// MCP TOOL REFERENCE

NULLCONE THREAT INTELLIGENCE TOOLS

30 tools from the Nullcone Threat Intelligence MCP Server, categorised by risk level.

View the Nullcone Threat Intelligence policy → Token cost: 6,097 tokens →
// ALL 30 NULLCONE THREAT INTELLIGENCE TOOLS
READ 22 tools
Read check_freshness Validate that IOC threat intelligence is fresh enough for the named action. Call this before any ... Read check_prompt Check a prompt or text fragment for known PROMPT IOC patterns. Uses an in-memory hash set for sub... Read check_prompt_batch Check multiple prompts for PROMPT IOC patterns in a single call. More efficient than calling chec... Read family_threats Return all threat signatures associated with a known malware family. Use list_families() first to... Read fingerprint_tool_metadata Analyze an MCP tool definition for instruction-injection and malicious patterns. Performs semanti... Read freshness_limits Return the configured IOC freshness limits for all action tiers. Shows max staleness, warn thresh... Read get_new_threats Drain the live push-subscription buffer of threats received since the last call. Zero-polling — th... Read get_stats Return aggregate statistics for the threat intelligence database. Includes total signatures, know... Read is_ioc_revoked Check whether an IOC has been revoked. O(1) in-process lookup. Use this before acting on any cach... Read list_families Return all known malware families in the intelligence database. Each entry includes the family na... Read list_revocations List recent IOC revocations, newest first. Args: limit: Maximum number of revocatio... Read list_subscriptions List all active stateful push subscriptions on this MCP server instance. Returns metadata for eac... Read lookup_ioc Look up a threat signature by its exact IOC value. Returns the full signature record if found, in... Read poll_since Fetch new threat signatures since a high-water mark ID. This is the recommended sync pattern — one... Read prompt_cache_stats Return PROMPT IOC cache statistics: size, hit rate, latency, refresh status. Use this to verify t... Read recent_threats Return the most recently observed threat signatures. Args: limit: Max number of re... Read registry_monitor_stats Return MCP registry monitoring statistics. Shows how many tool definitions are tracked, how many ... Read report_detection Report that you detected and acted on a known threat signature. Increments the signature's detect... Read scan_skill_content Pre-execution content scan for skill/instruction files. Analyzes the full text of a skill (markdo... Read search_by_type Return threat signatures filtered by IOC type. Useful for pulling all known-bad IPs, all maliciou... Read subscribe_threats Open a named, stateful subscription to live threat push delivery. Returns a subscription_id. Pass... Read validate_skill Synchronous SKILL IOC lookup — call this before loading or invoking any MCP tool/skill to check it...
WRITE 5 tools
Write registry_flagged_tools Return all MCP tools that have been flagged as suspicious or malicious. Includes tools flagged on... Write submit_batch Submit multiple IOCs in a single call. Preferred over looping submit_ioc for bulk ingest from hone... Write submit_ioc Submit a threat indicator (IOC) to the shared intelligence network. The IOC is automatically clas... Write vote_false_positive Flag a threat signature as a likely false positive. When more than 20% of agents vote false posit... Write warm_prompt_cache Load all PROMPT IOCs from SpacetimeDB into the in-memory hash set. Call once at startup (or after...
DESTRUCTIVE 3 tools
Destructive drain_subscription Drain the buffer of a stateful subscription created by subscribe_threats(). Returns all IOCs deli... Destructive revoke_ioc Revoke an IOC by its value hash, pushing the expiration event to all active subscriptions in real-... Destructive unsubscribe Cancel a stateful subscription and free its buffer. Call this when you no longer need the subscri...
// FAQ
How many tools does the Nullcone Threat Intelligence MCP server have? +

The Nullcone Threat Intelligence MCP server exposes 30 tools across 3 categories: Read, Write, Destructive.

How do I enforce policies on Nullcone Threat Intelligence tools? +

Route the Nullcone Threat Intelligence server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard — they are enforced on every call before it reaches the server.

What risk categories do Nullcone Threat Intelligence tools fall into? +

Nullcone Threat Intelligence tools are categorised as Read (22), Write (5), Destructive (3). Each category has a recommended default policy.

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

SECURE YOUR MCP →

Free to start. No card required.

4,600+ MCP servers and 31,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.