Skip to main content
Glama

D3FEND Attack Coverage

d3fend_attack_coverage
Read-onlyIdempotent

Batch analyze ATT&CK technique coverage against D3FEND defenses per tactic, pinpointing undefended techniques for gap assessment.

Instructions

Batch coverage breakdown: given a list of ATT&CK T-codes, return distinct defense counts per D3FEND tactic + identify which techniques have NO D3FEND mapping (undefended_techniques). Use to assess the defensive posture of an entire attack campaign or threat model in one call. defended_techniques is the subset with at least one D3FEND defense; undefended_techniques are gaps worth flagging. Pair with cve_search per gap to identify exploit availability. Free: 30/hr, Pro: 500/hr. Returns {queried_techniques, coverage_by_tactic, defended_techniques, undefended_techniques, next_calls}.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
attack_technique_idsYesList of ATT&CK technique ids (T#### or T####.###) to assess. Capped at 500 — extra entries are dropped server-side. Example: ['T1059', 'T1550.001', 'T1190', 'T9999'].

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already indicate read-only, idempotent, non-destructive. The description adds important behavioral details: batch processing, capped at 500 entries with extra dropped, rate limits (30/hr Free, 500/hr Pro), and the exact fields in the return object. This provides sufficient transparency beyond annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single paragraph of five sentences, efficient and front-loaded with the main action. It includes only necessary information: purpose, return fields, usage hint, rate limits. No fluff, but could be more structured (e.g., bullet points for return fields).

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (batch, multiple return fields, rate limits) and the presence of an output schema, the description covers the main aspects: purpose, return object keys, usage, and constraints. It does not detail the format of coverage_by_tactic, but the output schema likely provides that. Overall, it is sufficiently complete.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema already covers the parameter 'attack_technique_ids' with full description (100% coverage), including maxItems and example. The description only reiterates the cap and example, adding no new meaning. So baseline 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool takes a list of ATT&CK T-codes and returns a coverage breakdown including defense counts per D3FEND tactic and identifies undefended techniques. It explicitly says this is for assessing defensive posture of an entire campaign or threat model, distinguishing it from siblings like d3fend_defense_for_attack.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides clear usage context: 'Use to assess the defensive posture of an entire attack campaign or threat model in one call' and suggests pairing with cve_search for gaps. However, it does not explicitly state when not to use it or compare to alternatives, so it falls short of full guidance.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/UPinar/contrastapi'

If you have feedback or need assistance with the MCP directory API, please join our Discord server