// MCP TOOL REFERENCE

DEFENSE MCP TOOLS

31 tools from the Defense MCP MCP Server, categorised by risk level.

View the Defense MCP policy → Token cost: 11,227 tokens →

// ALL 31 DEFENSE MCP TOOLS

READ 2 tools

Read backup Backup: config files, system state snapshots, restore, verify integrity, list backups Read dns_security DNS: resolver audit, DNSSEC check, tunneling detection, domain blocklists, query log audit

WRITE 27 tools

Write access_control Access control: SSH, PAM, sudo, user audit, password policy, shell restriction Write api_security API security: local API discovery, auth audit, rate limiting, TLS verify, CORS check Write app_harden App hardening: audit running apps, recommendations, firewall rules, systemd sandboxing Write cloud_security Cloud: environment detection, metadata audit, IAM credentials, storage audit, IMDS security Write compliance Compliance: Lynis, OpenSCAP, CIS benchmarks, framework checks, policy, cron/tmp hardening Write container_docker Docker security: audit, CIS bench, seccomp, daemon config, image scan Write container_isolation Container isolation: AppArmor, SELinux, namespaces, seccomp, rootless setup Write crypto Crypto: TLS/SSL audit, GPG, LUKS, file hashing, certificate lifecycle Write defense_mgmt Defense: tool checks, workflows, change history, posture, scheduled audits, remediation, reports Write firewall Firewall: iptables, UFW, nftables, persistence, policy audit Write harden_host Host hardening: services, permissions, systemd, cron, umask, banners, USB control Write harden_kernel Kernel hardening: sysctl, kernel security, bootloader, memory protections Write honeypot_manage Deception: canary tokens, honeyport listeners, trigger detection, canary management Write incident_response Incident response: volatile data, IOC scan, timeline, forensics (memory/disk/network/evidence/custody) Write integrity Integrity: AIDE, rootkit scanning, file hashing, drift baselines Write log_management Logging: auditd, journalctl, fail2ban, syslog, log rotation, SIEM integration Write malware Malware: ClamAV scan/update, YARA rules, suspicious files, webshells, quarantine Write network_defense Network: connections, traffic capture, port scan detection, IPv6 audit, self-scan, segmentation Write patch Patches: pending updates, unattended upgrades, package integrity, kernel audit, CVE lookup Write process_security Processes: audit running, capabilities, namespaces, anomaly detection, cgroup limits Write secrets Secrets: filesystem scan, env variable audit, SSH key sprawl, git history leak detection Write supply_chain Supply chain: SBOM generation, cosign artifact signing, SLSA provenance verification Write threat_intel Threat intel: IP/hash/domain reputation, feed management, blocklist application Write vuln_manage Vulnerabilities: nmap scan, nikto web scan, tracking, risk prioritization, remediation plans Write waf_manage WAF: ModSecurity audit, rule management, rate limiting, OWASP CRS, blocked request analysis Write wireless_security Wireless: Bluetooth audit, WiFi assessment, rogue AP detection, disable unused interfaces Write zero_trust Zero-trust: WireGuard VPN, peer management, mTLS certificates, microsegmentation

DESTRUCTIVE 1 tools

Destructive sudo_session Sudo: elevate privileges, check/drop/extend session, preflight tool checks

EXECUTE 1 tools

Execute ebpf eBPF/Falco: list eBPF programs, Falco status, deploy rules, read events

// FAQ

How many tools does the Defense MCP MCP server have? +

The Defense MCP MCP server exposes 31 tools across 4 categories: Read, Write, Destructive, Execute.

How do I enforce policies on Defense MCP tools? +

Route the Defense MCP server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard — they are enforced on every call before it reaches the server.

What risk categories do Defense MCP tools fall into? +

Defense MCP tools are categorised as Read (2), Write (27), Destructive (1), Execute (1). Each category has a recommended default policy.

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

SECURE YOUR MCP →

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.