange for High, yellow for Medium, light blue for Low). • Do NOT display count labels on top of the bars - counts should only appear in the tooltip on hover and in the summary section below the chart. Step 3: Presentation and Formatting (The Report View) Format the final output with the following required elements: 1. Main Heading (H1): The heading above the chart must be the project name: "{{INSERT-PROJECT-NAME}}" 2. Chart Title: The visualization itself must include the title: Vulnerability Count by CVSSv3 Base Score. 3. Axis Labels: Clearly label the X-axis as Severity Tier and the Y-axis as Total Count of Findings. 4. Key: Under the chart, include a center-aligned key listing the specific score range for each of the four severity tier labels (e.g., Critical (9.0-10.0)). Step 4: Enhanced Interactivity (The Functionality) Ensure the React artifact includes functionality where clicking on any individual bar dynamically displays a list of ALL Vulnerability Names, EXACT CVSSv3 Base Scores, and priority contributing to that specific severity count. ``` {% endcode %} ### Unique OWASP Top 10 Vulnerabilities Report

#### Tools Required * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Find Affected Assets](#find-affected-assets) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Find all vulnerabilities that have the tag “OWASP Top 10.” For each matching vulnerability, return the following information: A brief description explaining what the OWASP Top 10 is. 1. Filter to show ONLY STATUS “Open” Vulnerabilities. Do NOT include “Closed” 2. Vulnerability Name – Enable text wrapping; centre-align both vertically and horizontally. Do NOT show Duplicate Vulnerability. This is unique. 3. Priority – Colour the cell based on cybersecurity standards; centre-align both vertically and horizontally. If multiple associated priority, separate them using a “, ”. 4. If Vulnerability has more than 1 priority, create separate row each different priority. 5. Associated Project Name – Enable text wrapping; centre-align both vertically and horizontally. If multiple associated project names, separate them using a “, ”. 6. Affected Assets – Enable text wrapping; centre-align both vertically and horizontally. If multiple associated assets, separate them using a “, ”. 7. Do NOT include "Total Vulnerabilities" summary. 8. IMPORTANT – Accurately count all vulnerabilities and check for duplicates. *Note if a vulnerability has different priority, break it into a separate row with its associated projects & assets. Present the results in a table format, sorted strictly from Critical to Informational priority. Presentation Requirements: • Page heading: “OWASP Top 10 Vulnerabilities”, centred. • Page orientation: Portrait. • Add column numbering for each row. • Header row (Row 1): white text with a dark blue background. • The Priority column must be centre aligned. • Enable text wrapping for all table cells. • The final output must be fully formatted and ready for download as a PDF, optimised for clear and effective review. ``` {% endcode %} ### Interactive Executive Project Closeout Scorecard

#### Tools Required * [Count Vulnerabilities](#count-vulnerabilities) * [Find Vulnerabilities](#find-vulnerabilities) * [Find Projects](#find-projects) * [Find Affected Assets](#find-affected-assets) * [Get Field Structure](#get-field-structure) #### Prompt {% code overflow="wrap" %} ``` Objective & Context Imagine you are a Cyber Security Engineer creating a final, high-stakes Executive Project Closeout Dashboard. This dashboard must summarize the security status and risk of closed projects to the Executive Leadership Team. Only showing projects with "completed status" Task: Create an Interactive Executive Project Closeout Scorecard. The dashboard must be presented in a concise, single-screen view with zero scrolling, utilizing clear, explicit risk color-coding. Name of Dashboard: Recently Closed Projects Summary Project Summary Table Present the all projects in a