get_vulnerability_exploitations
Retrieve active exploitation data for specific vulnerabilities to assess risk, prioritize patching, and inform incident response decisions based on threat actor activity.
Instructions
Get exploitation data for a specific vulnerability
Use this tool when you need to determine if a vulnerability has been actively exploited in the wild. This information is critical for risk assessment, incident response, and prioritization of remediation efforts. Exploitation data can help you:
- Validate that a vulnerability is being actively used by threat actors
- Understand when exploitation began and whether it is ongoing
- Identify which detection mechanisms observed the exploitation
- Determine the frequency or prevalence of exploitation (count)
- Make data-driven decisions about patching priorities
Args:
- identifier (str): The unique CVE ID or UUID of the vulnerability to retrieve. Example formats: "CVE-2023-1234" or "123e4567-e89b-12d3-a456-426614174000"

Returns: Dict[str, Any]: List of exploitation records for the specified vulnerability, where each record contains:
- uuid: Unique identifier for this exploitation record
- begins_at: Timestamp when exploitation was first observed
- ends_at: Timestamp when exploitation activity ended
- count: Number of exploitation occurrences detected
- created_at: Timestamp when this record was first added
- updated_at: Timestamp when this record was last modified
- detection_signature_uuid: UUID of the signature that detected this exploitation
- detection_signature_name: Name of the detection signature
- detection_signature_source: Source of the detection (e.g., "cisa_kev")
- detection_signature_method: Method used for detection (e.g., "manual")

An empty list indicates no known exploitation events for this vulnerability.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| identifier | Yes | The CVE ID (e.g., "CVE-2023-1234") or UUID of the vulnerability to retrieve | none |
Implementation Reference
- The handler function implementing the 'get_vulnerability_exploitations' MCP tool. It is registered via the @mcp.tool() decorator and handles API errors with @handle_api_errors. The function proxies the request to the malloryai_client, passing the vulnerability identifier and returning the exploitation data.

```python
from typing import Any, Dict

# mcp, handle_api_errors and malloryai_client are module-level objects of the
# MCP server in which this handler lives; they are not defined here.


@mcp.tool()
@handle_api_errors
async def get_vulnerability_exploitations(
    identifier: str,
) -> Dict[str, Any]:
    """Get exploitation data for a specific vulnerability

    Use this tool when you need to determine if a vulnerability has been
    actively exploited in the wild. This information is critical for risk
    assessment, incident response, and prioritization of remediation efforts.
    Exploitation data can help you:
    - Validate that a vulnerability is being actively used by threat actors
    - Understand when exploitation began and if it's ongoing
    - Identify which detection mechanisms observed the exploitation
    - Determine the frequency or prevalence of exploitation (count)
    - Make data-driven decisions about patching priorities

    Args:
        identifier (str): The unique CVE ID or UUID of the vulnerability to retrieve.
            Example formats: "CVE-2023-1234" or "123e4567-e89b-12d3-a456-426614174000"

    Returns:
        Dict[str, Any]: List of exploitation records for the specified vulnerability,
        where each record contains:
        - uuid: Unique identifier for this exploitation record
        - begins_at: Timestamp when exploitation was first observed
        - ends_at: Timestamp when exploitation activity ended
        - count: Number of exploitation occurrences detected
        - created_at: Timestamp when this record was first added
        - updated_at: Timestamp when this record was last modified
        - detection_signature_uuid: UUID of the signature that detected this exploitation
        - detection_signature_name: Name of the detection signature
        - detection_signature_source: Source of the detection (e.g., "cisa_kev")
        - detection_signature_method: Method used for detection (e.g., "manual")

        An empty list indicates no known exploitation events for this vulnerability.
    """
    # Proxy straight to the client; error handling is provided by the decorator.
    return await malloryai_client.vulnerabilities.get_vulnerability_exploitations(
        identifier=identifier
    )
```
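The handler returns the raw record list; turning it into a patching decision is left to the caller. The following is an added example (not part of the malloryai MCP server or its client) of the two checks a practitioner wants around this tool: validating the identifier before it is forwarded upstream, and reducing the returned records (using only the field names documented above) to "is this exploited, is it still ongoing, who saw it, how urgent is it". It assumes ISO-8601 timestamps and treats a record with no `ends_at` as ongoing exploitation; the identifier regexes, the `priority` labels and the sample records are this example's own constructions, not server behaviour.

```python
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Identifier shapes the tool documents: a CVE ID or a UUID. The regexes are
# this example's assumption, not the server's own validation.
_CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def normalize_identifier(identifier: str) -> str:
    """Check the identifier before it is handed to the tool.

    Rejecting anything that is not a CVE ID or UUID keeps a malformed or
    attacker-influenced string (for example one an LLM extracted from a
    ticket) from being forwarded to the upstream API.
    """
    candidate = identifier.strip()
    if _CVE_RE.match(candidate.upper()):
        return candidate.upper()
    if _UUID_RE.match(candidate):
        return candidate.lower()
    raise ValueError(f"not a CVE ID or UUID: {identifier!r}")


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is mapped to +00:00 (assumed format)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_exploitations(
    records: List[Dict[str, Any]], now: Optional[str] = None
) -> Dict[str, Any]:
    """Reduce the tool's record list to the facts a triage decision needs.

    Assumptions not stated by the page: timestamps are ISO-8601 strings with a
    zone, and a record whose ends_at is missing describes ongoing exploitation.
    """
    now_dt = _parse_ts(now) or datetime.now(timezone.utc)
    summary: Dict[str, Any] = {
        "exploited": bool(records),  # empty list == no known exploitation events
        "ongoing": False,
        "total_count": 0,
        "first_seen": None,
        "last_seen": None,
        "sources": [],
        "in_cisa_kev": False,
        "priority": "normal",
    }
    if not records:
        return summary
    starts: List[datetime] = []
    ends: List[datetime] = []
    sources = set()
    for rec in records:
        begins = _parse_ts(rec.get("begins_at"))
        ended = _parse_ts(rec.get("ends_at"))
        if begins is not None:
            starts.append(begins)
        if ended is None or ended > now_dt:
            # No end, or an end still in the future: activity is ongoing.
            summary["ongoing"] = True
            ends.append(now_dt)
        else:
            ends.append(ended)
        summary["total_count"] += int(rec.get("count") or 0)
        if rec.get("detection_signature_source"):
            sources.add(rec["detection_signature_source"])
    summary["first_seen"] = min(starts).isoformat() if starts else None
    summary["last_seen"] = max(ends).isoformat()
    summary["sources"] = sorted(sources)
    summary["in_cisa_kev"] = "cisa_kev" in sources
    # Priority labels are this example's convention: KEV-listed or ongoing
    # exploitation jumps the queue; historical-only exploitation is still elevated.
    summary["priority"] = "urgent" if (summary["ongoing"] or summary["in_cisa_kev"]) else "elevated"
    return summary


# Constructed sample records in the documented shape (not real data).
SAMPLE_RECORDS = [
    {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "begins_at": "2024-03-01T00:00:00Z",
        "ends_at": "2024-03-15T00:00:00Z",
        "count": 12,
        "created_at": "2024-03-02T10:00:00Z",
        "updated_at": "2024-03-16T10:00:00Z",
        "detection_signature_uuid": "22222222-2222-4222-8222-222222222222",
        "detection_signature_name": "HTTP exploit attempt (honeypot)",
        "detection_signature_source": "honeypot",
        "detection_signature_method": "automated",
    },
    {
        "uuid": "33333333-3333-4333-8333-333333333333",
        "begins_at": "2024-04-01T00:00:00Z",
        "ends_at": None,
        "count": 1,
        "created_at": "2024-04-01T12:00:00Z",
        "updated_at": "2024-04-01T12:00:00Z",
        "detection_signature_uuid": "44444444-4444-4444-8444-444444444444",
        "detection_signature_name": "CISA KEV listing",
        "detection_signature_source": "cisa_kev",
        "detection_signature_method": "manual",
    },
]

if __name__ == "__main__":
    print(normalize_identifier(" cve-2023-1234 "))
    print(summarize_exploitations(SAMPLE_RECORDS, now="2024-05-01T00:00:00Z"))
```

In an MCP client flow, `normalize_identifier` runs before the tool call and `summarize_exploitations` on its result; pass `now` explicitly when replaying stored records so that "ongoing" is judged against the time of the original observation rather than the time of the replay.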