Schema

Server Configuration

Describes the environment variables required to run the server.

Name	Required	Description	Default
`THREATZONE_API_KEY`	Yes	Your Threat.Zone API key
`THREATZONE_API_URL`	No	Custom API URL for private tenants or on-premise deployments	https://app.threat.zone

Prompts

Interactive templates invoked by user choice

Name	Description
No prompts

Resources

Contextual data attached and managed by the client

Name	Description
No resources

Tools

Functions exposed to the LLM to take actions

Name	Description
get_metafields	Get available metafields for scan configuration.
get_levels	Get threat levels used in analysis results.
get_statuses	Get submission statuses.
get_sample_metafield	Get sample metafield configuration for sandbox analysis.
interpret_status	Interpret a numeric status value from submission results. Args: status_value: Numeric status value (1-5) Returns: Human-readable status description
interpret_threat_level	Interpret a numeric threat level value from analysis results. Args: level_value: Numeric threat level (0-3) Returns: Human-readable threat level description
get_submission_status_summary	Get submission details with interpreted status and threat level. Args: uuid: Submission UUID Returns: Submission details with human-readable status and threat level
get_user_info	Get current user information, workspace details, and usage limits.
get_server_config	Get current server configuration including API URL and connection status. Returns: Configuration details including API URL, version, and status
scan_url	Analyze a URL for threats and malicious content. Args: url: The URL to analyze is_public: Whether the scan results should be public
scan_file_sandbox	Submit a file for advanced sandbox analysis with detailed configuration. Args: file_path: Path to the file to analyze is_public: Whether the scan results should be public (default: False) entrypoint: File to execute within archive (if applicable) password: Password for archive files (if applicable) environment: Analysis environment - w7_x64, w10_x64, w11_x64, macos, android, linux (default: w10_x64) timeout: Analysis timeout in seconds - 60, 120, 180, 240, 300 (default: 180) work_path: Working directory - desktop, root, %AppData%, windows, temp (default: desktop) mouse_simulation: Enable mouse simulation (default: True) https_inspection: Enable HTTPS inspection (default: False) internet_connection: Enable internet connection (default: False) raw_logs: Include raw logs (default: False) snapshot: Take VM snapshots (default: False) sleep_evasion: Enable sleep evasion techniques (default: False) smart_tracing: Enable smart tracing (default: False) dump_collector: Enable dump collection (default: False) open_in_browser: Open files in browser (default: False) extension_check: Perform extension check (default: True) modules: Analysis modules to use, e.g., ["csi", "cdr"] (default: None) auto_config: Use automatic configuration (default: False)
scan_file_sandbox_simple	Submit a file for simple sandbox analysis using default settings. This is a simplified version of scan_file_sandbox with default configurations. Use scan_file_sandbox for advanced configuration options. Args: file_path: Path to the file to analyze is_public: Whether the scan results should be public (default: False) entrypoint: File to execute within archive (if applicable) password: Password for archive files (if applicable)
scan_file_static	Submit a file for static analysis. Args: file_path: Path to the file to analyze is_public: Whether the scan results should be public entrypoint: File to execute within archive (if applicable) password: Password for archive files (if applicable)
scan_file_cdr	Submit a file for CDR (Content Disarm and Reconstruction) processing. Args: file_path: Path to the file to process is_public: Whether the scan results should be public entrypoint: File to execute within archive (if applicable) password: Password for archive files (if applicable)
get_submission	Get submission details by UUID. Args: uuid: Submission UUID
get_submission_indicators	Get all indicators for a specific submission. Args: uuid: Submission UUID
get_submission_iocs	Get all Indicators of Compromise for a specific submission. Args: uuid: Submission UUID
get_submission_yara_rules	Get all matched YARA rules for a specific submission. Args: uuid: Submission UUID
get_submission_varist_results	Get Varist Hybrid Analyzer results for a specific submission. Args: uuid: Submission UUID
get_submission_artifacts	Get all artifacts for a specific submission. Args: uuid: Submission UUID
get_submission_config_extractor	Get all extracted configurations for a specific submission. Args: uuid: Submission UUID
get_submission_dns	Get all DNS queries for a specific submission. Args: uuid: Submission UUID
get_submission_http	Get all HTTP requests and packets for a specific submission. Args: uuid: Submission UUID
get_submission_tcp	Get all TCP requests and packets for a specific submission. Args: uuid: Submission UUID
get_submission_udp	Get all UDP requests and packets for a specific submission. Args: uuid: Submission UUID
get_submission_network_threats	Get all network threats for a specific submission. Args: uuid: Submission UUID
get_my_submissions	Get user's submissions with pagination. Args: page: Page number (default: 1) jump: Number of items per page (default: 10)
get_public_submissions	Get public submissions with pagination. Args: page: Page number (default: 1) jump: Number of items per page (default: 10)
search_by_hash	Search submissions by file hash (MD5, SHA1, or SHA256). Args: hash: File hash to search for page: Page number (default: 1) jump: Number of items per page (default: 10)
download_sanitized_file	Download the CDR-sanitized file for a given submission UUID. Args: uuid: Submission UUID Returns: Base64-encoded file content
download_html_report	Download HTML analysis report for a submission. Args: uuid: Submission UUID Returns: HTML report content

Server Configuration

Schema

Prompts

Resources

Tools

MCP directory API