sortable, prioritized table. Each row must display the following data, with visual emphasis on risk: - Project Name (clickable, with text wrapping, opens full project detail view) - Start Date: Show EXACT Start Date (formatted as DD-MM-YYYY) - End Date: Show EXACT End Date (formatted as DD-MM-YYYY) - Total Assets: (Count of unique assets involved in the project) Data: Vulnerability Breakdown For each project, the total vulnerabilities must be broken down and displayed as separate, countable fields: - Total Vulnerabilities: (Overall Count) - Count of Critical Vulns (Must be strictly colored RED #DC2626) - Count of High Vulns (Must be strictly colored ORANGE #EA580C) - Count of Medium Vulns (Must be strictly colored BLUE #2563EB) - Count of Low Vulns (Must be strictly colored GREEN #16A34A) - Count of Info Vulns (Must be strictly colored GREY #6B7280) Presentation and Actionability The dashboard's primary function is to enable immediate risk investigation. Initial Prioritization: The table must be sorted by the Count of Critical Vulns (highest to lowest) upon initial loading. Vulnerability-to-Impact Modal: When the user clicks on any individual vulnerability count (e.g., the 'Count of Critical Vulns' number) for a specific project, a modal window must immediately open. - Modal Content: This modal must show the specific list of vulnerabilities that were clicked, alongside a count of its assigned affected assets (Total Assets assigned to that specific vulnerability type). Project Name Click: When the user clicks on the Project Name, a new full-screen detail view must be triggered. This view must consist of: 1. Project Title Header: - Project name displayed in center - Large font (1.75rem), bold (700 weight) - Rounded border (12px radius) with background color var(--bg-tertiary) - Border: 1px solid var(--border-accent) - Padding: 14px 32px - "Back to Dashboard" button on the right (position: absolute, right: 32px) 2. Bubble Chart Section - EXACT SPECIFICATIONS: Container: - Height: 500px - Background: var(--bg-secondary) - Border-radius: 12px - Border: 1px solid var(--border-color) - Padding: 24px - Position: relative (for reset button positioning) SVG Chart Dimensions: - Width: container width or 900px fallback - Height: container height or 450px fallback - Margins: { top: 30, right: 40, bottom: 65, left: 110 } - Chart area: width - margins, height - margins X-Axis (Discovery Date): - Type: Linear scale using JavaScript timestamps (milliseconds) - Range: min/max from vulnerability dates with 10% padding on each side - Padding calculation: dateRange * 0.1 or 86400000 (1 day) minimum - Tick labels: 7 ticks (0 to 6), formatted as "DD MMM" (e.g., "22 Nov") - Tick label position: y = height - margin.bottom + 25 - Axis title: "Discovery Date" at y = height - 10, centered Y-Axis (Severity Level): - Scale: Critical=5, High=4, Medium=3, Low=2, Info=1 - Range: 0.5 to 5.5 for proper spacing - Labels: "Critical", "High", "Medium", "Low", "Info" - Label position: x = margin.left - 20, text-anchor: end - Axis title: "Severity Level" at x = 20, rotated -90 degrees Axis Styling: - Axis titles: 15px, font-weight 600, fill #c0c0c8 - Tick labels: 13px, JetBrains Mono font, fill #a0a0b0 - Grid lines: stroke rgba(255, 255, 255, 0.05), stroke-width 1 - Axis lines: stroke #2a2a3a, stroke-width 1 Bubble Specifications: - Position X: xScale(new Date(vulnerability.created).getTime()) - Position Y: yScale(severityValue + jitter) - Jitter: (Math.random() - 0.5) * 0.4 (range: ±0.2) - Radius formula: Math.min(20, Math.max(8, assets * 5 + 6)) - Minimum radius: 8px - Maximum radius: 20px - Base: 6px + (assets × 5px) - Fill opacity: 0.85 - Stroke: same color as fill - Stroke-width: 1 Bubble Colors (with 0.85 opacity): - Critical: #DC2626 - High: #EA580C - Medium: #2563EB - Low: #16A34A - Info: #6B7280 Hover Tooltip: - Position: fixed, top: 50%, left: 50%, transform: translate(-50%, -50%) - Background: var(--bg-elevated) - Border: 1px solid var(--border-accent) - Border-radius: 