Skip to main content
Glama
malloryai

Mallory MCP Server

Official
by malloryai
OverviewSchemaRelated ServersScoreDiscussions
Python
Remote

get_threat_actor

Retrieve detailed intelligence about specific threat actors or APT groups to understand their tactics, techniques, procedures, target sectors, and tools used for security research and incident analysis.

Instructions

Get threat actor by identifier

Use this tool when you need detailed intelligence about a specific threat actor or advanced persistent threat (APT) group. This information is valuable for:

  • Understanding the tactics, techniques, and procedures (TTPs) of threat actors

  • Researching who might be behind a security incident

  • Evaluating the sophistication level of potential adversaries

  • Gathering threat intelligence for security briefings

  • Understanding which sectors or regions a threat actor typically targets

Args: identifier (str): The identifier of the threat actor - can be either: - UUID (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1") - Name (e.g., "dark_cloud_shield")

Returns: Dict[str, Any]: Detailed threat actor information including: - uuid: Unique identifier for this threat actor - name: Machine-readable name (typically lowercase with underscores) - display_name: Human-readable name with proper formatting - created_at/updated_at/enriched_at: Timestamps for record management - gen_description: Generated description (if available) - mentions: List of references to this threat actor from various sources, each containing: - uuid: Unique identifier for this mention - overview: Summary of the threat actor's activities from this source - published_at: When the source material was published - collected_at: When this mention was collected - reference_url: URL of the source material - reference_source: Name of the source (e.g., "talos_intelligence_blog") - reference_user_generated_content: Whether this is user-generated content - Other metadata about the mention and reference

These mentions provide valuable context about the threat actor's:

  • Known attack vectors and exploited vulnerabilities

  • Target sectors, regions, or organizations

  • Tools and malware used

  • Attribution confidence and alternate names

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
identifierNo

Implementation Reference

  • malloryai/mcp/tools/threat_actors.py:7-50 (handler)
    The handler function for the 'get_threat_actor' tool. It is decorated with @mcp.tool() for registration and @handle_api_errors. Takes an identifier (UUID or name) and returns detailed threat actor information by calling the malloryai_client API.
    @mcp.tool()
@handle_api_errors
async def get_threat_actor(
    identifier: str = None,
) -> Dict[str, Any]:
    """Get threat actor by identifier

    Use this tool when you need detailed intelligence about a specific threat actor or
    advanced persistent threat (APT) group. This information is valuable for:
    - Understanding the tactics, techniques, and procedures (TTPs) of threat actors
    - Researching who might be behind a security incident
    - Evaluating the sophistication level of potential adversaries
    - Gathering threat intelligence for security briefings
    - Understanding which sectors or regions a threat actor typically targets

    Args:
        identifier (str): The identifier of the threat actor - can be either:
            - UUID (e.g., "a9b46d37-42b8-4b27-8b69-583dbcb2f5e1")
            - Name (e.g., "dark_cloud_shield")

    Returns:
    Dict[str, Any]: Detailed threat actor information including:
        - uuid: Unique identifier for this threat actor
        - name: Machine-readable name (typically lowercase with underscores)
        - display_name: Human-readable name with proper formatting
        - created_at/updated_at/enriched_at: Timestamps for record management
        - gen_description: Generated description (if available)
        - mentions: List of references to this threat actor from various sources, each containing:
            - uuid: Unique identifier for this mention
            - overview: Summary of the threat actor's activities from this source
            - published_at: When the source material was published
            - collected_at: When this mention was collected
            - reference_url: URL of the source material
            - reference_source: Name of the source (e.g., "talos_intelligence_blog")
            - reference_user_generated_content: Whether this is user-generated content
            - Other metadata about the mention and reference

    These mentions provide valuable context about the threat actor's:
    - Known attack vectors and exploited vulnerabilities
    - Target sectors, regions, or organizations
    - Tools and malware used
    - Attribution confidence and alternate names
    """
    return await malloryai_client.threat_actors.get_threat_actor(identifier)
  • malloryai/mcp/tools/threat_actors.py:7-7 (registration)
    The @mcp.tool() decorator registers the get_threat_actor function as an MCP tool.
    @mcp.tool()
  • malloryai/mcp/tools/threat_actors.py:9-11 (schema)
    Function signature defining input schema (identifier: str = None) and output type (Dict[str, Any]), with detailed Arg/Returns docstring.
    async def get_threat_actor(
    identifier: str = None,
) -> Dict[str, Any]:

Tool Definition Quality

A4.6/5.0
Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden and does well by describing the tool as a read operation ('Get'), specifying the return format (Dict[str, Any]), and detailing the structure of returned data including timestamps and mentions. It could improve by mentioning potential errors (e.g., if identifier not found) or rate limits, but it provides substantial behavioral context.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with clear sections (purpose, usage guidelines, args, returns) and uses bullet points for readability. It could be slightly more concise by reducing some detail in the returns section, but overall it's efficient and front-loaded with key information.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given no annotations and no output schema, the description provides excellent context by detailing the return structure and use cases. It could improve by explicitly mentioning what happens with invalid identifiers or if no data is found, but it covers most aspects needed for a single-parameter read tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, so the description must compensate fully. It does so by clearly explaining the 'identifier' parameter as accepting either UUID or Name, providing examples of both formats, and specifying it's for retrieving a specific threat actor. This adds crucial meaning beyond the bare schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose as 'Get threat actor by identifier' and specifies it provides 'detailed intelligence about a specific threat actor or advanced persistent threat (APT) group.' It distinguishes from sibling tools like 'list_threat_actors' by focusing on retrieving detailed information for a single actor rather than listing multiple.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly states 'Use this tool when you need detailed intelligence about a specific threat actor' and provides five specific use cases (e.g., understanding TTPs, researching security incidents). It implicitly distinguishes from 'list_threat_actors' by focusing on single-actor details versus listing, and from other siblings like vulnerability tools by focusing on threat actors specifically.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/malloryai/mallory-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server