Skip to main content
Glama

D3FEND Defense for Attack

d3fend_defense_for_attack
Read-onlyIdempotent

Map an ATT&CK technique to its D3FEND defenses. Find mitigations for offensive intelligence findings from CVE or ATLAS lookups.

Instructions

Reverse lookup: given an ATT&CK T-code, return D3FEND defenses that mitigate it. This is the bridge from offensive intelligence (ATT&CK / ATLAS / CVE) to defensive playbook. Pair with cve_lookup or atlas_technique_lookup output — when those carry an ATT&CK id, call this tool to surface the mitigations. defenses is capped at limit (default 30) for token efficiency; total is the honest pre-truncation count and truncated=true flags when the cap was hit. coverage_by_tactic always aggregates the FULL set, not the slice. Default response is SLIM (drops uri from each row); pass include='full' for the verbose record. Pass exclude_id when drilling from d3fend_defense_lookup to skip self in the 'see also' list. Returns 200 with empty defenses list when the T-code has no D3FEND mapping (the gap is itself a signal). Free: 30/hr, Pro: 500/hr. Returns {attack_technique_id, total, truncated, defenses [{defense_id, label, uri (only when include=full), parent_label, tactic, artifact, attack_label, attack_tactic}], coverage_by_tactic, next_calls}.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
limitNoCap on `defenses` array length. Default 30; popular T-codes (T1059, T1078) map to 30-50+ defenses. `total` and `coverage_by_tactic` always reflect the honest pre-truncation count.
includeNoDetail level. Default (omit/empty) returns slim rows (drops the deterministic ontology `uri` — popular T-codes with 15+ defenses save ~900 chars). Pass 'full' to get `uri` back on every row.
exclude_idNoOptional D3FEND defense slug to omit from the defenses list. Used when chaining from d3fend_defense_lookup so the originating defense is not echoed back in its own 'see also' results.
attack_technique_idYesATT&CK technique id matching 'T####' or 'T####.###' (e.g. 'T1059', 'T1550.001'). Use this to bridge from CVE/ATLAS findings to D3FEND mitigations.

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Discloses key behaviors beyond annotations: truncation logic (`defenses` capped at `limit`, `total` and `coverage_by_tactic` always full), default slim response, rate limits (30/hr free, 500/hr Pro), and 200 response with empty list for unmapped T-codes. No contradiction with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with the core purpose, but is somewhat long. However, every sentence contributes meaning; a minor trim would improve conciseness.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (4 params, API behaviors, truncation, and rate limits), the description covers all necessary aspects including return structure (`defenses` fields, `coverage_by_tactic`, `next_calls`). Output schema handles the rest.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Each parameter description adds value beyond the schema: `limit` explains why cap matters for popular T-codes, `include` quantifies character savings, `exclude_id` details chaining use case, and `attack_technique_id` gives format examples.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states it's a reverse lookup from ATT&CK T-code to D3FEND defenses, distinguishing it as the bridge from offensive intelligence to defensive playbook. It explicitly mentions pairing with cve_lookup or atlas_technique_lookup, differentiating it from siblings like d3fend_defense_lookup.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Provides explicit when-to-use guidance: call this tool when you have an ATT&CK id from CVE/ATLAS lookups. Also explains when to pass `exclude_id` when chaining from d3fend_defense_lookup, and when to use `include='full'` for verbose records.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/UPinar/contrastapi'

If you have feedback or need assistance with the MCP directory API, please join our Discord server