12px - Padding: 16px 20px - Min-width: 280px - Shows: vulnerability title, discovery date (DD-MM-YYYY), affected assets count - Toggle visibility with .active class Clear Selection Button: - Position: absolute, top: 12px, right: 12px - Background: var(--bg-tertiary) - Border: 1px solid var(--border-color) - Border-radius: 6px - Padding: 8px 16px - Font-size: 0.8rem - Only visible when filter is active 3. Chart Legend: - Display: flex, justify-content: center, gap: 24px - Margin-top: 16px - Each item: colored dot (10px × 10px, border-radius: 50%) + label - Font-size: 0.8rem, color: var(--text-secondary) 4. Total Vulnerabilities Distribution Section: - Title: "Total Vulnerabilities Distribution" - Title font: 1.1rem, font-weight 600 - Container: flex, column, align-items center, gap 16px, margin-top 8px Distribution Boxes: - Container: flex, gap: 12px, justify-content: center - Each box: 100px × 80px - Border-radius: 8px - Border: 2px solid transparent (white when selected) - Cursor: pointer - Transition: all 0.2s ease - Hover: translateY(-3px), box-shadow: 0 6px 20px rgba(0,0,0,0.4) - Selected state: border-color white, box-shadow: 0 0 0 2px rgba(255,255,255,0.3) Box Content: - Count: font-size 1.8rem, line-height 1 - Label: font-size 0.65rem, uppercase, letter-spacing 0.05em, margin-top 6px, opacity 0.9 Box Colors: - Critical: var(--critical) #DC2626 - High: var(--high) #EA580C - Medium: var(--medium) #2563EB - Low: var(--low) #16A34A - Info: var(--info) #6B7280 5. Vulnerability Table: - Container: background var(--bg-secondary), border-radius 12px, border 1px solid var(--border-color) - flex-shrink: 0 (don't stretch to fill page) Table Header (fixed): - Columns: Vulnerability Name (55%), Priority (15%), Discovered (15%), Affected Assets (15%) - Background: var(--bg-tertiary) - Padding: 12px 20px - Font: 0.7rem, uppercase, letter-spacing 0.05em - Color: var(--text-muted) Table Body: - Wrapper: overflow-y auto, max-height 400px - Row padding: 14px 20px - Row hover: background var(--bg-tertiary) - Highlighted row: background var(--bg-elevated), box-shadow inset 3px 0 0 var(--accent) - Cursor: pointer Priority Column: - Colored dot (8px × 8px) + label - Dot colors match severity colors Discovered Column: - Format: DD-MM-YYYY - Font: JetBrains Mono, 0.8rem - Text-align: center 6. Interactions: - Click distribution box → filters chart and table to that severity only - Click same box again → removes filter, shows all - Click table row → shows only that vulnerability in chart - Click bubble → highlights corresponding table row - Clear Selection button → resets all filters and selections - Escape key → closes modals/detail view - Click outside modal → closes modal Executive Visual Requirements Name of Dashboard: Must be centre-aligned and use a bold, prominent font with gradient effect. - Font-size: 2rem - Font-weight: 700 - Letter-spacing: -0.02em - Background: linear-gradient(135deg, #fff 0%, #a0a0b0 100%) - -webkit-background-clip: text - -webkit-text-fill-color: transparent Dark Theme CSS Variables: - --bg-primary: #0a0a0f - --bg-secondary: #12121a - --bg-tertiary: #1a1a24 - --bg-elevated: #22222e - --text-primary: #f0f0f5 - --text-secondary: #a0a0b0 - --text-muted: #6a6a7a - --border-color: #2a2a3a - --border-accent: #3a3a4a - --accent: #8b5cf6 (purple for highlights) Typography: - Primary font: Space Grotesk (from Google Fonts) - Monospace font: JetBrains Mono (from Google Fonts) Technical Requirements: - Single HTML file with embedded CSS and JavaScript - NO external Chart.js - use pure SVG for bubble chart - Google Fonts CDN for typography - Responsive design - Keyboard support (Escape to close modals) - Click outside modal to close - Table container should not stretch beyond content - Main dashboard table should end at last row, not fill viewport Query AttackForge for: - 5 projects with status "Completed" - All vulnerabilities for each project including: id, title, priority, created date, affected_assets ``` {% endcode %}